North Korean Threat Actors Deploy Python-Based Trojan Targeting Cryptocurrency Systems


A new Python-based remote access Trojan (RAT) identified as PylangGhost has emerged in cyber campaigns linked to the North Korean-aligned group Famous Chollima. Research from Cisco Talos highlights that this malware operates similarly to the previously documented GolangGhost, targeting individuals well-versed in cryptocurrency and blockchain technologies.

Fake Job Sites Deliver PylangGhost

Recent campaigns have seen attackers use fake job interviews to lure victims into executing malicious code. These operations primarily target Windows users with the Python variant, while the Golang-based RAT continues to target macOS systems. Notably, Linux users are currently excluded from this wave of attacks.

The attack vector begins with fraudulent job postings, impersonating reputable crypto companies such as Coinbase and Uniswap. Jobseekers are directed to skill-testing websites developed with React, where they are prompted to enter personal information and engage in a series of tasks. Upon completing these tasks, users are instructed to record a video requiring camera access and are subsequently guided to install counterfeit video drivers via command line.

The malicious command initiates the download of a ZIP archive, which houses Python modules along with a Visual Basic script. This script unzips the archive and activates the Trojan using a disguised Python interpreter labeled nvidia.py.

PylangGhost Capabilities and Architecture

PylangGhost consists of six primary modules, all crafted in Python:

nvidia.py: Initializes the RAT, ensures persistence, and establishes communication with the command-and-control (C2) server.
config.py: Defines configuration settings and accepted commands.
command.py: Manages C2 commands such as file transfers, OS shell access, and data exfiltration.
auto.py: Focuses on stealing credentials and cookies from over 80 browser extensions.
api.py: Facilitates encrypted communication with the C2 server using RC4 encryption.
util.py: Handles file compression tasks.
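As an added defender-side example (not code from the Talos report or from the malware itself), the following Python helper triages a ZIP archive for the layout described above: Python modules shipped alongside a Visual Basic launcher script, matched against the six module names listed in this section. The in-memory sample archive, its placeholder contents and the two-module threshold are constructed assumptions for illustration.

```python
import io
import zipfile
from typing import Dict, List

# Module names attributed to PylangGhost in the write-up above.
PYLANGGHOST_MODULES = frozenset(
    {"nvidia.py", "config.py", "command.py", "auto.py", "api.py", "util.py"}
)


def triage_archive(data: bytes) -> Dict[str, object]:
    """Summarise a ZIP payload against the structure described above:
    Python modules shipped next to a Visual Basic launcher script.

    'suspicious' is set when a .vbs/.vbe launcher is present together with
    at least two of the known module names (the threshold is an assumption).
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i.filename for i in zf.infolist() if not i.is_dir()]
    # Compare on lower-cased basenames so nesting and case do not matter.
    basenames = {m.rsplit("/", 1)[-1].lower() for m in members}
    launchers: List[str] = sorted(b for b in basenames if b.endswith((".vbs", ".vbe")))
    matched: List[str] = sorted(basenames & PYLANGGHOST_MODULES)
    py_count = sum(1 for b in basenames if b.endswith(".py"))
    return {
        "members": len(members),
        "python_modules": py_count,
        "vbs_launchers": launchers,
        "matched_modules": matched,
        "suspicious": bool(launchers) and len(matched) >= 2,
    }


def build_sample_archive(suspicious: bool = True) -> bytes:
    """Constructed in-memory sample; contents are placeholders, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if suspicious:
            zf.writestr("driver/update.vbs", "' placeholder launcher\n")
            for name in ("nvidia.py", "config.py", "command.py", "api.py"):
                zf.writestr(f"driver/{name}", "# placeholder module\n")
        else:
            zf.writestr("tool/setup.py", "# placeholder\n")
            zf.writestr("tool/README.txt", "placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample_archive()))
```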

This malware grants attackers the capability to remotely control infected machines, upload or download files, and extract sensitive information, including credentials from services like MetaMask, 1Password, and Phantom.

Close Parallels with Golang Version

A detailed comparison of the module structure and naming conventions between the Python and Golang versions reveals significant similarities, indicating either a shared developer or close collaboration between the authors of both variants. Although the Python version is designated as version 1.0 and the Golang version as 2.0, researchers advise against drawing conclusions based solely on these version labels.

Cisco Talos has reported no instances of Cisco users falling victim to these attacks. Most of the identified victims are situated in India, and open-source intelligence suggests the overall impact has so far been limited.