North Korean threat actors are using LinkedIn to target developers through fraudulent job recruitment schemes.
These cyberattacks utilize coding assessments as a primary method for initial infiltration, as indicated in a recent report by Mandiant, a subsidiary of Google.
“Upon initiating a conversation, the attacker shared a ZIP file containing COVERTCATCH malware disguised as a Python coding challenge,” stated researchers Robert Wallace, Blas Kojusner, and Joseph Dobson.
The malware acts as a gateway to compromise the macOS system of the target by downloading a secondary payload to establish persistence using Launch Agents and Launch Daemons.
This is just one of several operational clusters, alongside Operation Dream Job and Contagious Interview, in which North Korean hacker groups use job-themed lures to infect victims with malware.
Deceptive offers related to job recruitment have also been widely used to distribute malware families like RustBucket and KANDYKORN.
Mandiant reported a social engineering effort that distributed a malicious PDF disguised as a job listing for a “VP of Finance and Operations” at a major cryptocurrency exchange.
“The malicious PDF introduced a secondary malware called RustBucket, which is a Rust-based backdoor supporting file execution capabilities.”
The RustBucket implant is capable of collecting basic system data, communicating with a URL specified via the command line, and establishing persistence through a Launch Agent masquerading as a “Safari Update” to communicate with a predetermined command-and-control (C2) domain.
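Both COVERTCATCH and RustBucket persist through launchd jobs, so a defender's first triage step on a suspect Mac is to inspect the Launch Agent and Launch Daemon plists. The scanner below is an added example, not code from Mandiant's report: it parses two constructed plists (one mimicking a "Safari Update" agent, one benign) and flags an Apple-branded label that runs a non-Apple binary, an executable in a user-writable path, and RunAtLoad combined with KeepAlive.

```python
import plistlib

# Paths a legitimate Apple-branded launchd job would normally execute from (assumption).
APPLE_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/Applications/Safari.app/")
# User-writable locations a post-exploitation dropper can populate without privileges.
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")

# Constructed sample plists for this example (not indicators from the report).
FAKE_SAFARI_UPDATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.safariupdate</string>
  <key>ProgramArguments</key><array>
    <string>/Users/dev/Library/Caches/.safari_update</string>
    <string>https://c2.example.invalid/beacon</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_BACKUP = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.nightlybackup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>
  <key>StartCalendarInterval</key><dict><key>Hour</key><integer>2</integer></dict>
</dict></plist>"""

def program_path(job: dict) -> str:
    """Return the executable launchd will start (Program wins over ProgramArguments[0])."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""

def suspicious_reasons(plist_bytes: bytes) -> list:
    """Return triage indicators found in one launchd plist; an empty list means nothing flagged."""
    job = plistlib.loads(plist_bytes)
    label, path = job.get("Label", ""), program_path(job)
    reasons = []
    apple_branded = label.lower().startswith("com.apple.") or "safari" in label.lower()
    if apple_branded and not path.startswith(APPLE_PREFIXES):
        reasons.append(f"Apple-branded label {label!r} runs non-Apple binary {path!r}")
    if path.startswith(WRITABLE_PREFIXES):
        reasons.append(f"executable lives in user-writable path {path!r}")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive: restarts on login and after being killed")
    return reasons

if __name__ == "__main__":
    for name, data in (("fake update", FAKE_SAFARI_UPDATE), ("backup", BENIGN_BACKUP)):
        print(name, "->", suspicious_reasons(data) or ["clean"])
```

These are triage signals rather than verdicts: legitimate third-party agents under ~/Library/LaunchAgents also run binaries from the user's home, so review flagged jobs against the installed software inventory.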
North Korea’s targeting of Web3 entities extends beyond social engineering to software supply chain attacks, as the recent 3CX and JumpCloud incidents demonstrated.
“Once they gain a foothold through malware, the attackers turn to password management tools to pilfer credentials, conduct internal reconnaissance via code repositories and documentation, and navigate into the cloud hosting environment to access hot wallet keys and drain funds,” Mandiant mentioned.
This revelation coincides with a caution from the U.S. Federal Bureau of Investigation (FBI) regarding North Korean threat actors’ focus on the cryptocurrency sector through “sophisticated social engineering campaigns that are personalized, hard to detect, and highly targeted.”
These persistent campaigns, in which the threat actors impersonate recruitment agencies or individuals known to the victim, aim to enable brazen cryptocurrency thefts that generate revenue in circumvention of the international sanctions imposed on the isolated nation.

Significant tactics include identifying cryptocurrency businesses of interest, thoroughly researching targets prior to engagement, and crafting personalized fake scenarios to manipulate potential victims, increasing the likelihood of attack success.
“The threat actors might mention personal details, interests, affiliations, relationships, or other information that the victim believes is known to only a few, in an effort to build rapport and eventually deliver malicious payloads,” highlighted the FBI.
“If successful in establishing communication, the initial actor, or another team member, could spend significant time engaging with the victim to enhance credibility, build trust, and eventually launch the attack.”