North Korean Hackers Deploy Python-Based Trojan Targeting Crypto

February 13, 2026

A new Python-based remote access Trojan (RAT) known as PylangGhost is being deployed in cyber campaigns attributed to the North Korean-aligned group Famous Chollima.

According to research from Cisco Talos, this malware, functionally similar to the previously documented GolangGhost, is used to target individuals with experience in cryptocurrency and blockchain technologies.

Fake Job Sites Deliver PylangGhost

In recent campaigns, the attackers have been using fake job interviews to trick victims into executing malicious code. These campaigns specifically target Windows users with the new Python variant, while the Golang-based RAT continues to be used against macOS systems.

Linux users are excluded from the current wave of activity.

The attack begins with fraudulent job postings, often impersonating well-known crypto companies like Coinbase and Uniswap.

Jobseekers are led to skill-testing websites built with the React framework, where they are asked to input personal data and complete a series of questions.

Upon completion, users are prompted to record a video by granting camera access, followed by instructions to install fake video drivers via command-line input.


The malicious command triggers the download of a ZIP archive containing Python modules and a Visual Basic script. This script unzips the archive and launches the Trojan using a disguised Python interpreter named nvidia.py.

PylangGhost Capabilities and Architecture

PylangGhost is composed of six main modules, all developed in Python:

  • nvidia.py initializes the RAT, ensures persistence and establishes communication with the command-and-control (C2) server

  • config.py defines configuration settings and accepted commands

  • command.py handles C2 commands like file transfers, OS shell access and data exfiltration

  • auto.py specializes in stealing credentials and cookies from over 80 browser extensions

  • api.py manages encrypted communication with the command-and-control (C2) server using RC4 encryption

  • util.py is responsible for file compression tasks
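The module names above are generic on their own (config.py and util.py appear in many projects), so a triage check has to look for them occurring together, alongside the Visual Basic launcher script. The following is an added example, not code from Cisco Talos or the original article: the function names, the five-of-six threshold and both sample archives are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Module file names as listed in the article.
PYLANGGHOST_MODULES = {"nvidia.py", "config.py", "command.py",
                       "auto.py", "api.py", "util.py"}
MIN_MODULE_HITS = 5  # assumption: tolerate one renamed or missing module


def triage_zip(data: bytes) -> dict:
    """Classify one ZIP archive (raw bytes) by its member names only."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "unreadable", "modules": [], "vbs": []}
    by_dir = {}  # directory -> listed module names found in that directory
    vbs = []     # any Visual Basic script members
    with zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue  # directory entry
            path = PurePosixPath(name.replace("\\", "/"))
            base = path.name.lower()
            if base.endswith(".vbs"):
                vbs.append(name)
            if base in PYLANGGHOST_MODULES:
                by_dir.setdefault(str(path.parent), set()).add(base)
    # Score the single directory holding the most listed modules.
    best = max(by_dir.values(), key=len, default=set())
    hit = len(best) >= MIN_MODULE_HITS and bool(vbs)
    return {"verdict": "suspicious" if hit else "no-match",
            "modules": sorted(best), "vbs": vbs}


def build_zip(names):
    """Build an in-memory ZIP of empty placeholder files (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"")
    return buf.getvalue()


# Constructed samples: the file layout and the .vbs name are made up.
SAMPLE_MATCH = build_zip(["drv/" + m for m in sorted(PYLANGGHOST_MODULES)]
                         + ["drv/example.vbs"])
SAMPLE_BENIGN = build_zip(["proj/config.py", "proj/util.py", "proj/api.py"])

if __name__ == "__main__":
    for label, blob in (("match", SAMPLE_MATCH), ("benign", SAMPLE_BENIGN)):
        print(label, triage_zip(blob))
```

A name-only match is a lead for analyst review, not a confirmation; renamed modules will evade it.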


The malware enables attackers to remotely control infected machines, upload or download files and extract sensitive data, including credentials from services like Metamask, 1Password and Phantom.

Close Parallels with Golang Version

A comparison of module structure and naming conventions between the Python and Golang versions reveals striking similarities.

This suggests a shared developer or close collaboration between authors of both variants. Although the Python version is marked as version 1.0 and the Golang version as 2.0, researchers caution against making assumptions based solely on these version numbers.

Cisco Talos has found no evidence that Cisco users were affected. Most known victims so far are located in India, and the overall impact remains limited based on open-source intelligence.
