North Korean hackers have been discovered posing as recruiters to trick crypto professionals into downloading malware onto their PCs.
A new cybersecurity threat has emerged, targeting people in the cryptocurrency world. Threat actors, believed to be working on behalf of North Korea, are pretending to be recruiters from legitimate crypto companies. However, the job offers they’re sending are little more than a ploy to install malware on the target’s PC. So, instead of undertaking an interview for a prestigious position, the victims are at risk of having their passwords and crypto wallet keys stolen. And, of course, there’s the digital disaster of gifting the hackers remote access to their systems.
PylangGhost: A Remote Access Trojan
The attack begins when a communication is received from what appears to be a reputable recruiter from platforms such as Coinbase, Uniswap, or Robinhood. Delivered via email, these messages are convincing and appear to be sent from official domains. Additionally, the job descriptions perfectly match the skills of the targets. All of this conspires to make these offers seem legitimate.
Naturally, the targets are flattered to be approached by such a huge company in the crypto industry, and they’re only too happy when the attackers set up an interview. This interview typically involves completing assessments and answering a series of technical questions. Following these tests, the fake recruiter will then ask the victim to install a video driver to help facilitate some interview software. Unfortunately, this is far from a video driver – it’s malware.
The malware at the center of the attack is a remote access trojan (RAT) named PylangGhost. As with all RATs, PylangGhost gives the attackers full access – under a stealthy cover – to the victim’s PC. This enables the hackers to quietly harvest sensitive data such as login credentials, browser data, and crypto wallet information. In total, PylangGhost can target over 80 separate browser extensions such as MetaMask, 1Password, and NordPass.
So far, the attackers have focused their attention on crypto professionals based in India. However, due to the success of the malware, it’s likely that it will begin to spread globally in the near future.
How Do You Avoid Falling Victim to PylangGhost?

Your business may not be based in the crypto industry, but that doesn’t mean you won’t be targeted by a similar attack in the future. Therefore, it pays to know how to keep your defenses fortified against such an attack. To give you a helping hand, we’ve put together our three top tips for keeping safe:
- Always Verify Recruiters: If you or your employees are contacted about a job offer, don’t assume it’s genuine. Always check the recruiter’s credentials and verify that their email address matches the company’s domain. Ultimately, the only way to be 100% sure is to contact the company through its official website – or telephone them – to verify the offer.
- Never Install Unknown Files: It’s highly unlikely that a potential employer will ever ask you to install software as part of an interview process. Accordingly, if a recruiter does ask you to download software or run code, this should immediately ring alarm bells. In these instances, terminate any communications and avoid clicking on any links or files in email or messaging apps connected to the recruiter.
- Use Virtual Environments: If you do feel confident that a file or code is genuine, it’s useful to first run it in a virtual environment. These “sandboxes” – which include VMware and VirtualBox – allow you to isolate programs from your main system and execute them without fear of malware taking hold.
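The sender check from the first tip can be partly automated. The following is an added example, not code from the original article: it flags a message whose display name or domain uses a brand name without coming from that brand's domain, whose replies are diverted elsewhere, or which has no DMARC pass. The `OFFICIAL` map, the function names and both sample messages are assumptions made for illustration, and a message with no warnings still needs confirming with the company directly.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: a defender-maintained map of brand name -> official mail domain.
OFFICIAL = {"coinbase": "coinbase.com", "uniswap": "uniswap.org",
            "robinhood": "robinhood.com"}

# Constructed sample messages (not real traffic).
SPOOFED = """\
From: "Coinbase Talent Team" <careers@coinbase-hiring.example>
Reply-To: recruiter@mail-interview.example
Authentication-Results: mx.example.net; spf=pass; dkim=none; dmarc=none
Subject: Senior engineer role

Please complete the skills assessment.
"""
CLEAN = """\
From: "Coinbase Recruiting" <recruiting@coinbase.com>
Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass
Subject: Interview

Hello.
"""

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def check_recruiter_mail(raw):
    """Return a list of warnings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display = parseaddr(msg.get("From", ""))[0].lower()
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    # Only trust an Authentication-Results header added by your own mail server.
    auth = (msg.get("Authentication-Results") or "").lower()
    warnings = []
    for brand, official in OFFICIAL.items():
        genuine = from_dom == official or from_dom.endswith("." + official)
        if (brand in display or brand in from_dom) and not genuine:
            warnings.append(f"claims {brand} but sent from {from_dom}")
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"replies go to {reply_dom}, not {from_dom}")
    if not re.search(r"\bdmarc=pass\b", auth):
        warnings.append("no DMARC pass recorded by the receiving server")
    return warnings
```

Calling `check_recruiter_mail(SPOOFED)` returns three warnings, while `check_recruiter_mail(CLEAN)` returns an empty list.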