- Slow Pisces targets crypto developers with bad code disguised as stock analysis tools
- Malicious code hides in plain sight, using GitHub projects and YAML deserialization tricks
- Victims unknowingly install RN Loader and RN Stealer through rigged Python repositories
A hacker group from North Korea known as Slow Pisces has launched a sophisticated campaign targeting developers in the cryptocurrency sector through LinkedIn.
The group, also known as TraderTraitor or Jade Sleet, poses as recruiters to lure victims with seemingly genuine job offers and coding challenges, only to infect their systems with malicious Python and JavaScript code.
Thanks to this campaign, the group has been able to steal substantial amounts of cryptocurrency. In 2023 alone, they were linked to over $1 billion in stolen funds. A $1.5 billion hack at a Dubai exchange and a $308 million theft from a Japanese company are among the recent attacks.
Coders beware!
After initially sending PDF documents containing job descriptions, the malicious actors follow up with coding assignments hosted on GitHub.
Although these repositories appear to be based on legitimate open-source projects, they have been secretly altered to include hidden malware.
Victims, believing they are completing programming tests, unintentionally allow malware like RN Loader and RN Stealer onto their systems.
These booby-trapped projects mimic legitimate developer tools and applications. For instance, Python repositories might seem to analyze stock market trends using data from reputable sources, while secretly communicating with attacker-controlled domains.
The malware evades most detection tools by using YAML deserialization, avoiding commonly flagged functions like eval or exec. Once triggered, the loader fetches and executes additional payloads directly in memory, making it difficult to detect or remove.
One such payload, RN Stealer, is specifically designed to exfiltrate credentials, cloud configuration files, and stored SSH keys, particularly from macOS systems.
JavaScript variants of the malware operate similarly, using the Embedded JavaScript templating engine to hide malicious code, which activates only for targeted victims based on factors like IP addresses or browser headers.
Forensic analysis shows that the malware stores code in hidden directories and communicates over HTTPS using custom tokens. However, investigators were unable to recover the full JavaScript payload.
GitHub and LinkedIn have responded by removing the malicious accounts and repositories involved.
“GitHub and LinkedIn removed these malicious accounts for violating our respective terms of service. Across our products, we use automated technology, combined with teams of investigation experts and member reporting, to combat bad actors and enforce terms of service. We continue to evolve and improve our processes and encourage our customers and members to report any suspicious activity,” the companies said in a joint statement.
There is a growing need for caution when approached with remote job offers and coding tests. Developers are advised to use strong antivirus software and run unfamiliar code in secure environments, particularly when working in sensitive sectors like cryptocurrency.
Those concerned about security should verify they are using the best IDEs, which typically include integrated security features. Staying alert, and working on a secure, controlled setup, can significantly reduce the risk of falling prey to state-backed cyber threats.
Via Unit42
