Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware

The article discusses Slow Pisces, a North Korean state-sponsored hacking group focused on cryptocurrency theft. The group uses social engineering, chiefly on LinkedIn, to deliver malware disguised as coding challenges to cryptocurrency developers. It stole over $1 billion in 2023 through fake trading applications, malicious packages and supply chain compromises. The report also highlights the group's operational security and the techniques it uses to hide malware execution inside otherwise ordinary-looking projects. Affected: cryptocurrency sector, LinkedIn, GitHub

Keypoints :

  • Slow Pisces, also known as Jade Sleet, targets the cryptocurrency sector to fund the DPRK regime.
  • The group impersonates potential employers on LinkedIn to engage cryptocurrency developers.
  • Malware disguised as coding challenges is distributed through benign-looking PDFs and GitHub repositories.
  • The group stole over $1 billion in cryptocurrency through various methods in 2023.
  • The FBI attributed a $308 million theft to Slow Pisces in December 2024.
  • Recent thefts include a $1.5 billion theft from a Dubai-based cryptocurrency exchange.
  • The group hides payload execution rather than using obvious eval/exec calls: YAML deserialization in the Python projects and the EJS escapeFunction in the JavaScript projects.
  • Palo Alto Networks’ Next-Generation Firewall provides protection against these threats.
  • Victims are encouraged to report suspicious activity to improve safety against such campaigns.
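The YAML trick above works because PyYAML's non-safe loaders resolve `!!python/object/apply:` tags into calls to arbitrary Python callables, so a "coding challenge" project that fetches data from a server and passes it to `yaml.load()` lets that server decide what runs. The following stdlib-only audit is an added example, not code from the Unit42 report or from Slow Pisces' tooling: it flags `yaml.load` calls that accept such tags and flags YAML text that carries them before anything deserializes it. The sample project file and the sample server response are constructed for illustration; the function and sample names are assumptions.

```python
# Added example: audit a Python project for unsafe PyYAML deserialization before running it.
# Not from the Unit42 report; names and sample inputs are constructed for illustration.
import ast
import re

# Only these loaders refuse python/ tags. Loader, UnsafeLoader and FullLoader all resolve
# !!python/object/apply into a callable invocation (FullLoader also had bypasses,
# CVE-2020-1747 / CVE-2020-14343), so anything outside this set is treated as unsafe.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
ALWAYS_UNSAFE = {"unsafe_load", "unsafe_load_all", "full_load", "full_load_all"}


def _loader_name(node):
    """Identifier at the end of an attribute chain: yaml.SafeLoader -> 'SafeLoader'."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None  # computed at runtime; cannot be shown safe statically


def find_unsafe_yaml_loads(source):
    """Return sorted [(lineno, reason)] for every yaml.* call able to build arbitrary objects."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        func = node.func
        if not (isinstance(func.value, ast.Name) and func.value.id == "yaml"):
            continue
        if func.attr in ALWAYS_UNSAFE:
            findings.append((node.lineno, f"yaml.{func.attr} constructs arbitrary Python objects"))
            continue
        if func.attr not in ("load", "load_all"):
            continue
        loader_node = None
        for kw in node.keywords:
            if kw.arg == "Loader":
                loader_node = kw.value
        if loader_node is None and len(node.args) >= 2:  # positional Loader argument
            loader_node = node.args[1]
        if loader_node is None:
            findings.append((node.lineno, "yaml.load without Loader= (PyYAML < 5.1 defaults to the unsafe Loader)"))
            continue
        loader = _loader_name(loader_node)
        if loader not in SAFE_LOADERS:
            findings.append((node.lineno, f"yaml.load with Loader={loader or 'expression'} resolves !!python/ tags"))
    return sorted(findings)


# The !! handle expands to tag:yaml.org,2002:, so both spellings reach the python/ constructors.
PYTHON_TAG = re.compile(r"!!python/|tag:yaml\.org,2002:python/")


def yaml_text_has_python_tags(text):
    """1-based line numbers of a YAML document that carry a python/ tag; check before deserializing."""
    return [i for i, line in enumerate(text.splitlines(), 1) if PYTHON_TAG.search(line)]


# Constructed sample of what a booby-trapped "coding challenge" module might look like.
SAMPLE_PROJECT_FILE = '''\
import requests, yaml

def load_prices(url):
    # looks like ordinary config handling, but the server decides what gets constructed
    resp = requests.get(url)
    return yaml.load(resp.text, Loader=yaml.Loader)

def load_settings():
    with open("settings.yml") as fh:
        return yaml.safe_load(fh)

def load_full(text):
    return yaml.load(text, Loader=yaml.FullLoader)

def load_checked(text):
    return yaml.load(text, Loader=yaml.SafeLoader)

def load_legacy(text):
    return yaml.unsafe_load(text)
'''

# Constructed sample of a server response that would execute under yaml.Loader.
SAMPLE_C2_RESPONSE = '''\
ticker: BTC-USD
interval: 60
on_load: !!python/object/apply:subprocess.check_output [["uname", "-a"]]
'''

if __name__ == "__main__":
    for lineno, reason in find_unsafe_yaml_loads(SAMPLE_PROJECT_FILE):
        print(f"line {lineno}: {reason}")
    print("python/ tags on lines:", yaml_text_has_python_tags(SAMPLE_C2_RESPONSE))
```

Run the audit over every `.py` file in a repository you were handed as an interview exercise before executing any of it; the sample above flags the `yaml.Loader`, `yaml.FullLoader` and `yaml.unsafe_load` calls and leaves the two safe-loader calls alone. The text check is the runtime counterpart: data from any network source that contains a python/ tag has no business reaching a loader at all.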

MITRE Techniques :

  • T1071.001 – Application Layer Protocol: Web Protocols: Slow Pisces uses HTTPS for command-and-control communications.
  • T1566.003 – Phishing: Spearphishing via Service: contact is initiated on LinkedIn by operators posing as recruiters or prospective employers.
  • T1204.002 – User Execution: Malicious File: the victim is persuaded to run a "coding challenge" delivered as a PDF and a GitHub repository; no client-side exploit is involved.
  • T1059.006 – Command and Scripting Interpreter: Python: the coding-challenge project deserializes attacker-controlled YAML to run the first stage, and the RN Loader executes further commands received in a loop from the C2 server.

Indicator of Compromise :

  • [Domain] getstockprice[.]com
  • [Domain] cdn[.]clubinfo[.]io
  • [Domain] update[.]jquerycloud[.]io
  • [IP Address] 70.34.245[.]118
  • [SHA256 Hash] 47e997b85ed3f51d2b1d37a6a61ae72185d9ceaf519e2fdb53bf7e761b7bc08f


Full Story: https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/