A North Korean cyber group called Famous Chollima has been openly duping blockchain workers through fraudulent cryptocurrency job websites. Cisco Talos recently detected malware named PylangGhost, which the group uses to steal login credentials and gain access to systems. The malware targets blockchain professionals in India and other countries by pretending to offer them jobs with leading cryptocurrency firms.
The attackers reach out to blockchain experts with spoofed recruiter messages on platforms such as LinkedIn. The messages carry phishing links that direct targets to fake job websites cloned from platforms such as Coinbase, Uniswap, and Robinhood.
Once a target expresses interest, the attackers walk them through a series of supposed hiring steps, including fake online examinations. This process lets the attackers gather information about the target's systems and behaviour while keeping a low profile to avoid arousing suspicion.
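The cloned job sites described above differ from the real ones only in the domain they are served from, so a simple triage rule for links in unsolicited recruiter messages is to compare the link's registrable domain against the brand's own domain. The following is an added example, not code from the article or from Cisco Talos: it takes the three brands the article names, pairs them with assumed legitimate domains, and classifies a URL as legitimate, lookalike (brand name embedded in a foreign domain, or a one-or-two-character misspelling of it) or unrelated. The sample URLs are constructed.

```python
"""Flag recruiter links whose domain impersonates a named crypto brand.

Added example; not part of the original article or of any Talos tooling.
The legitimate-domain mapping is an assumption for the three brands the
article mentions, and every URL below is constructed for the demo.
"""
from urllib.parse import urlparse

# Assumed legitimate registrable domains for the brands named in the article.
LEGIT_DOMAINS = {
    "coinbase": "coinbase.com",
    "uniswap": "uniswap.org",
    "robinhood": "robinhood.com",
}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (adequate for .com/.org)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch near-miss spellings of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a recruiter link."""
    host = urlparse(url).hostname or ""
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS.values():
        return "legitimate"          # e.g. careers.coinbase.com
    label = reg.split(".")[0]
    for brand in LEGIT_DOMAINS:
        # brand name inside a different registrable domain: coinbase-careers.net,
        # coinbase.com.evil.net; or a near-miss spelling such as robinhod.com
        if brand in host or levenshtein(label, brand) <= 2:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links of the kind a spoofed recruiter message carries.
    for sample in (
        "https://careers.coinbase.com/positions/123",
        "https://coinbase-careers.net/apply",
        "https://robinhod.com/jobs",
        "https://example.org/opening",
    ):
        print(f"{classify_url(sample):<11} {sample}")
```

The registrable-domain helper is deliberately naive (it assumes a two-label suffix), which is enough for the .com and .org brands here; for country-code suffixes such as .co.uk a public-suffix list would be needed. The check is a triage aid for a mail or chat gateway, not a substitute for blocking known-bad domains.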
Hackers conduct fake crypto job interviews
Next comes a simulated video interview, in which victims are asked to grant access to their cameras and microphones. During the call, the attackers claim a video driver update is needed and persuade the victim to type certain system commands. Those commands silently install the PylangGhost malware on the victim's computer, giving the attackers full control of it.
Once installed, the payload can steal login data stored in more than 80 password managers and cryptocurrency wallet browser extensions, including NordPass, 1Password, MultiverseX, Bitski, Phantom, TronLink, and MetaMask. PylangGhost also silently takes screenshots, reads files, copies browser data, and monitors the user's activity on the PC in real time.
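Because the payload goes after credential stores held in browser extensions, the first question for an incident responder on a suspected host is which of those stores are actually installed, so the right wallets and vaults can be rotated or moved first. The block below is an added example, not code from the article or from Cisco Talos: it walks a Chromium-style `Extensions/<id>/<version>/manifest.json` tree and reports any extension whose manifest name matches the products the article lists. The on-disk layout and the three sample manifests are constructed in a temporary directory so the script runs offline; on a real host you would point it at the browser profile's `Extensions` folder.

```python
"""Inventory installed browser extensions that are high-value credential stores.

Added example; not part of the article or of any Talos analysis. The
extension tree and manifests built by build_demo_profile() are constructed
for the demo.
"""
import json
import os
import tempfile

# Products the article names as PylangGhost targets; matching is by manifest "name".
WATCHLIST = ("NordPass", "1Password", "MultiverseX", "Bitski",
             "Phantom", "TronLink", "MetaMask")


def inventory_credential_extensions(extensions_root: str) -> list:
    """Return the sorted, de-duplicated watchlist products whose extension
    manifest is present anywhere under extensions_root."""
    found = set()
    for dirpath, _dirs, files in os.walk(extensions_root):
        if "manifest.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the sweep
        name = str(manifest.get("name", "")).lower()
        for product in WATCHLIST:
            if product.lower() in name:
                found.add(product)
    return sorted(found)


def build_demo_profile() -> str:
    """Create a constructed Extensions directory holding three sample manifests:
    two watchlisted wallets and one unrelated extension."""
    root = tempfile.mkdtemp(prefix="demo-extensions-")
    samples = {
        "abcdefghijklmnop/11.2.0": {"name": "MetaMask", "version": "11.2.0"},
        "qrstuvwxyzabcdef/1.0.3": {"name": "Phantom Wallet", "version": "1.0.3"},
        "ghijklmnopqrstuv/3.4": {"name": "Tab Manager", "version": "3.4"},
    }
    for rel, manifest in samples.items():
        ext_dir = os.path.join(root, rel)
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    demo_root = build_demo_profile()
    print("credential-store extensions present:",
          inventory_credential_extensions(demo_root))
```

One caveat for real profiles: some extensions set `"name"` to a localisation key such as `__MSG_appName__`, with the human-readable name in the `_locales` folder; those would need a second lookup before matching. The sweep is read-only and touches nothing inside the extension directories.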
Cisco Talos also linked the malware to an earlier variant known as GolangGhost, suggesting that the same threat actors are producing new versions. Judging from the code comments, the malware appears to have been written by hand, and the group's operations appear organized and sophisticated.
Earlier this year, the cyber thieves behind the $1.4 billion Bybit hack also used fake job tests to install malware. Together, the two cases illustrate the growing threat that North Korean-linked hackers pose, especially to crypto and blockchain insiders.