Cyber Defense Advisors

North Korean Hackers Target Cryptocurrency Users on LinkedIn with RustDoor Malware

Cybersecurity researchers are continuing to warn about North Korean threat actors’ attempts to target prospective victims on LinkedIn to deliver malware called RustDoor.

The latest advisory comes from Jamf Threat Labs, which said it spotted an attack attempt in which a user was contacted on the professional social network by claiming to be a recruiter for a legitimate decentralized cryptocurrency exchange (DEX) called STON.fi.

The malicious cyber activity is part of a multi-pronged campaign unleashed by cyber threat actors backed by the Democratic People’s Republic of Korea (DPRK) to infiltrate networks of interest under the pretext of conducting interviews or coding assignments.

The financial and cryptocurrency sectors are among the top targets for the state-sponsored adversaries seeking to generate illicit revenues and meet an ever-evolving set of objectives based on the regime’s interests.

These attacks manifest in the form of “highly tailored, difficult-to-detect social engineering campaigns” aimed at employees of decentralized finance (“DeFi”), cryptocurrency, and similar businesses, as recently highlighted by the U.S. Federal Bureau of Investigation (FBI) in an advisory.

One of the notable indicators of North Korean social engineering activity relates to requests to execute code or download applications on company-owned devices, or devices that have access to a company’s internal network.

Another aspect worth mentioning is that such attacks also involve “requests to conduct a ‘pre-employment test’ or debugging exercise that involves executing non-standard or unknown Node.js packages, PyPI packages, scripts, or GitHub repositories.”

Instances featuring such tactics have been extensively documented in recent weeks, underscoring a persistent evolution of the tools used in these campaigns against targets.

The latest attack chain detected by Jamf entails tricking the victim into downloading a booby-trapped Visual Studio project as part of a purported coding challenge that embeds within it bash commands to download two different second-stage payloads (“VisualStudioHelper” and “zsh_env”) with identical functionality.

This stage two malware is RustDoor, which the company is tracking as Thiefbucket. As of writing, none of the anti-malware engines have flagged the zipped coding test file as malicious. It was uploaded to the VirusTotal platform on August 7, 2024.

“The config files embedded within the two separate malware samples shows that the VisualStudioHelper will persist via cron while zsh_env will persist via the zshrc file,” researchers Jaron Bradley and Ferdous Saljooki said.

RustDoor, a macOS backdoor, was first documented by Bitdefender in February 2024 in connection with a malware campaign targeting cryptocurrency firms. A subsequent analysis by S2W uncovered a Golang variant dubbed GateDoor that’s meant for infecting Windows machines.

The findings from Jamf are significant, not only because they mark the first time the malware has been formally attributed to North Korean threat actors, but also for the fact that the malware is written in Objective-C.

VisualStudioHelper is also designed to act as an information stealer by harvesting files specified in the configuration, but only after prompting the user to enter their system password by masquerading it as though it’s originating from the Visual Studio app to avoid raising suspicion.

Both the payloads, however, operate as a backdoor and use two different servers for command-and-control (C2) communications.

“Threat actors continue to remain vigilant in finding new ways to pursue those in the crypto industry,” the researchers said. “It’s important to train your employees, including your developers, to be hesitant to trust those who connect on social media and ask users to run software of any type.

“These social engineering schemes performed by the DPRK come from those who are well-versed in English and enter the conversation having well researched their target.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.