Attack Chain

1. Initial Contact: The attacker contacts a technology professional with a fake job opportunity, often advertised through LinkedIn or email.
2. Fake Company Profile: The attacker establishes credibility by creating a fake company profile on LinkedIn and/or GitHub.
3. Malicious Repository: The attacker creates a GitHub repository containing malicious code disguised as a software development project or crypto game (e.g., web3-social-platform).
4. ClickFix Delivery (PyLangGhost RAT): During a fake interview process, the attacker instructs the victim to perform a “fix” by running a command which downloads and executes a VBScript file.
5. VBScript Execution: The VBScript file (e.g., update.vbs, start.vbs) decompresses an archive (Lib.zip) containing library files and executes a renamed Python interpreter (csshost.exe) with a malicious Python script (nvidia.py).
6. BeaverTail Delivery (GitHub): The victim is convinced to clone the GitHub repository and execute commands like npm install and npm start. The index.js file retrieves the BeaverTail malware from a Base64-encoded URL hosted on Vercel.
7. Malware Execution: PyLangGhost RAT or BeaverTail malware executes on the victim’s system, enabling file exfiltration, arbitrary command execution, and system profiling.
8. Data Theft: The malware targets browser credentials, cookies, and cryptocurrency wallet data, leading to financial theft.

Impact

NICKEL ALLEY’s activities primarily target software developers and blockchain professionals. Successful attacks lead to the compromise of developer systems, theft of sensitive credentials, and exfiltration of cryptocurrency. The group’s persistent targeting of the technology sector highlights their continued focus on financial gain through cryptocurrency theft. Compromised systems can be used to further propagate attacks or to steal intellectual property.

Recommendation

• Monitor process creation events for the execution of wscript.exe launching VBScript files from the %TEMP% directory and followed by execution of renamed python.exe (csshost.exe) as described in the Attack Chain above. Deploy the Sigma rule Detect NICKEL ALLEY VBScript ClickFix to detect this activity.
• Inspect network connections from unusual processes (not browsers or standard networking tools) to newly registered domains or infrastructure providers like Vercel, using the Detect NICKEL ALLEY Outbound Connection Sigma rule.
• Block access to the IOC domains talentacq[.]pro, publicshare[.]org, and astrabytesyncs[.]com at the DNS resolver.
• Educate employees, especially those in software development, about social engineering tactics such as fake job opportunities and the ClickFix technique.