North Korea targets crypto jobs with new malware

A North Korea-aligned threat actor is targeting job seekers in the crypto industry with new malware designed to steal passwords for crypto wallets and password managers.
Cisco Talos reported on Wednesday that it found a new Python-based remote access trojan (RAT) called "PylangGhost," linking the malware to a North Korea-affiliated hacking collective called "Famous Chollima," also known as "Wagemole."
The hacking group has nag
“Based on the advertised positions, it is clear that the Famous Chollima has widely targeted individuals with past experience with cryptocurrency and blockchain technologies.”
Fake job sites and tests as cover for malware
The attackers have created fraudulent job sites that impersonate legitimate companies, such as Coinbase, Robinhood and Uniswap, and victims are guided through a multi-step process.
This includes initial contact from fake recruiters, who send invitations to skill-testing websites where information is collected.
Next, the victims are lured into enabling video and camera access for fake interviews, during which they are tricked into copying and executing malicious commands under the pretense of installing updated video drivers, resulting in the compromise of their device.
Payload targets crypto wallets
PylangGhost is a variant of the previously documented GolangGhost RAT and shares similar functionality, Cisco Talos said.
Upon execution, the commands enable remote control of the infected system and the theft of cookies and credentials from more than 80 browser extensions, it reported.
These include password managers and cryptocurrency wallets, including MetaMask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink and MultiverseX.
Multitasking malware
The malware can perform other tasks and execute many commands, including taking screenshots, managing files, stealing browser data, collecting system information and maintaining remote access to infected systems.
Researchers also noted that it is unlikely the threat actors used an artificial intelligence large language model to help write the code, based on the comments in it.
Fake jobs are not new
This is not the first time that hackers associated with North Korea have used fake jobs and interviews to lure their victims.
In April, hackers linked to the $1.4 billion Bybit heist were targeting crypto developers with fake recruitment tests infected with malware.