Cybersecurity researchers continue to warn of attempts by North Korean threat actors to direct potential victims to LinkedIn to deliver malware called RustDoor.
The latest advisory comes from Jamf Threat Labs, which said it discovered an attempted attack in which a user contacted a professional social network claiming to be a recruiter for a legitimate decentralized cryptocurrency exchange (DEX) called STON.fi.
The malicious cyber activity is part of a multi-pronged campaign by cyber threat actors supported by the Democratic People’s Republic of Korea (DPRK) to infiltrate networks of interest under the guise of conducting interviews or coding.
The financial and cryptocurrency sectors are among the prime targets for state-sponsored adversaries seeking to generate illicit revenue and achieve a range of goals based on regime interests.
These attacks take the form of “strictly individual social engineering campaigns that are difficult to detect” targeting employees of decentralized finance (“DeFi”), cryptocurrency and similar companies, as the US Federal Bureau of Investigation (FBI) recently highlighted in an advisory.
One notable indicator of North Korean social engineering activity involves requests to execute code or download applications on company-owned devices or devices that have access to the company’s internal network.
Another aspect worth mentioning is that such attacks also include “requests for ‘pre-employment testing’ or debugging exercises that involve the execution of non-standard or unknown Node.js packages, PyPI packages, scripts or repositories GitHub.”
There were cases of such tactics widely documented Art last weekshighlighting the constant evolution of the tools used in these campaigns against the targets.
The latest attack chain identified by Jamf is that the victim was tricked into downloading a mined Visual Studio project as part of a supposed coding challenge that embeds bash commands into it to download two different second-stage payloads (“VisualStudioHelper” and “zsh_env”) from the same functionality.
In the second stage, the malware is RustDoor, which the company tracks as Thiefbucket. At the time of writing, none of the malware protection mechanisms have marked with a flag test compression file as malicious. It was uploaded to the VirusTotal platform on August 7, 2024.
“Configuration files embedded in two separate malware samples indicate that VisualStudioHelper will be stored via cron and zsh_env will be stored via a zshrc file,” said researchers Jaran Bradley and Ferdous Saljuki.
RustDoor, a backdoor for macOS, was documented for the first time Bitdefender in February 2024 in connection with a malware campaign targeting cryptocurrency firms. Subsequent analysis by S2W revealed a duplicate Golang variant GateDoor which is designed to infect Windows machines.
Jamf’s findings are significant not only because they are the first time malware has been officially attributed to a North Korean threat actor, but also because the malware is written in Objective-C.
VisualStudioHelper is also designed to act as an information stealer, collecting files specified in the configuration, but only after the user is prompted for their system password, posing as if it came from Visual Studio to avoid suspicion.
However, both payloads operate as a backdoor and use two different servers for command and control (C2) communication.
“Threat actors remain vigilant in finding new ways to target those working in the crypto industry,” the researchers said. “It’s important to educate your employees, including developers, not to be hesitant to trust anyone who connects on social media and asks users to run any type of software.
“These social engineering schemes perpetrated by the DPRK come from those who speak English well and enter the conversation after well researching their target.”
