North Korean Hackers Exploit LinkedIn to Target Cryptocurrency Users with RustDoor Malware
Jamf Threat Labs recently issued a new advisory, revealing a cyberattack attempt in which a user was approached on LinkedIn by someone posing as a recruiter for a legitimate decentralized cryptocurrency exchange (DEX) called STON.fi.
This attack is part of a larger, multi-faceted campaign orchestrated by threat actors backed by North Korea (the Democratic People’s Republic of Korea, DPRK). The strategy involves infiltrating targeted networks under the guise of conducting job interviews or coding assignments.
The financial and cryptocurrency sectors have become prime targets for these state-sponsored actors, who aim to generate illicit revenue and further the regime’s strategic goals. These attacks are characterized by “highly customized, hard-to-detect social engineering campaigns,” particularly targeting employees in decentralized finance (DeFi) and cryptocurrency firms. This was recently emphasized in a U.S. Federal Bureau of Investigation (FBI) advisory.
A common red flag in these campaigns is the request for victims to run code or download applications on company devices, or devices connected to a company’s internal network.
The most recent attack identified by Jamf involves deceiving the victim into downloading a malicious Visual Studio project disguised as part of a coding challenge. This project contains bash commands designed to download two second-stage payloads, named “VisualStudioHelper” and “zsh_env,” both serving the same purpose.
The second-stage malware, known as RustDoor and tracked by Jamf as Thiefbucket, remains undetected by antivirus software. The zipped coding test file, first uploaded to VirusTotal on August 7, 2024, has not been flagged as malicious by any anti-malware engines.
Researchers Jaron Bradley and Ferdous Saljooki noted that “the configuration files within the two malware samples reveal that VisualStudioHelper persists via cron, while zsh_env persists through the zshrc file.”
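Since the advisory names cron and the zshrc file as the two persistence paths, here is an added example (not part of the advisory or Jamf's tooling) that audits crontab and ~/.zshrc text for such hooks from a defender's side. The sample crontab and zshrc contents are constructed; only the payload names VisualStudioHelper and zsh_env come from the article, and the other patterns are generic heuristics that can produce false positives.

```python
"""Audit crontab and ~/.zshrc text for the persistence described above.
Example code added here, not Jamf's tooling; the sample crontab and zshrc
contents are constructed, only the payload names come from the advisory."""
import re

# Payload names from the advisory plus generic download-and-run heuristics.
KNOWN_NAMES = ("VisualStudioHelper", "zsh_env")
SUSPICIOUS = re.compile(
    r"(curl|wget)\b.*\|\s*(ba|z)?sh\b"   # pipe a download straight into a shell
    r"|/(private/)?(var/)?tmp/"          # runs something out of a temp directory
    r"|~/\.[A-Za-z0-9_]+/"               # binary under a hidden dotfolder in $HOME
)

def flag_command(command: str) -> bool:
    """True if a shell command references a known payload or matches a heuristic."""
    return any(n in command for n in KNOWN_NAMES) or bool(SUSPICIOUS.search(command))

def audit_crontab(crontab: str) -> list:
    """Return crontab lines whose command part is suspicious."""
    hits = []
    for raw in crontab.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # '@reboot cmd' style entries have one schedule field, otherwise five
        fields = line.split(None, 1 if line.startswith("@") else 5)
        command = fields[-1] if len(fields) > 1 else ""
        if flag_command(command):
            hits.append(line)
    return hits

def audit_zshrc(zshrc: str) -> list:
    """Return non-comment zshrc lines that look like a persistence hook."""
    return [l.strip() for l in zshrc.splitlines()
            if l.strip() and not l.strip().startswith("#") and flag_command(l)]

# Constructed samples: one benign entry each, plus one modelled on the advisory.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/brew update
*/5 * * * * ~/.local/VisualStudioHelper/VisualStudioHelper
"""
SAMPLE_ZSHRC = """export PATH=$HOME/bin:$PATH
alias ll='ls -la'
nohup ~/.config/zsh_env >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for hit in audit_crontab(SAMPLE_CRONTAB) + audit_zshrc(SAMPLE_ZSHRC):
        print("SUSPICIOUS:", hit)
```

On a live host the same functions can be fed the output of `crontab -l` and the contents of `~/.zshrc`; the hidden-dotfolder heuristic will also flag legitimate tooling installed under $HOME, so treat hits as leads to review rather than verdicts.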
Blogger at www.systemtek.co.uk