Beware: North Korean Hackers Target Crypto Professionals on LinkedIn with RustDoor Malware!

North Korean Threat Actors Target Cryptocurrency Users

Cybersecurity researchers are raising alarms about North Korean threat actors using LinkedIn as a platform to spread RustDoor malware. The recent advisory from Jamf Threat Labs highlights an attack where a user was approached by someone posing as a recruiter for a legitimate decentralized cryptocurrency exchange, STON.fi.

Multi-Pronged Campaign

This activity is part of a broader campaign by actors backed by the Democratic People's Republic of Korea (DPRK), targeting networks of interest under the guise of conducting interviews or coding assignments. The financial and cryptocurrency sectors are prime targets for these state-sponsored adversaries, seeking to generate illicit revenues.

Sophisticated Social Engineering Tactics

These attacks employ highly tailored social engineering campaigns aimed at employees in decentralized finance (DeFi) and cryptocurrency sectors. The FBI has also issued warnings about these tactics, which often involve requests for executing code or downloading apps on company devices.

RustDoor Malware Analysis

The latest attack chain involves tricking victims into downloading a malicious Visual Studio project as part of a supposed coding challenge. This project contains bash commands to download two second-stage payloads: VisualStudioHelper and zsh_env, both with similar functionalities. The malware, RustDoor, is a macOS backdoor first identified in early 2024.

Conclusion

Researchers emphasize the importance of training employees, especially developers, to be cautious about unsolicited connections on social media and requests to run software. The DPRK's social engineering schemes are executed by individuals proficient in English, who meticulously research their targets before initiating contact.