A recent threat has emerged in the cybersecurity landscape, with the Famous Chollima group deploying a new Python-based remote access Trojan (RAT) known as PylangGhost. This malicious software is targeting individuals with expertise in cryptocurrency and blockchain technologies, aiming to infiltrate their systems and extract sensitive information.
One of the tactics used by the attackers is the creation of fake job sites to lure victims into running the malicious code. These fake job postings, often posing as reputable crypto companies like Coinbase and Uniswap, lead job seekers to skill-testing websites where they are prompted to input personal data and answer questions. Subsequently, they are instructed to record a video, which requires granting camera access and installing fake video drivers by entering commands at a command line.
The installation process involves the download of a ZIP archive containing Python modules and a Visual Basic script. The script unzips the archive and launches the Trojan using a disguised Python interpreter named nvidia.py. PylangGhost comprises six main modules written in Python, each serving specific functions such as initializing the RAT, handling communication with the command-and-control server, and stealing credentials and cookies from browser extensions.
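As an added illustration (not code from the report or from the malware), the following defender-side check runs over constructed process-creation events and flags the unzip-then-launch chain described above: a VBScript host spawning an archive tool, or an executable image carrying a script-like name such as nvidia.py. The event field names and the SAMPLE_EVENTS data are assumptions made for the example.

```python
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events (hypothetical sample data, not from the report).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 4100, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\nvidia.py",
     "cmdline": r'"C:\Users\alice\AppData\Local\Temp\nvidia.py" main.py'},
    {"pid": 4200, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Python312\python.exe",
     "cmdline": r'"C:\Program Files\Python312\python.exe" build.py'},
    {"pid": 4300, "parent_image": r"C:\Windows\System32\cscript.exe",
     "image": r"C:\Windows\System32\tar.exe",
     "cmdline": r'tar -xf C:\Users\alice\Downloads\drivers.zip'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}       # Windows VBScript hosts
ARCHIVE_TOOLS = {"tar.exe", "7z.exe", "unzip.exe"}  # common unzip helpers (assumed list)
KNOWN_NAMES = {"nvidia.py"}                         # interpreter name reported for PylangGhost

def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev: Dict[str, object]) -> List[str]:
    """Return the heuristics an event trips; an empty list means it looks benign."""
    parent = basename(str(ev["parent_image"]))
    image = basename(str(ev["image"]))
    cmdline = str(ev["cmdline"]).lower()
    reasons: List[str] = []
    # 1. A process image carrying a .py name is a binary disguised as a script.
    if image.endswith(".py"):
        reasons.append("executable image named like a Python script")
    # 2. The interpreter name reported for PylangGhost appears as image or argument.
    if image in KNOWN_NAMES or any(n in cmdline for n in KNOWN_NAMES):
        reasons.append("PylangGhost interpreter name (nvidia.py) observed")
    # 3. A VBScript host spawning a disguised interpreter or an archive extractor
    #    matches the unzip-then-launch chain described in the report.
    if parent in SCRIPT_HOSTS and (image.endswith(".py") or image in ARCHIVE_TOOLS):
        reasons.append(f"{parent} spawned {image}")
    return reasons

def detect(events: List[Dict[str, object]]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every event that trips at least one heuristic."""
    return [(int(ev["pid"]), r) for ev in events if (r := score_event(ev))]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

The heuristics are intentionally narrow; in a real pipeline they would be tuned against the environment's baseline of script-host activity before being used for alerting.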
The capabilities of PylangGhost enable attackers to remotely control infected machines, transfer files, and extract sensitive data, including credentials from popular services like Metamask and 1Password. Although it is a new variant, PylangGhost shares close similarities in module structure and naming conventions with the previously documented GolangGhost RAT, which suggests a potential collaboration between the authors of both variants.
While Cisco Talos has not reported any impact on Cisco users, the known victims of PylangGhost are primarily located in India. The overall impact of this new threat remains limited based on current intelligence sources. It is essential for users, especially those in the cryptocurrency and blockchain sectors, to remain vigilant and adopt robust security measures to protect against such cyber threats.