Cybersecurity researchers continue to warn of attempts by North Korean threat actors to approach prospective victims on LinkedIn and deliver the macOS malware known as RustDoor.
North Korean Hackers and the Return of RustDoor
The latest alert comes from Jamf Threat Labs, which detected an attempted attack in which a user was contacted on the professional social network claiming to be a recruiter for a legitimate decentralized cryptocurrency exchange (DEX) called STON.fi.
This activity is part of a multi-pronged campaign by threat actors backed by the Democratic People’s Republic of Korea (DPRK) to infiltrate networks of interest under the guise of conducting job interviews or assigning coding tasks.
The financial and cryptocurrency sectors are among the top targets of these state-sponsored adversaries, who seek to generate illicit revenue for the regime and to further its evolving strategic goals.
These attacks take the form of “highly personalized and hard-to-detect social engineering campaigns” aimed at employees in decentralized finance (“DeFi”), cryptocurrency and similar sectors, as recently highlighted in a US Federal Bureau of Investigation (FBI) advisory.
RustDoor Malware and Social Engineering
One notable indicator of North Korean social engineering activity is a request to execute code or download applications on company-owned devices, or on devices that have access to a company’s internal network.
Such approaches also include “requests to conduct a ‘pre-employment test’ or debugging exercise that involves running non-standard or unknown Node.js packages, PyPI packages, scripts, or GitHub repositories.”
Incidents involving these tactics have been widely documented in recent weeks, and the tooling used in the campaigns, RustDoor included, continues to evolve.
The latest attack chain detected by Jamf tricks the victim into downloading a rigged Visual Studio project as part of a supposed coding challenge. The project embeds bash commands that download two second-stage payloads, “VisualStudioHelper” and “zsh_env”, which have identical functionality.
RustDoor is just phase 2 of a bigger project
The second-stage malware is RustDoor, which Jamf tracks under the name Thiefbucket. At the time of writing, none of the anti-malware engines on VirusTotal had flagged the zipped coding-test file, uploaded to the platform on August 7, 2024, as malicious.
“The configuration files embedded in the two malware samples show that VisualStudioHelper will persist via cron while zsh_env will persist via the zshrc file,” said researchers Jaron Bradley and Ferdous Saljooki.
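As an added illustration, not Jamf’s or this article’s own code, the following Python script implements the two checks a defender would want from the chain described above: it reviews a downloaded “coding challenge” project for build or task files that embed shell commands fetching and running remote code, and it audits the user’s crontab and zsh startup files, the two persistence locations the researchers name. The file names, regular expressions and sample inputs are assumptions constructed for this example, not indicators from the Jamf report.

```python
"""Triage helpers for recruiter-delivered 'coding tests' on macOS.

Added example, not Jamf's tooling. Patterns and hook-file names below are
assumptions chosen for illustration, not indicators from the report.
"""
from __future__ import annotations

import re
import subprocess
import sys
from pathlib import Path

# --- Check 1: review a downloaded project before opening it in an IDE -------
# Shell fragments that have no place in a take-home test's build configuration.
DOWNLOAD_AND_RUN = re.compile(
    r"\b(curl|wget)\b[^|;\n]*\|\s*(ba|z)?sh\b"   # curl ... | bash
    r"|\b(ba|z)?sh\s+-c\b"                        # sh -c '...'
    r"|\bbase64\s+(-d|-D|--decode)\b"             # decode an embedded payload
    r"|\bnohup\b|\bosascript\b"                   # detach / AppleScript
)

# Files that IDEs and build tools execute or evaluate automatically (assumed list).
HOOK_NAMES = {"tasks.json", "launch.json", "settings.json", "package.json",
              "Makefile", "project.pbxproj"}
HOOK_SUFFIXES = {".sh", ".csproj", ".props", ".targets", ".yml", ".yaml"}


def is_build_hook(path: Path) -> bool:
    return path.name in HOOK_NAMES or path.suffix in HOOK_SUFFIXES


def scan_project(root) -> list[tuple[str, int, str]]:
    """Return (relative file, line number, line) for every embedded fetch-and-run
    command found in automatically executed project files. Ordinary source files
    are deliberately out of scope: the question is what runs without being read."""
    root = Path(root)
    hits: list[tuple[str, int, str]] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or not is_build_hook(path):
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        for n, line in enumerate(text.splitlines(), 1):
            if DOWNLOAD_AND_RUN.search(line):
                hits.append((str(path.relative_to(root)), n, line.strip()))
    return hits


# --- Check 2: hunt for the persistence the researchers describe --------------
# Lines worth eyes-on review in a crontab or zsh startup file: binaries run from
# scratch or hidden directories, network fetches, and detached background jobs.
PERSISTENCE_RE = re.compile(
    r"/(?:private/)?(?:var/)?tmp/|/Library/Caches/|/\.[\w-]+/"  # scratch / hidden dirs
    r"|\bnohup\b|&\s*$|\bcurl\b|\bwget\b|\bbase64\b|\bosascript\b"
)


def suspicious_lines(text: str) -> list[tuple[int, str]]:
    """Return (line number, line) for non-comment lines matching PERSISTENCE_RE."""
    out: list[tuple[int, str]] = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if PERSISTENCE_RE.search(stripped):
            out.append((n, stripped))
    return out


def audit_user_persistence(home=None) -> dict[str, list[tuple[int, str]]]:
    """Collect suspicious entries from `crontab -l` (cron persistence) and the
    zsh startup files (zshrc persistence) of the current or given home directory."""
    home = Path(home or Path.home())
    findings: dict[str, list[tuple[int, str]]] = {}
    try:
        cron = subprocess.run(["crontab", "-l"], capture_output=True,
                              text=True, check=False).stdout
    except FileNotFoundError:  # no cron on this host
        cron = ""
    if (hits := suspicious_lines(cron)):
        findings["crontab"] = hits
    for rc in (".zshrc", ".zshenv", ".zprofile", ".zlogin"):
        p = home / rc
        if p.is_file() and (hits := suspicious_lines(p.read_text(errors="replace"))):
            findings[rc] = hits
    return findings


if __name__ == "__main__":
    project_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    for f, n, line in scan_project(project_dir):
        print(f"[project] {f}:{n}: {line}")
    for src, hits in audit_user_persistence().items():
        for n, line in hits:
            print(f"[persist] {src}:{n}: {line}")
```

Run it with the unpacked project directory as the argument before opening the project in an IDE. An empty result is not a clean bill of health, only the absence of the crude patterns listed; conversely, the zsh check will flag legitimate tool managers that live in hidden directories, so the output is a review list rather than something to delete automatically.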
RustDoor, a backdoor for macOS, was first documented by Bitdefender in February 2024 in connection with a malware campaign targeting cryptocurrency firms. A subsequent analysis by S2W uncovered a Golang variant called GateDoor, designed to infect Windows machines.
Jamf’s findings are significant not only because they mark the first time RustDoor has been formally attributed to North Korean threat actors, but also because the malware is written in Objective-C.
VisualStudioHelper also acts as an information stealer, harvesting files specified in its configuration, but only after tricking the user into entering their system password with a prompt disguised as coming from the Visual Studio app so as not to raise suspicion.
Both payloads, however, operate as backdoors and use two different servers for command and control (C2) communications.
“Cybercriminals continue to remain vigilant in finding new ways to target those working in the cryptocurrency industry,” the researchers said. “It is important to train your employees, including developers, to be cautious when trusting anyone who connects on social media and asks users to run software of any kind.”
The researchers concluded: “These social engineering schemes carried out by the DPRK come from people who are proficient in English and start the conversation after having studied their target well.”