Cybercriminals backed by North Korea are actively targeting cryptocurrency and DeFi businesses with sophisticated social engineering campaigns that leverage LinkedIn and deploy a previously undocumented macOS backdoor called RustDoor.
Highly Tailored Attacks: Researchers from Jamf Threat Labs recently identified an attack attempt in which a crypto user was contacted on LinkedIn by someone claiming to be a recruiter for the legitimate decentralized exchange (DEX) STON.fi. This reflects the growing trend of highly personalized social engineering by North Korean threat actors, a trend the FBI has previously warned about.
Red Flags and Indicators: These attacks often involve requests to execute code or download applications on company devices, participate in “pre-employment tests” involving unfamiliar scripts or packages, or perform debugging exercises with unknown software.
Evolving Tactics: The latest attack chain observed by Jamf involved sending a booby-trapped Visual Studio project as a supposed coding challenge. This project downloaded two second-stage payloads disguised as “VisualStudioHelper” and “zsh_env,” both of which deployed the RustDoor malware, also known as Thiefbucket.
RustDoor: A Stealthy Backdoor: RustDoor, undocumented until it was first described in February 2024, is a macOS backdoor written in Objective-C that targets cryptocurrency firms. Significantly, this is the first time the malware has been linked to North Korean actors. A variant called GateDoor, written in Golang, is known to target Windows machines.
Information Theft and Persistence: The VisualStudioHelper payload functions as an information stealer, harvesting files specified in its configuration. It even attempts to steal the user’s system password by mimicking a request from Visual Studio itself. Both payloads operate as backdoors, communicating with separate command-and-control (C2) servers.
Protecting Yourself: These findings underscore the importance of cybersecurity awareness training for employees in the crypto industry, especially developers. Be cautious of social media contacts who ask you to run software, and thoroughly vet unfamiliar applications before downloading or running them. North Korean actors are adept at crafting believable personas and conducting in-depth research on their targets.
Staying Vigilant: The cryptocurrency industry remains a lucrative target for cybercriminals. By staying informed about the latest threats and implementing robust security practices, crypto businesses can significantly reduce their risk of falling victim to these attacks.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. Summitsystemsissp assumes no liability for the accuracy or consequences of using this information.