Threat actors linked to North Korea have been seen using LinkedIn as a way to target developers as part of a fake job recruitment operation.
These attacks use coding tests as a common initial infection vector, according to a new report by Google-owned Mandiant on the threats facing the Web3 sector.
“After the initial chat, the attacker sent a ZIP file containing the COVERTCATCH malware disguised as a Python coding problem,” said researchers Robert Wallace, Blas Kojusner and Joseph Dobson.
The malware functions as a launch pad to compromise a target’s macOS system by downloading a second-stage payload that provides persistence via Launch Agents and Launch Daemons.
This is one of several activity clusters, including Operation Dream Job and Contagious Interview, in which North Korean hacking groups use work-related lures to infect targets with malware.
Recruitment-themed lures have also been a common distribution tactic for malware families such as RustBucket and KANDYKORN.
Mandiant said it observed a social engineering campaign that delivered a malicious PDF disguised as a job description for a “Vice President of Finance and Operations” at a prominent cryptocurrency exchange.
“The PDF malware released a second-level malware known as RustBucket, which is a backdoor written in Rust that supports file execution.”
The RustBucket implant is equipped to collect basic system information, communicate with a URL provided via the command line, and configure persistence using a launch agent masquerading as “Safari Update” to contact a hard-coded command-and-control (C2) domain.
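A defender-side check for the persistence technique described above (a launch agent or daemon masquerading as an Apple component such as “Safari Update”), added here as an illustrative example that is not from Mandiant's report or from the malware itself. The plist contents are constructed, and the file paths, label and domain in them are placeholders rather than real indicators.

```python
from __future__ import annotations
import plistlib

# Constructed sample launch items (not real artefacts from the report).
# The first mimics the "Safari Update" masquerade: an Apple-branded label,
# a binary hidden in a user cache directory, and a URL handed over on the
# command line. The second is an ordinary third-party agent for contrast.
SAMPLE_AGENTS = {
    "com.apple.safari.update.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>Safari Update</string>
  <key>ProgramArguments</key><array>
    <string>/Users/dev/Library/Caches/.update</string>
    <string>https://c2.example.invalid/check</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "com.example.backup.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>""",
}
# Where legitimately installed binaries normally live; anything launched from a
# home directory, /tmp or a cache folder deserves a second look.
EXPECTED_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/",
                     "/usr/local/", "/Library/Apple/", "/Applications/")
APPLE_BRANDS = ("safari", "apple", "xcode", "macos")

def assess_launch_item(plist_bytes: bytes) -> list[str]:
    """Return the reasons a launch agent/daemon plist looks suspicious (empty if none)."""
    item = plistlib.loads(plist_bytes)
    label = str(item.get("Label", ""))
    args = item.get("ProgramArguments") or [item.get("Program", "")]
    program = str(args[0]) if args else ""
    reasons: list[str] = []
    if any(b in label.lower() for b in APPLE_BRANDS) and not label.startswith("com.apple."):
        reasons.append(f"label '{label}' imitates Apple branding")
    if program and not program.startswith(EXPECTED_PREFIXES):
        reasons.append(f"program '{program}' runs from an unexpected path")
    if item.get("RunAtLoad") and item.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive: relaunched automatically, typical persistence")
    if any(str(a).startswith(("http://", "https://")) for a in args[1:]):
        reasons.append("URL passed on the command line (C2 hand-off pattern)")
    return reasons

def scan(agents: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each launch item file name to its list of findings."""
    return {name: assess_launch_item(data) for name, data in agents.items()}
```

On a live system the same function can be run over the plists in `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons` by reading each file's bytes.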
North Korea’s attacks on Web3 organizations also go beyond social engineering to attack software supply chains, as seen in incidents targeting 3CX and JumpCloud in recent years.
“Once a foothold is established with malware, attackers look to password managers to steal credentials, perform internal reconnaissance using code and documentation repositories, and move into cloud hosting environments to discover wallet hotkeys and ultimately drain funds,” said Mandiant.
The disclosure comes amid a warning by the US Federal Bureau of Investigation (FBI) that North Korean threat actors are targeting the cryptocurrency industry with “highly tailored, hard-to-detect social engineering campaigns.”
This ongoing effort, posing as recruitment firms or individuals the victim may know personally or indirectly, with offers of employment or investment, is seen as a conduit for brazen crypto theft designed to generate illicit income for the hermit kingdom, which has been the subject of international sanctions.
Tactics used include identifying cryptocurrency-related companies of interest, conducting extensive pre-operational research on their targets before making contact, and crafting personalized fake scenarios in an attempt to lure potential victims and increase the likelihood of their attacks being successful.
“Actors may refer to personal information, interests, affiliations, events, personal relationships, professional connections, or details that the victim believes few people know,” the FBI said, highlighting attempts to build relationships and ultimately deliver malware.
“If successful in establishing two-way contact, the original actor or other member of the acting team can spend a lot of time interacting with the victim to increase the sense of legitimacy and engender familiarity and trust.”