Cyber Defense Advisors

North Korean Threat Actors Deploy COVERTCATCH Malware via LinkedIn Job Scams

Threat actors affiliated with North Korea have been observed leveraging LinkedIn as a way to target developers as part of a fake job recruiting operation.

These attacks employ coding tests as a common initial infection vector, Google-owned Mandiant said in a new report about threats faced by the Web3 sector.

“After an initial chat conversation, the attacker sent a ZIP file that contained COVERTCATCH malware disguised as a Python coding challenge,” researchers Robert Wallace, Blas Kojusner, and Joseph Dobson said.

The malware functions as a launchpad to compromise the target’s macOS system by downloading a second-stage payload that establishes persistence via Launch Agents and Launch Daemons.

It’s worth pointing out that this is one of many activity clusters – namely Operation Dream Job, Contagious Interview, and others – undertaken by North Korean hacking groups that make use of job-related decoys to infect targets with malware.

Recruiting-themed lures have also been a prevalent tactic to deliver malware families such as RustBucket and KANDYKORN. It’s currently not clear if COVERTCATCH has any connection to these strains, or the newly identified TodoSwift.

Mandiant said it observed a social engineering campaign that delivered a malicious PDF disguised as a job description for a “VP of Finance and Operations” at a prominent cryptocurrency exchange.

“The malicious PDF dropped a second-stage malware known as RustBucket which is a backdoor written in Rust that supports file execution.”

The RustBucket implant is equipped to harvest basic system information, communicate with a URL provided via the command-line, and set up persistence using a Launch Agent that disguises itself as a “Safari Update” in order to contact a hard-coded command-and-control (C2) domain.
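Both the COVERTCATCH second stage and RustBucket persist through launchd jobs, so the Launch Agent and Launch Daemon plist directories are a natural place for a defender to look. The script below is an added example (not code from the Mandiant report or from either malware family): it parses launchd property lists and flags jobs whose label imitates Apple or Safari while running a binary outside system locations, jobs that execute from user-writable paths, jobs that combine RunAtLoad with KeepAlive, and interpreters wrapping a dropped script. The heuristics, the three sample plists, and every label and path in them are constructed for illustration and are not indicators from the report.

```python
import glob
import os
import plistlib
import re

# Locations from which Apple- or vendor-signed launchd jobs normally run (heuristic).
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")
# User-writable staging locations a dropped payload or script tends to live in (heuristic).
USER_WRITABLE = re.compile(r"^(/tmp/|/private/tmp/|/var/tmp/|/Users/Shared/|/Users/[^/]+/)")
# Interpreters that, when wrapping a dropped script, are worth a second look.
INTERPRETERS = {"python", "python3", "osascript", "bash", "zsh", "sh", "curl"}
# launchd directories to review on a live host.
LAUNCHD_DIRS = (os.path.expanduser("~/Library/LaunchAgents"),
                "/Library/LaunchAgents", "/Library/LaunchDaemons")


def program_path(job: dict) -> str:
    """launchd takes the executable from Program or from ProgramArguments[0]."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def analyze_launchd_plist(data: bytes) -> list:
    """Return reasons a launchd job looks like attacker persistence ([] if none)."""
    job = plistlib.loads(data)
    label = str(job.get("Label", ""))
    exe = program_path(job)
    args = [str(a) for a in (job.get("ProgramArguments") or [])]
    findings = []

    # 1. Apple/Safari-themed label backed by a binary outside system locations.
    looks_apple = label.lower().startswith("com.apple.") or "safari" in label.lower()
    if looks_apple and not exe.startswith(SYSTEM_PREFIXES):
        findings.append(f"Apple-style label {label!r} runs non-system binary {exe!r}")

    # 2. Executable or script argument sits in a user-writable directory.
    for path in sorted({exe, *args}):
        if USER_WRITABLE.match(path):
            findings.append(f"user-writable path {path!r}")

    # 3. Auto-start plus keep-alive: launchd restarts the job if it is killed.
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive (restarts automatically)")

    # 4. An interpreter launching something else, e.g. python3 <dropped script>.
    if len(args) > 1 and os.path.basename(args[0]) in INTERPRETERS:
        findings.append(f"interpreter launch: {' '.join(args)}")
    return findings


def scan_directories(dirs=LAUNCHD_DIRS) -> dict:
    """Review every plist in the launchd directories; keys are paths that had findings."""
    report = {}
    for d in dirs:
        for path in glob.glob(os.path.join(d, "*.plist")):
            try:
                with open(path, "rb") as fh:
                    findings = analyze_launchd_plist(fh.read())
            except Exception as exc:  # an unreadable or malformed plist is itself worth noting
                findings = [f"could not parse: {exc}"]
            if findings:
                report[path] = findings
    return report


# Constructed samples for offline testing; labels and paths are invented, not report IoCs.
PLIST_HEAD = b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n'
PLIST_TAIL = b"</dict>\n</plist>\n"

MALICIOUS_SAMPLE = PLIST_HEAD + b"""<key>Label</key><string>com.apple.SafariUpdate</string>
<key>ProgramArguments</key><array><string>/Users/Shared/.update/safari_update</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
""" + PLIST_TAIL

SCRIPT_SAMPLE = PLIST_HEAD + b"""<key>Label</key><string>com.example.devtools</string>
<key>ProgramArguments</key><array><string>/usr/bin/python3</string>
<string>/Users/dev/.cache/challenge.py</string></array>
<key>RunAtLoad</key><true/>
""" + PLIST_TAIL

BENIGN_SAMPLE = PLIST_HEAD + b"""<key>Label</key><string>com.example.backup-agent</string>
<key>ProgramArguments</key><array><string>/Applications/ExampleBackup.app/Contents/MacOS/agent</string>
<string>--daemon</string></array>
<key>RunAtLoad</key><true/>
""" + PLIST_TAIL

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_SAMPLE), ("script", SCRIPT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyze_launchd_plist(sample))
    for path, findings in scan_directories().items():
        print(path, findings)
```

Run on a macOS host it reviews the user's and the system's launchd directories; on any other system the directories are simply absent and only the constructed samples are reported. The checks are deliberately broad heuristics for triage, so a hit (for example a legitimate vendor agent installed under a home directory) is a prompt to verify the binary's code signature and origin rather than a verdict.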

North Korea’s targeting of Web3 organizations also goes beyond social engineering to encompass software supply chain attacks, as observed in the incidents aimed at 3CX and JumpCloud in recent years.

“Once a foothold is established via malware, the attackers pivot to password managers to steal credentials, perform internal reconnaissance via code repos and documentation, and pivot into the cloud hosting environment to reveal hot wallet keys and eventually drain funds,” Mandiant said.

The disclosure comes amid a warning from the U.S. Federal Bureau of Investigation (FBI) about North Korean threat actors’ targeting of the cryptocurrency industry using “highly tailored, difficult-to-detect social engineering campaigns.”

These ongoing efforts, which impersonate recruiting firms or individuals that a victim may know personally or indirectly with offers of employment or investment, are seen as a conduit for brazen crypto heists designed to generate illicit income for the hermit kingdom, which has been the subject of international sanctions.

Notable tactics include identifying cryptocurrency-related businesses of interest, conducting extensive pre-operational research on targets before initiating contact, and concocting personalized fake scenarios that appeal to prospective victims and increase the likelihood that the attack succeeds.

“The actors may reference personal information, interests, affiliations, events, personal relationships, professional connections, or details a victim may believe are known to few others,” the FBI said, highlighting attempts to build rapport and eventually deliver malware.

“If successful in establishing bidirectional contact, the initial actor, or another member of the actor’s team, may spend considerable time engaging with the victim to increase the sense of legitimacy and engender familiarity and trust.”
