
Crypto Workers Tricked in Job Scams Involving New Malware Linked to North Korea

 



A new online scam is targeting people who work in the cryptocurrency industry, using fake job offers and interviews to trick them into installing harmful software on their devices.

According to a report by cybersecurity researchers at Cisco Talos, the attack involves a new type of malware called PylangGhost, a remote access trojan (RAT) written in Python. Once installed, it allows attackers to secretly control the victim’s computer and steal private data such as passwords and session cookies.

The people behind the scam are believed to be tied to North Korean hacking groups, who have been linked to several past cryptocurrency-related cybercrimes. This time, they are pretending to be recruiters from well-known companies like Coinbase, Uniswap, and Robinhood to appear trustworthy.


How the Scam Works

The attackers set up fake job websites that look like they belong to real crypto companies. They then contact professionals in the industry, especially those with experience in blockchain development, and invite them to apply for jobs.

Victims are asked to complete technical assessments and share personal details, believing it's part of the interview process. Later, they’re told to prepare for a video interview and are asked to install what is described as a “video driver” to improve camera quality. However, this download is actually the PylangGhost malware.

Once installed, the software can:

1. Steal login credentials from over 80 browser extensions (such as MetaMask, Phantom, and 1Password).

2. Allow attackers to access and control the computer remotely.

3. Stay hidden and continue running even after a system reboot.


Real-World Examples

Researchers say this method has already been used in India and other countries. Similar scams in the past included fake companies like “BlockNovas LLC” and “SoftGlide LLC,” which were created to look legitimate. In one case, the FBI had to shut down one of these websites.

In another incident, engineers at the crypto exchange Kraken discovered that one job applicant was a North Korean hacker. The person was caught when they failed basic identity checks during an interview.

The malware also has a history. PylangGhost is the Python version of an earlier program called GolangGhost, which was used to target macOS systems. The newer version is now aimed specifically at Windows users, while Linux systems appear unaffected for now.


Security Experts Call for Action

Cybersecurity experts in India say this growing threat should be taken seriously. Dileep Kumar H V, director at Digital South Trust, has recommended:

• Regular cybersecurity audits for blockchain firms.

• Stronger legal protections under India’s IT Act.

• National awareness campaigns and better monitoring of fake job portals.

He also stressed the need for international coordination, urging agencies like CERT-In, MEITY, and NCIIPC to work together with global partners to counter these attacks.


Why It Matters

These scams reflect a shift in tactics and deployment of new technologies, from hacking exchanges to targeting individuals. By stealing credentials or gaining insider access, attackers may be trying to infiltrate companies from within. As the crypto industry continues to expand and transcend boundaries, so do the risks, thus making awareness and vigilance more critical than ever.



Sandman Hackers: Threat Actors use LuaDream Info-stealing Malware


Threat actors, known as 'Sandman,' have recently targeted telecommunication service providers located in the Middle East, Western Europe, and South Asia. Apparently, Sandman has used info-stealing software called 'LuaDream' to conduct its operations. 
 
The threat actors came to light in August 2023 when they were discovered by researchers from SentinelLabs in collaboration with QGroup GmbH. The malware has been named after the internal backdoor name 'DreamLand client.' 
 
To maximize its cyberespionage operations, Sandman maintains a low profile to evade detection, performs lateral movement, and maintains long-term access to compromised networks. 
 

How Does Sandman Operate? 

 
According to SentinelOne, Sandman initially acquires illicit access to a corporate network through stolen administrative credentials. Following this, Sandman uses 'pass-the-hash' attacks, reusing NTLM hashes retrieved from memory to authenticate to remote servers and services. 
 

LuaDream Malware 

 
Sandman has been using a new modular malware called 'LuaDream' in its attacks, utilizing DLL hijacking on targeted systems. The malware derives its name from LuaJIT, a just-in-time compiler for the Lua scripting language. 
 
The malware collects data and manages plugins that extend its functionality, which are received from C2 servers and executed locally on the compromised system. 
 
The staging executed by LuaDream includes a seven-step in-memory process designed to evade detection. It is initiated by either the Windows Fax or Spooler service, which runs the malicious DLL file. 
 
Reports note that the timestamps of the DLL files used for hijacking are close to the dates of the attacks, indicating that the files are customized for specific intrusions. 
 

Anti-analysis measures in the staging process include: 

 
- Concealing LuaDream's threads from debuggers. 
- Closing files with an invalid handle. 
- Detecting Wine-based sandbox environments. 
- In-memory mapping to evade EDR API hooks and file-based detections. 
- Packing staging code with XOR-based encryption and compression. 
 
LuaDream is composed of 34 components—13 core and 21 support—that use the ffi library and the LuaJIT bytecode in addition to the Windows API. 
 
While support components handle the technical aspects, including providing Lua libs and Windows API definitions, core components manage essential functions such as system and user data collection, plugin control, and C2 communications. 
 
Upon initialization, LuaDream links to a C2 server (via TCP, HTTPS, WebSocket, or QUIC) and transfers gathered data, including malware versions, IP/MAC addresses, OS details, etc. 
 
While some of Sandman's custom malware and C2 server infrastructure have been successfully exposed, its origin remains unknown. 
 
Sandman is now listed among sophisticated attackers targeting telecom companies for espionage using secret backdoors that are difficult to detect. 
 
 

The Prynt Stealer Malware Includes a Secret Backdoor, Hackers Steal Data from Credentials


Telegram channel used for attacks

Zscaler experts have found a Telegram-based backdoor in the Prynt Stealer info-stealing malware. The backdoor is embedded in the code of every variant and derivative copy of the malware, and it lets the malware's author secretly receive a copy of the information extracted from victims. 

The backdoor sends copies of victims' stolen data, gathered by other hackers, to a private Telegram chat monitored by the builder's developers. 

This kind of unpleasant surprise is not new in the cybercrime landscape; other malware has previously been found to contain a secret backdoor. 

What is Prynt Stealer?

Prynt Stealer is an info stealer that was found in April. It lets its operators extract credentials from web browsers, FTP/VPN clients, and messaging and gaming apps. 

The malware is based on open-source projects, including AsyncRAT and StormKitty, and it exfiltrates data stolen from victims via a Telegram channel. 

Prynt Stealer can be purchased in the underground market for $100 for a one-month licence or $900 for a lifetime subscription. 

How does the attack work?

Prynt Stealer's code for sending information to Telegram is taken from StormKitty with a few trivial changes. Experts add that the info stealer does not use the anti-analysis code from either StormKitty or AsyncRAT. 

Instead, it creates a thread that runs a function called processChecker to constantly monitor the target's process list for processes such as taskmgr, netstat, netmon, and wireshark. 

If any of the monitored processes are found, it blocks the Telegram C2 (Command and Control) communication channels. 

Zscaler report says:

"The fact that all Prynt Stealer samples encountered by ThreatLabz had the same embedded telegram channel implies that this backdoor channel was deliberately planted by the author. Interestingly, the Prynt Stealer author is not only charging some clients for the malware, but also receiving all of the data that is stolen." 

Leaked copies used for attack

"Note that there are cracked/leaked copies of Prynt Stealer with the same backdoor, which in turn will benefit the malware author even without direct compensation."

The experts also noticed leaked/cracked copies of Prynt Stealer that contained the same backdoor, which suggests that the malware author was able to get stolen data from these copies. 

Experts also found two more versions of the info-stealing malware named WorldWind and DarkEye that were written by the same author. 

What is DarkEye?

The experts observed that DarkEye is not mentioned or sold openly, but it is bundled as a backdoor with a "free" Prynt Stealer builder. Threat actors use this backdoor together with LodaRat and the DarkEye stealer. 

The report concludes: 

"the free availability of source code for numerous malware families has made development easier than ever for less sophisticated threat actors. As a result, there have been many new malware families created over the years that are based on popular open-source malware projects like NjRat, AsyncRAT, and QuasarRAT. The Prynt Stealer author went a step further and added a backdoor to steal from their customers by hardcoding a Telegram token and chat ID into the malware."
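The finding that every Prynt Stealer sample carries the same hardcoded Telegram token and chat ID suggests a simple triage check: extract the Telegram channels from each sample's strings and look for one channel that recurs across all builds next to a per-build operator channel. The script below is an added example written for this post, not Zscaler's tooling or any malware code; the bot-token pattern is the format commonly used by secret scanners (assumed), and all token and chat ID values are constructed.

```python
"""Triage helper: find Telegram exfil channels shared across stealer samples.

Added example for this post. The token format (numeric bot id, a colon,
35 URL-safe characters) is an assumption based on common secret-scanner
patterns; every value in SAMPLES is constructed, not a real indicator."""
import re
from collections import Counter

TOKEN_RE = re.compile(r"(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
CHAT_RE = re.compile(r"chat_id\s*[=:]\s*\"?(-?\d{6,14})")


def extract_channels(strings):
    """Return the set of (token, chat_id) pairs found in one sample's strings.
    A chat_id is attached to the most recently seen bot token."""
    pairs, token = set(), None
    for s in strings:
        m = TOKEN_RE.search(s)
        if m:
            token = m.group(1)
        c = CHAT_RE.search(s)
        if c and token:
            pairs.add((token, c.group(1)))
    return pairs


def shared_channels(samples):
    """Map each channel to the number of samples it appears in."""
    counts = Counter()
    for strings in samples.values():
        counts.update(extract_channels(strings))
    return dict(counts)


def suspected_backdoor(samples):
    """Channels present in every sample: a customer's own channel should not
    recur across builds, so a universal one is the candidate author backdoor."""
    return {ch for ch, n in shared_channels(samples).items() if n == len(samples)}


# Constructed strings mimicking three builds sold to different operators.
BACKDOOR = ("1000000001:" + "A" * 35, "-1001111111111")


def _build(op_token, op_chat):
    return [f"https://api.telegram.org/bot{op_token}/sendDocument",
            f"chat_id={op_chat}",
            f"https://api.telegram.org/bot{BACKDOOR[0]}/sendDocument",
            f"chat_id={BACKDOOR[1]}"]


SAMPLES = {"build_a.exe": _build("2000000001:" + "B" * 35, "222222222"),
           "build_b.exe": _build("3000000001:" + "C" * 35, "333333333"),
           "build_c.exe": _build("4000000001:" + "D" * 35, "444444444")}
```

On real samples, feed the output of a strings extractor per file into SAMPLES; a channel that shows up in every build while the others differ is worth blocking at the egress proxy and reporting.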