Analysis Summary

North Korean threat actors continue to target victims on LinkedIn as part of a sophisticated social engineering campaign aimed at delivering malware, specifically the RustDoor backdoor.

A recent report highlighted an attack where a user was contacted by someone posing as a recruiter from a legitimate decentralized cryptocurrency exchange, STON.fi. The attackers attempt to infiltrate networks by using job offers or coding assignments as pretexts to deploy malware, aiming to target the financial and cryptocurrency sectors to generate revenue for the Democratic People's Republic of Korea (DPRK).

These attacks are highly tailored, focusing on employees of decentralized finance (DeFi) and cryptocurrency companies. North Korean threat actors often ask victims to run code or download applications on company-owned devices or to complete "pre-employment tests" using unfamiliar Node.js or PyPI packages. The U.S. FBI has issued warnings about such tactics, emphasizing the persistent nature of these campaigns and their evolving tools. One of the more recent attack chains involves luring victims into downloading a booby-trapped Visual Studio project as part of a coding challenge.

The Visual Studio project contains hidden bash commands that download two second-stage payloads: VisualStudioHelper and zsh_env. These payloads are linked to RustDoor, a macOS backdoor also referred to as Thiefbucket. The malware came to light in February 2024, when researchers reported targeting cryptocurrency firms. Notably, the discovery is the first time RustDoor has been attributed to North Korean actors, and the malware is unique in being written in Objective-C. RustDoor’s persistence mechanisms rely on cron jobs and modifications to the zshrc file to ensure the malware remains active on infected systems.

VisualStudioHelper also acts as an information stealer by prompting victims to enter their system password, disguising the prompt as a Visual Studio-related message to avoid detection. Both payloads, RustDoor and VisualStudioHelper, function as backdoors, communicating with two different command-and-control (C2) servers. These developments highlight the increasing sophistication of DPRK-backed actors, who are becoming more adept at targeting crypto companies through technical assignments and social engineering tactics.

Researchers stress the importance of employee awareness and training, particularly for developers, to be cautious about unsolicited requests to run software or execute code. The North Korean actors behind these campaigns are well-versed in English and thoroughly research their targets, making their social engineering attempts appear legitimate and difficult to detect.

Impact

• Sensitive Data Theft
• Cyber Espionage
• Financial Loss
• Cryptocurrency Theft

Indicators of Compromise

Domain Name

• taurihostmetrics.com
• juchesoviet48.com

IP

• 139.59.182.234
• 62.204.41.73
• 185.234.216.180

MD5

• d2da2dc24f73f66f3fbe62784262378b
• 457b0b1ab814a830ee2f658eb501face
• 701165265b73f90942b7000ba39cfe5c
• b728e72a6f3b1a1dbe35b2397338bcf8
• 8221da48890aaa5fa2e3a0455c2dce57
• 6448a1a2afa753a7842495c6a64111ea

SHA-256

• a900ec81363358ef26bcdf7827f6091af44c3f1001bc8f52b766c9569b56faa5
• 76f96a35b6f638eed779dc127f29a5b537ffc3bb7accc2c9bfab5a2120ea6bc9
• baa676b671e771bf04b245e648f49516b338e1f49cbd9b4d237cc36d57ab858d
• 794e18d4b8c98174429230ca20f7b75b3a0b65345fc9112d3ff7df10d05c3b52
• 014c6298bfdcc06a4b21e7ff6a1c57cf78c922e0291b18b20cc74f04d892cce2
• e064158742c9a5f451e69b02e83eea9fb888623fafe34ff5b38036901d8419b4

SHA1

• 5ec7497107478f08ca5018bf659f9340880c059c
• a246db8fe1a4f385ed5e2eed5087a60fd2be6b5a
• 254aad39a432ff0df2ce35cc4ff3578afe1dc1df
• f669fba857401406db6b35958d5f57d9d8030f56
• f11ca6e92a3f2af3590021d1475a740e6246347e
• c401c8aafc28317828f6b648a3abf6e01d05efae

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Encourage users to regularly update their systems and install security patches to mitigate vulnerabilities that threat actors may exploit.
• Advocate for the implementation of multi-factor authentication wherever possible to add an extra layer of security, especially for sensitive applications like messaging and financial apps.
• Organizations should conduct regular security audits and vulnerability assessments to identify and address potential weaknesses in their systems and networks.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Along with network and system hardening, code hardening should be implemented within the organization to secure its websites and software. Test tools are used to detect any vulnerabilities in the deployed codes.