North Korean Hackers Use LinkedIn to Target Crypto Sector with RustDoor Malware

Cybersecurity researchers have issued warnings about North Korean threat actors using LinkedIn to deliver malware, specifically RustDoor, to unsuspecting victims. The latest alert comes from Jamf Threat Labs, which uncovered an attack where a LinkedIn user was contacted by someone posing as a recruiter for STON.fi, a legitimate decentralized cryptocurrency exchange (DEX).

This activity is part of a larger, coordinated campaign by state-backed hackers from the Democratic People’s Republic of Korea (DPRK). These hackers aim to infiltrate the networks of organizations, often under the guise of conducting interviews or technical assessments. Their primary targets are the financial and cryptocurrency sectors, which North Korean actors exploit to generate illicit revenue and achieve regime-driven objectives.

The attackers employ sophisticated, hard-to-detect social engineering techniques. These campaigns, particularly those aimed at employees within decentralized finance (DeFi) and cryptocurrency firms, have been noted in recent advisories by the U.S. Federal Bureau of Investigation (FBI). One typical tactic involves requesting victims to execute code or download applications on devices with access to internal company networks.

In many cases, attackers ask targets to complete "pre-employment tests" or debugging tasks involving non-standard or suspicious Node.js or PyPI packages, scripts, or GitHub repositories. Recent documentation shows that such attacks have been evolving, using increasingly advanced tools.

The latest attack identified by Jamf involved tricking a victim into downloading a booby-trapped Visual Studio project disguised as part of a coding challenge. This project embedded bash commands that download two second-stage payloads, "VisualStudioHelper" and "zsh_env," which have identical functions. Both malware samples—collectively known as RustDoor (tracked by Jamf as Thiefbucket)—are designed to persist on the victim’s machine through different methods.

The malicious code attempts to maintain persistence through cron jobs for VisualStudioHelper, while zsh_env does so via the zshrc file. RustDoor, a macOS backdoor first detected by Bitdefender in February 2024, has now been formally linked to North Korean hackers for the first time by Jamf. It has also been identified in a Golang variant, known as GateDoor, which is used to target Windows systems.
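The two persistence methods described above (a cron job for VisualStudioHelper, a line appended to ~/.zshrc for zsh_env) can be audited on an endpoint with a short script. The following is an added example written for this article, not Jamf's code: the payload names come from the article, while the generic risky-command patterns and the sample crontab and zshrc contents are constructed assumptions for demonstration.

```python
import re
from typing import List, Tuple

# Payload names reported for this campaign (taken from the article).
KNOWN_PAYLOAD_NAMES = ("VisualStudioHelper", "zsh_env")

# Generic patterns worth a second look in cron entries or shell rc files.
# These are assumptions of this example, not indicators published by Jamf.
SUSPICIOUS_PATTERNS = [
    (r"curl\s+[^|]*\|\s*(ba|z)?sh", "download piped straight into a shell"),
    (r"base64\s+(-d|--decode)", "base64-decoded command"),
    (r"(/tmp/|/private/tmp/|/var/tmp/)", "executable launched from a temp directory"),
    (r"(^|/)\.[^/\s]+/[^\s]+", "executable under a hidden dot-directory"),
]


def _hits_for_line(line: str) -> List[str]:
    """Collect every reason a single executable line looks suspicious."""
    reasons = []
    for name in KNOWN_PAYLOAD_NAMES:
        if name in line:
            reasons.append(f"references known payload name '{name}'")
    for pattern, why in SUSPICIOUS_PATTERNS:
        if re.search(pattern, line):
            reasons.append(why)
    return reasons


def audit_persistence(crontab_text: str, zshrc_text: str) -> List[Tuple[str, str, str]]:
    """Return (source, line, reason) findings for crontab entries and ~/.zshrc lines."""
    findings = []
    for source, text in (("crontab", crontab_text), ("zshrc", zshrc_text)):
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank lines and comments cannot execute anything
            for reason in _hits_for_line(line):
                findings.append((source, line, reason))
    return findings


# Constructed sample inputs (not real captured artefacts); on a live host you
# would pass the output of `crontab -l` and the contents of ~/.zshrc instead.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /Users/dev/Library/.cache/VisualStudioHelper
"""
SAMPLE_ZSHRC = """export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
~/.config/zsh_env &
"""

if __name__ == "__main__":
    for source, line, reason in audit_persistence(SAMPLE_CRONTAB, SAMPLE_ZSHRC):
        print(f"[{source}] {reason}: {line}")
```

The benign backup job and the alias produce no findings; each planted line is reported twice, once for the known payload name and once for living in a hidden directory.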

The malware is notable for being written in Objective-C and acts as both a backdoor and an information stealer. VisualStudioHelper attempts to harvest specified files from the victim's system, prompting the user to enter their system password by mimicking a request from the Visual Studio app to avoid suspicion.

Both payloads establish command-and-control (C2) communications with two different servers, allowing the attackers to control infected devices remotely.

Jamf’s discovery is significant not only because it identifies RustDoor as a North Korean tool but also due to the evolving sophistication of these attacks. The researchers stressed the importance of training employees, particularly developers, to be cautious of unsolicited contacts on social media, especially when asked to run or download unfamiliar software.

“Threat actors are continually adapting to find new ways to target the cryptocurrency industry,” researchers Jaron Bradley and Ferdous Saljooki said. “It's crucial to ensure employees remain skeptical of those who reach out via social media and ask them to execute software of any kind. These DPRK social engineering campaigns are led by actors fluent in English and are well-researched on their targets.”

