A new Python-based remote access Trojan (RAT) known as PylangGhost is being used in cyber campaigns attributed to Famous Chollima, a North Korea-aligned threat group.
According to research by Cisco Talos, the malware is functionally comparable to the previously documented GolangGhost and is being used to target people with experience in cryptocurrency and blockchain technologies.
Fake job postings deliver PylangGhost
In recent campaigns, the attackers used fake job interviews to trick victims into running malicious code. These campaigns target Windows users with the new Python variant, while the Golang-based RAT is still used against macOS systems.
Linux users are not targeted by the current activity.
The attack starts with fraudulent job postings, which often impersonate well-known crypto firms such as Coinbase and Uniswap.
Job seekers are directed to skill-test websites built with the React framework, where they are asked to enter personal information and answer a series of questions.
After completing the test, users are asked to record a video by granting camera access, and are then given instructions to install fake video drivers by pasting a command into a command prompt.
The malicious command downloads a ZIP archive containing Python modules and a Visual Basic script. The script unpacks the archive and launches the Trojan's entry module, nvidia.py, using a renamed Python interpreter.
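The delivery chain above leaves a recognizable trail in process-creation telemetry: a Windows Script Host process (the VBS stage) spawning an interpreter that is not called python.exe but whose PE version information still says it is, with a .py script on the command line. The following detection logic is an added example, not Cisco Talos's or the malware's own code; it runs over constructed Sysmon-style process events, and the renamed interpreter name nvidia.exe and the paths are assumptions, not observed indicators.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Subset of the fields a Sysmon Event ID 1 (process creation) record carries."""
    parent_image: str
    image: str
    original_file_name: str   # PE version-info name; it survives renaming the binary on disk
    command_line: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PYTHON_NAMES = {"python.exe", "pythonw.exe"}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def suspicious(ev: ProcessEvent) -> list[str]:
    """Return the reasons this event matches the PylangGhost delivery chain (empty if none)."""
    reasons = []
    parent = basename(ev.parent_image)
    image = basename(ev.image)
    cmd = ev.command_line.lower()
    runs_py_script = re.search(r"\S+\.py\b", cmd) is not None

    # 1. Renamed Python interpreter: the binary still identifies itself as python.exe
    if ev.original_file_name.lower() in PYTHON_NAMES and image not in PYTHON_NAMES:
        reasons.append(f"renamed Python interpreter ({image} is really {ev.original_file_name})")
    # 2. Windows Script Host (the VBS stage) launching something that runs a .py file
    if parent in SCRIPT_HOSTS and runs_py_script:
        reasons.append(f"{parent} launched a Python script")
    # 3. The entry module name reported for this RAT, whatever the interpreter is called
    if re.search(r"(^|[\\/\s\"'])nvidia\.py\b", cmd):
        reasons.append("nvidia.py passed as script argument")
    return reasons


def scan(events: list[ProcessEvent]) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for every event that matched at least one rule."""
    return [(i, r) for i, ev in enumerate(events) if (r := suspicious(ev))]


# Constructed sample events for demonstration; not real telemetry.
SAMPLE_EVENTS = [
    # Benign: a developer running a build script with the regular interpreter
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Python312\python.exe", "python.exe",
                 r'"C:\Python312\python.exe" C:\Users\dev\tools\build.py'),
    # The VBS stage itself; common enough that it is not flagged on its own
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe", "wscript.exe",
                 r"wscript.exe C:\Users\dev\AppData\Local\Temp\update.vbs"),
    # Hypothetical: VBS launches a renamed interpreter with the RAT's entry module
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r"C:\Users\dev\AppData\Local\Temp\nvidia\nvidia.exe", "python.exe",
                 r"nvidia.exe nvidia.py"),
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

Rule 1 is the durable one: the entry-module filename and the interpreter name are trivial for the operator to change, but a renamed interpreter still carries its original PE name, so keying on OriginalFileName catches the next variant as well.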
PylangGhost capabilities and architecture
PylangGhost consists of six main modules, all written in Python:
- nvidia.py initializes the RAT, establishes persistence and sets up communication with the command-and-control (C2) server
- config.py defines configuration settings and the accepted commands
- command.py implements the C2 commands, such as file transfers, OS shell access and data exfiltration
- auto.py specializes in stealing credentials and cookies from more than 80 browser extensions
- api.py manages communication with the C2 server, encrypted with RC4
- util.py is responsible for file compression tasks
With the malware, attackers can remotely control infected machines, upload and download files and extract sensitive data, including credentials from services such as MetaMask, 1Password and Phantom.
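The C2 layer described for api.py is RC4, a stream cipher: a key schedule builds a 256-byte permutation, a generator walks it to produce a keystream, and encryption is a plain XOR, so the same routine decrypts. The block below is an added example, not the malware's or Cisco Talos's code; it implements RC4, wraps a hypothetical JSON beacon format (an assumption, not the real protocol), and shows the two practical consequences for an analyst: a key recovered from a sample decrypts captured traffic, and a fixed key leaks the XOR of any two plaintexts, so one known message exposes the others.

```python
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: the KSA builds permutation S from the key, the PRGA yields one keystream byte per
    input byte. Encryption and decryption are the same XOR operation."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Hypothetical client/server message format and key; neither is from the real implementation.
SESSION_KEY = b"example-static-key"            # assumption: one fixed key shared by all beacons


def encrypt_message(key: bytes, obj: dict) -> bytes:
    return rc4(key, json.dumps(obj, separators=(",", ":")).encode())


def decrypt_message(key: bytes, blob: bytes) -> dict:
    return json.loads(rc4(key, blob).decode())


def recover_with_known_plaintext(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """Same key => same keystream => c1 XOR c2 == p1 XOR p2. Knowing one plaintext recovers the
    other's prefix without ever touching the key. Only as many bytes as the known message has."""
    n = min(len(c_known), len(c_target), len(p_known))
    return xor_bytes(xor_bytes(c_known[:n], c_target[:n]), p_known[:n])


if __name__ == "__main__":
    beacon = encrypt_message(SESSION_KEY, {"cmd": "sysinfo", "host": "WS-01"})
    print("ciphertext:", beacon.hex())
    print("decrypted :", decrypt_message(SESSION_KEY, beacon))
    task = encrypt_message(SESSION_KEY, {"cmd": "download", "path": "C:/Users/x/wallet.dat"})
    leaked = recover_with_known_plaintext(beacon, rc4(SESSION_KEY, beacon), task)
    print("leaked    :", leaked)
```

RC4 provides confidentiality only as long as the keystream is never reused and offers no integrity at all, so a fixed client key turns "encrypted C2" into an obfuscation layer: once the key is pulled from config or memory, every captured session decrypts, and even without it, traffic analysis on the XOR of messages is possible.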
Close parallels with the Golang version
A comparison of module structure and naming conventions between the Python and Golang versions reveals striking similarities.
This suggests a shared developer or close cooperation between the authors of both variants. Although the Python version is marked as version 1.0 and the Golang version as 2.0, the researchers warn against drawing conclusions based solely on these version numbers.
Cisco Talos has not found any evidence that Cisco users have been affected. Most known victims so far are in India, and the overall impact appears limited based on open-source intelligence.