North Korean hackers have turned to info-stealing malware to attack cryptocurrency professionals across the globe. The Famous Chollima group orchestrates advanced attacks using bogus employment opportunities. Their primary objective is to undermine blockchain employees using these false campaigns. Cisco Talos has recently discovered the operation.
Key Takeaways:
- Blockchain professionals fall prey to hackers who promise fictitious job opportunities while posing as recruiters for organizations such as Coinbase and Uniswap.
- The malware is written in Python and steals browser credentials, provides remote access to the infected system, and evades detection by encrypting its traffic.
- North Korean malware operations have grown in complexity, and crypto assets and financial platforms remain under constant threat.
Fake Job Sites as the Lure for Malware Distribution
Threat actors in North Korea develop scam career sites using the names of reputable companies such as Coinbase, Robinhood, and Uniswap. These counterfeit sites are used to distribute their info-stealing malware known as PylangGhost.
Fraudulent recruiters invite the victims to apply for cryptocurrency roles. The attackers mostly target professionals with blockchain experience in India.
The fraudulent job portals walk the victims through several steps designed to end with the installation of information-stealing malware. Targets are asked to complete skills tests on these sites, where preliminary data collection takes place.
The fake interviews require the candidate to grant access to the camera and video, supposedly for a technical evaluation. As the session proceeds, the victims are instructed to run commands that download and execute the info-stealing malware without their knowledge.
PylangGhost: Info-Stealing Malware Attacking Windows Systems
PylangGhost is a Python-based variant of the previously documented GolangGhost remote access trojan. This info-stealing malware targets Windows systems and closely resembles its predecessor.
The malware package ships with a renamed Python interpreter, nvidia.py. Six main modules handle persistence, system fingerprinting, file transfer and browser data theft.
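A renamed interpreter is a file whose extension and content disagree: something named like a script that is really a native executable. The following scanner, added here as an illustration and not taken from Cisco Talos or the malware itself, walks a directory and flags script-named files that begin with the PE header every Windows executable carries. The file names, contents and the extension list are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Optional

# Extensions that should hold text, never a native executable (assumed list).
SCRIPT_EXTENSIONS = {".py", ".pyw", ".txt", ".json"}
PE_MAGIC = b"MZ"  # DOS/PE header that every Windows executable starts with


def header_is_pe(header: bytes) -> bool:
    """True if the first two bytes are the PE magic."""
    return header[:2] == PE_MAGIC


def classify_file(path: Path) -> Optional[str]:
    """Flag a script-named file whose content starts with a PE header."""
    if path.suffix.lower() not in SCRIPT_EXTENSIONS:
        return None
    try:
        with path.open("rb") as fh:
            header = fh.read(2)
    except OSError:
        return None
    if header_is_pe(header):
        return f"{path.name}: PE executable masquerading as a {path.suffix} file"
    return None


def scan_directory(root: Path) -> List[str]:
    """Walk `root` and collect every extension/content mismatch."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            finding = classify_file(Path(dirpath) / name)
            if finding:
                findings.append(finding)
    return findings


def run_demo() -> List[str]:
    """Build a constructed sample tree and scan it (no real malware involved)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        # Constructed: a fake PE header under the file name the article reports.
        (base / "nvidia.py").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
        # Constructed: a genuine Python script, must not be flagged.
        (base / "setup.py").write_bytes(b"print('hello')\n")
        # Constructed: non-script extension, ignored even with a PE header.
        (base / "tool.exe").write_bytes(b"MZ\x90\x00")
        return scan_directory(base)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The check reads only two bytes per file, so it is cheap enough to run over user profile and temporary directories on a schedule; a hit is worth a closer look, and a hit on a file an interview site asked the user to download is a strong signal.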
The info-stealing malware harvests credentials of more than 80 browser extensions such as password managers and cryptocurrency wallets. Among the targeted applications are MetaMask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink, and MultiverseX.
The malware provides remote access over HTTP, with the packets encrypted using RC4. This encryption makes the info-stealing malware's traffic harder for system administrators to detect.
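RC4 is a symmetric stream cipher: the same keystream both encrypts and decrypts, so an analyst who recovers the key from a sample can decode captured beacons and write detections on the plaintext. The block below is an added illustration, not code from the malware or from Cisco Talos; the key, the command payload and the JSON shape of the command are all constructed for the demonstration, and the implementation is checked against a published RC4 test vector.

```python
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling, then keystream XORed over `data`."""
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA), XORed with the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_known_answer_ok() -> bool:
    """Sanity check against the published vector: key 'Key', plaintext 'Plaintext'."""
    return rc4(b"Key", b"Plaintext") == bytes.fromhex("BBF316E8D940AF0AD3")


# Constructed values for the demonstration; not taken from any real sample.
DEMO_KEY = b"example-key-recovered-from-sample"
DEMO_COMMAND = b'{"cmd":"screenshot","id":7}'


def encrypt_beacon(key: bytes, plaintext: bytes) -> bytes:
    """What an implant would send as an HTTP body."""
    return rc4(key, plaintext)


def decrypt_beacon(key: bytes, body: bytes) -> bytes:
    """What an analyst does with a captured body once the key is known."""
    return rc4(key, body)  # symmetric: same operation as encryption


def looks_like_command(plaintext: bytes) -> bool:
    """Assumed heuristic: a decrypted body that parses as a JSON object with a 'cmd' key."""
    try:
        obj = json.loads(plaintext.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    return isinstance(obj, dict) and "cmd" in obj


if __name__ == "__main__":
    body = encrypt_beacon(DEMO_KEY, DEMO_COMMAND)
    print("captured body (hex):", body.hex())
    print("decrypted:", decrypt_beacon(DEMO_KEY, body).decode())
    print("command-like:", looks_like_command(decrypt_beacon(DEMO_KEY, body)))
```

The practical point for a defender is that RC4 hides content from a casual look at the wire but adds no integrity or key exchange; once the key is pulled from a sample, every past and future beacon using that key is readable, and the decrypted structure can drive network signatures.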
This info-stealing malware performs several malicious tasks beyond credential theft. It can take screenshots, manage files and collect detailed system information.
Through remote shell access, the attackers maintain persistent control over infected machines. The malware supports file upload and download as well as thorough reconnaissance of the system.
Browser session cookies are a main target of this campaign. The criminals collect access information for frequently used cryptocurrency sites and financial services.
The malware's command set gives the operators complete administrative control over infected machines. Security analysts state that this info-stealing malware marks an important development in North Korean hacking capabilities.
Successive Attacks and Current Threats
Famous Chollima has run comparable info-stealing malware campaigns against cryptocurrency developers in the past. In April 2024, the hackers employed similar hiring lures in the Bybit hacking activity that produced a $1.4 billion heist.
Those attacks also relied on sham job interviews and malware-laden tests to steal information from blockchain experts. The pattern shows that North Korea remains particularly interested in infiltrating the cryptocurrency industry.
Since the second half of 2024, the threat group's info-stealing campaigns have changed significantly. Security researchers found no sign that the malware was developed with the help of artificial intelligence; the code comments indicate that this info-stealing malware was written manually by human programmers. Despite its traditional development, the attack tooling is very capable.
Conclusion
Cryptocurrency-related employees around the globe are under threat from North Korean info-stealing malware campaigns. These attacks mostly rely on elaborate social engineering, such as fake hiring schemes. Organizations should adopt strong security controls and train their personnel to recognize such threats.