CTI Submission: Https://blog.talosintelligence.com/python-version-...

by ADMIN

In a recent cybersecurity revelation, Cisco Talos has uncovered a sophisticated campaign by the North Korean-aligned threat actor, Famous Chollima, deploying a Python-based remote access trojan (RAT) known as PylangGhost. This marks a significant shift in their tactics, as they continue to target individuals with experience in cryptocurrency and blockchain technologies, leveraging fake job opportunities to infiltrate systems.

The PylangGhost Campaign: A Deep Dive

The Famous Chollima group, also known as Wagemole, has been increasingly active since mid-2024, employing various methods such as the Contagious Interview (aka DeceptiveDevelopment) technique and deceptive job advertisements. These campaigns often culminate in the deployment of the GolangGhost RAT, particularly through ClickFix campaigns, where users are tricked into executing malicious commands. The discovery of PylangGhost, a Python variant of this RAT, signifies a strategic adaptation by the threat actor to broaden their reach and effectiveness.

Targeting Cryptocurrency and Blockchain Experts

The primary targets of this campaign are professionals with expertise in cryptocurrency and blockchain technologies. This focus suggests the group's intent to gain financial advantages by exploiting this sector. Famous Chollima employs a two-pronged strategy: they create fake employer personas to gather personal information from job seekers and deploy fake employees within targeted organizations.

The Deceptive Job Interview Scheme

The campaign's initial phase involves targeting software engineers, marketing professionals, designers, and other workers through fake recruiters. These recruiters lure potential victims to skill-testing pages, which are designed to mimic legitimate companies like Coinbase, Archblock, Robinhood, Parallel Studios, and Uniswap. This impersonation significantly enhances the credibility of the scheme, making it more likely for individuals to fall victim.

The Skill-Testing Page Deception

Once a target is identified, they receive an invitation code to access a testing website. This site prompts users to enter their details and answer skill-based questions. The sites are built using the React framework and share similar visual designs, regardless of the advertised position. After completing the questionnaire, users are invited to record a video for the interviewer and are prompted to grant camera access.

The Malicious Driver Installation Trick

The final stage of the deception occurs when users request camera access. The website then displays instructions to copy, paste, and execute a command that purportedly installs the required video drivers. The command varies with the user's operating system and browser: PowerShell or the Command shell on Windows, and Bash on macOS. Instead of installing drivers, it downloads and executes the PylangGhost RAT.

PylangGhost: A Python-Based Threat

The PylangGhost RAT is functionally equivalent to the GolangGhost RAT, but it is written in Python. The initial infection vector is a command line displayed on the fake webpage, which the user is misled into executing. This command uses either PowerShell Invoke-WebRequest or curl to download a ZIP file containing the PylangGhost modules and a Visual Basic Script file. The VBScript file extracts the Python library from “lib.zip” and launches the trojan by running a renamed Python interpreter with “nvidia.py” as the main program.

Inside the PylangGhost Architecture

PylangGhost is composed of six well-structured Python modules. While the rationale behind creating both Python and Golang variants remains unclear, code comments suggest that the threat actors did not use large language models (LLMs) to rewrite the code. The configuration module file (“config.py”) indicates that the Python version is 1.0, while the Golang version is 2.0. However, it is not definitively known if these versions are directly comparable.

Core Execution: nvidia.py

The execution process begins with “nvidia.py,” which performs several critical tasks:

  • Persistence: It creates a registry value to ensure the RAT is launched every time the user logs in.
  • System Identification: It generates a GUID for the infected system, which is used for communication with the command and control (C2) server.
  • C2 Connection: It connects to the C2 server.
  • Command Loop: It enters a command loop to receive instructions from the server.

Configuration and Command Handling

The “config.py” file specifies the commands that can be received from the C2 server, mirroring those in the Golang version. These commands allow for remote control of the infected system and the exfiltration of sensitive data. The “command.py” module defines function handlers for these commands, which include:

  • COMMAND_INFORMATION (qwer): Collects system information such as username and OS version.
  • COMMAND_FILE_UPLOAD (asdf): Enables file uploads to the infected system.
  • COMMAND_FILE_DOWNLOAD (zxcv): Facilitates file downloads from the infected system.
  • COMMAND_OS_SHELL (vbcx): Launches an operating system shell for remote access.
  • COMMAND_WAIT (ghdj): Instructs the RAT to sleep for a specified duration.
  • AUTO Commands (r4ys, 89io, gi%#): Steal browser information, including credentials and cookies.
  • COMMAND_EXIT (dghh): Terminates the RAT.

Browser Information Theft

The “auto.py” module is dedicated to stealing stored browser credentials, session cookies, and data from various browser extensions. This includes information from password managers and cryptocurrency wallets such as Metamask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink, and MultiverseX, making it a potent tool for financial theft.

Secure Communication: api.py

The “api.py” module handles communication with the C2 server, encrypting packets with RC4 before sending them over HTTP. The encryption key, however, is carried inside each packet alongside the ciphertext, so anyone who can observe the traffic can recover the key and decrypt it; the scheme obscures the data rather than protecting it. Each packet begins with a 16-byte MD5 checksum for integrity verification, followed by a 128-byte RC4 key and the encrypted data blob.
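To make that packet layout concrete, here is an added Python example (not Talos's code and not the malware's) that splits a packet of this shape into checksum, key and blob and decrypts it using nothing but the key the packet itself carries. The sample packet is constructed inline, and the choice that the MD5 covers the decrypted payload is my assumption, since the page does not state what the checksum is computed over.

```python
import hashlib
from dataclasses import dataclass

MD5_LEN = 16   # leading MD5 checksum, per the page
KEY_LEN = 128  # RC4 key that follows it, per the page

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

@dataclass
class Packet:
    key: bytes
    plaintext: bytes
    checksum_ok: bool

def parse_packet(raw: bytes) -> Packet:
    """Split checksum | key | blob and decrypt with the key the packet itself carries,
    so no pre-shared secret is needed. Assumption (the page does not say): the MD5
    is computed over the decrypted payload."""
    if len(raw) < MD5_LEN + KEY_LEN:
        raise ValueError("packet shorter than the fixed header")
    checksum = raw[:MD5_LEN]
    key = raw[MD5_LEN:MD5_LEN + KEY_LEN]
    plaintext = rc4(key, raw[MD5_LEN + KEY_LEN:])
    return Packet(key, plaintext, hashlib.md5(plaintext).digest() == checksum)

def build_packet(key: bytes, plaintext: bytes) -> bytes:
    """Inverse of parse_packet; used here only to construct sample traffic."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be exactly 128 bytes")
    return hashlib.md5(plaintext).digest() + key + rc4(key, plaintext)

# Constructed sample: a 128-byte key and the COMMAND_INFORMATION code "qwer".
SAMPLE_KEY = bytes((i * 7 + 3) & 0xFF for i in range(KEY_LEN))
SAMPLE_PACKET = build_packet(SAMPLE_KEY, b"qwer")
```

Pointed at a captured HTTP body instead of SAMPLE_PACKET, parse_packet recovers the command text without any key material from the implant, which is exactly why the transport offers no real confidentiality.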

Data Compression: util.py

The “util.py” module is responsible for compressing and decompressing files, optimizing data transfer and storage.

Python vs. Golang: A Comparative Analysis

To understand the relationship between PylangGhost and GolangGhost, Talos compared the modules in both versions. The structure, naming conventions, and function names are strikingly similar, suggesting close collaboration between the developers or the possibility that the same individual developed both variants.

Module                     Python name    Golang name
Main function module       nvidia.py      cloudfixer.go
Configuration module       config.py      config/constans.go
Main command loop          nvidia.py      core/loop.go
Command handlers           command.py     core/loop.go
Browser stealer            auto.py        auto/ modules
File compression           util.py        util/compress.go
Base64 message encoding    command.py     command/stackcmd.go
Duplicate process check    nvidia.py      instance/check.go
Communications protocol    api.py         transport/htxp.go

Defense Strategies and Coverage

Cisco offers a suite of security solutions designed to detect and block this threat. These include:

  • Cisco Secure Endpoint (formerly AMP for Endpoints): Prevents the execution of the PylangGhost malware.
  • Cisco Secure Email (formerly Cisco Email Security): Blocks malicious emails used in the campaign.
  • Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW): Detects malicious activity associated with the threat.
  • Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud): Analyzes network traffic for potentially unwanted activity.
  • Cisco Secure Malware Analytics (Threat Grid): Identifies malicious binaries and builds protection into Cisco Secure products.
  • Cisco Secure Access: Provides secure access to internet, cloud services, and private applications based on Zero Trust principles.
  • Umbrella: Blocks connections to malicious domains, IPs, and URLs.
  • Cisco Secure Web Appliance (formerly Web Security Appliance): Blocks dangerous sites and tests suspicious sites.
  • Cisco Duo: Provides multi-factor authentication to secure network access.
  • Snort Subscriber Rule Set: Offers up-to-date protection through downloadable rule packs.
  • ClamAV: Provides detections for the threat under the following signatures:
    • Win.Backdoor.PyChollima-10045389-0
    • Win.Backdoor.PyChollima-10045388-0
    • Win.Backdoor.PyChollima-10045387-0
    • Win.Backdoor.PyChollima-10045386-0
    • Win.Backdoor.PyChollima-10045385-0
    • Win.Backdoor.PyChollima-10045384-0

Indicators of Compromise (IOCs)

To aid in the detection and prevention of PylangGhost infections, the following IOCs have been identified and are available in the GitHub repository:

C2 Servers

  • hxxp[://]31[.]57[.]243[.]29:8080
  • hxxp[://]154[.]58[.]204[.]15:8080
  • hxxp[://]212[.]81[.]47[.]217:8080
  • hxxp[://]31[.]57[.]243[.]190:8080

Conclusion

The deployment of PylangGhost by Famous Chollima represents a concerning evolution in their tactics. By leveraging Python, they have broadened their toolkit and maintained their focus on cryptocurrency and blockchain professionals. This campaign highlights the critical need for robust cybersecurity measures, particularly for individuals and organizations in the targeted sectors. Staying vigilant and implementing the recommended security solutions can help mitigate the risk posed by these sophisticated threats.