Tuesday, March 17, 2026

Chollima Hackers Target Windows and MacOS with GolangGhost RAT

A sophisticated North Korean-aligned cybercrime operation, known as Famous Chollima, is currently targeting professionals in the cryptocurrency and blockchain sectors, primarily in India, by deploying both Windows and macOS versions of a remote access trojan (RAT) previously labeled GolangGhost.

Security researchers at Cisco Talos have uncovered a new Python-based variant of this malware, called PylangGhost, adding another layer to the group’s arsenal.

Fake Job Interviews: A Vector for Malware Delivery

The attack campaign is built around the creation of highly convincing fake job interview websites that impersonate legitimate cryptocurrency and fintech firms such as Coinbase, Archblock, Robinhood, and Uniswap.

Prospective job applicants, typically with significant experience in cryptocurrency or blockchain, are invited to register and undergo skills testing.

These websites, largely hosted on React-based platforms, maintain a consistent look irrespective of the targeted positions.

Once a candidate completes the questionnaire and submits personal information, they are prompted to record a video interview.

At this stage, the website requests camera access and then instructs the user to copy, paste, and execute a command on their operating system, ostensibly to install the necessary drivers.

Example of questions asked for an illegitimate Business Development Manager position at Robinhood.

Depending on the victim’s system, the instructions are tailored: Windows users receive PowerShell or Command Shell commands, while macOS users are given Bash shell instructions. This step initiates the download and execution of the malware payload.

Technical Details: PylangGhost and GolangGhost RAT Functionality

PylangGhost is a Python-based RAT that is functionally similar to the earlier GolangGhost, which has already been well analyzed in previous threat intelligence reports.

The attack begins with the target being tricked into running a script that downloads a ZIP archive containing the malware modules and a VBS script for Windows-based attacks.

The VBS script unpacks the Python library and launches the RAT by running a specially named Python interpreter with the file “nvidia.py” as the entry point.

PylangGhost consists of several modular components:

  • nvidia.py: Executes the main loop, establishes persistence by adding a registry value, generates a unique GUID for C2 (command and control) server communication, and manages the remote access loop.
  • config.py: Defines commands and configuration variables, mirroring those found in GolangGhost.
  • command.py: Handles commands received from the C2 server, such as file upload/download, shell access, and stealing browser credentials/cookies.
  • auto.py: Contains specialized functions for stealing credentials and session cookies from over 80 browser extensions, including Metamask, 1Password, NordPass, and various cryptocurrency wallets.
  • api.py: Implements the C2 communication protocol using RC4 encryption over HTTP, with encryption keys sent in the packet structure and an MD5 checksum for data integrity.
  • util.py: Manages file compression and decompression.

Notably, both the Python and Golang versions share nearly identical module structures and naming conventions, raising the suspicion that the same developers were responsible for both.

Among the key C2 commands are ‘qwer’ (collect system information), ‘asdf’ (file upload), ‘zxcv’ (file download), and several others that allow remote control and data exfiltration.
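The article describes the C2 channel (api.py) as RC4 over HTTP with the key carried in the packet and an MD5 checksum, and names ‘qwer’ as the system-information command. The following decoder is an added example written for this article, not code from the malware or from Cisco Talos; the field layout (16-byte key, 16-byte MD5 of the plaintext, then ciphertext) is an assumption, since the page does not document it. It shows the security-relevant consequence for defenders: because the key travels with the data, a captured packet can be decrypted from the capture alone, and MD5 here only detects corruption, not tampering by anyone who can also recompute it.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# ASSUMED packet layout (not documented in the article):
#   [16-byte RC4 key][16-byte MD5 of plaintext][RC4 ciphertext]
KEY_LEN = 16
MD5_LEN = 16

def build_packet(key: bytes, plaintext: bytes) -> bytes:
    """Construct a packet in the assumed layout; used here only to produce sample input."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be exactly 16 bytes")
    return key + hashlib.md5(plaintext).digest() + rc4(key, plaintext)

def decode_packet(packet: bytes) -> tuple[bool, bytes]:
    """Recover the plaintext from a captured packet and report whether its MD5 matches.

    No secret is required: the key is read straight out of the packet, which is
    exactly why an analyst with a PCAP can decode this traffic offline.
    """
    if len(packet) < KEY_LEN + MD5_LEN:
        raise ValueError("packet too short for key + checksum")
    key = packet[:KEY_LEN]
    digest = packet[KEY_LEN:KEY_LEN + MD5_LEN]
    plaintext = rc4(key, packet[KEY_LEN + MD5_LEN:])
    return hashlib.md5(plaintext).digest() == digest, plaintext

# Constructed sample (not captured traffic): a 'qwer' system-information request
# under a made-up key.
SAMPLE = build_packet(b"0123456789abcdef", b"qwer")

if __name__ == "__main__":
    ok, body = decode_packet(SAMPLE)
    print("checksum ok:", ok, "command:", body.decode())
```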

Protections and Detection

Cisco Talos has reported that, despite the sophistication of this campaign, only a small number of users, primarily in India, have been affected to date.

Advanced endpoint protection solutions, firewalls, and network analytics tools can help detect and block these threats.

Security teams are advised to review logs for unusual executable downloads, monitor for outbound connections to suspected C2 servers, and apply the latest detection signatures from antivirus providers.

The incident highlights the ongoing evolution of North Korean cyber threats, as well as the importance of maintaining vigilant security practices, particularly for professionals in high-value sectors such as cryptocurrency and blockchain.

IOCs

