Monday, March 31, 2025

North Korea’s cyber threat actors deploy a highly sophisticated COVERTCATCH malware via LinkedIn job scams, exploiting the professional networking platform to compromise unsuspecting victims.

North Korean-affiliated threat actors have been observed exploiting LinkedIn as a means to target professionals in a sophisticated phishing scheme disguised as a legitimate job recruitment operation.

Cybercriminals are leveraging coding exams as a primary entry point for attacks on the Web3 sector, according to a new report from Google-owned Mandiant, which highlights the growing threat landscape for this emerging industry.

Researchers Robert Wallace, Blas Kojusner, and Joseph Dobson noted that after an initial chat conversation, the attacker sent a ZIP file containing COVERTCATCH malware masquerading as a Python coding puzzle.
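The chain above starts with a recruiter-supplied archive that the target is expected to unpack and run. The following added example (not Mandiant's tooling, and not code from the report) shows the kind of static triage a defender can apply to such an archive before anything in it is opened: it lists entries, flags hidden paths, Mach-O binaries regardless of extension, executable mode bits, zip-slip paths, and Python files that pull in process-spawning, network or decoding modules a coding puzzle rarely needs. The archive and the heuristics are constructed assumptions for illustration, not indicators from the article.

```python
"""Static triage of a 'coding challenge' ZIP before it is unpacked or run.

Added example for this article; not Mandiant's code. The archive built by
build_sample_archive() is constructed, and the heuristics are assumptions
about what a reviewer would want flagged, not indicators from the page.
"""
import io
import re
import zipfile

# Mach-O magic numbers: 32/64-bit in both byte orders, plus fat (universal) binaries.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

# Python constructs a puzzle rarely needs but a dropper usually does (assumption).
RISKY_PYTHON = re.compile(
    r"\b(subprocess|os\.system|os\.popen|urllib|requests|socket|base64\.b64decode|exec\(|eval\()"
)


def triage_archive(zip_bytes: bytes) -> dict[str, list[str]]:
    """Return {entry_name: [findings]} for every entry that deserves a second look."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1]
            findings = []
            if base.startswith(".") or "/." in name:
                findings.append("hidden path component")
            if name.startswith("/") or ".." in name.split("/"):
                findings.append("absolute or traversal path (zip slip)")
            data = zf.read(info)
            if data[:4] in MACHO_MAGICS:
                findings.append("Mach-O executable regardless of extension")
            elif data.startswith(b"#!"):
                findings.append("script with shebang")
            if name.endswith(".py"):
                hits = sorted(set(RISKY_PYTHON.findall(data.decode("utf-8", "replace"))))
                if hits:
                    findings.append("uses " + ", ".join(hits))
            # Unix permission bits are stored in the high 16 bits of external_attr.
            if (info.external_attr >> 16) & 0o111:
                findings.append("executable bit set")
            if findings:
                report[name] = findings
    return report


def build_sample_archive() -> bytes:
    """Constructed sample: a 'puzzle' whose setup step launches a hidden binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("puzzle/README.md", "# Puzzle\nRun `python setup.py`, then `python solve.py`.\n")
        zf.writestr("puzzle/solve.py", "def solve(nums):\n    return sorted(nums)\n")
        # The base64 string decodes to "./puzzle/.env/.helper"; encoding it is exactly
        # why a triage tool should flag b64decode next to a process launch.
        zf.writestr(
            "puzzle/setup.py",
            "import base64, subprocess\n"
            "subprocess.Popen([base64.b64decode(b'Li9wdXp6bGUvLmVudi8uaGVscGVy')])\n",
        )
        helper = zipfile.ZipInfo("puzzle/.env/.helper")
        helper.external_attr = 0o755 << 16  # -rwxr-xr-x
        zf.writestr(helper, b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # 64-bit LE Mach-O magic
    return buf.getvalue()


if __name__ == "__main__":
    for entry, findings in triage_archive(build_sample_archive()).items():
        print(entry)
        for f in findings:
            print("  -", f)
```

The point of the sample is that the visible puzzle file is clean; the risk sits in a hidden, executable, extension-less Mach-O file and in a setup script that decodes a path at run time. A review that only reads `solve.py` misses both.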

The malware serves as a springboard into the target’s macOS system, downloading a second-stage payload that secures persistent access through Launch Agents and Launch Daemons.

Notably, the regime’s cyber units have spearheaded a series of job-themed phishing campaigns, including Operation Dream Job and Contagious Interview, which leverage employment-related lures to infect victims with malicious code.

Threat actors posing as recruiters are increasingly using job postings that masquerade as legitimate employment opportunities to distribute malicious payloads, including the notorious RustBucket and KANDYKORN malware strains.

According to Mandiant, a sophisticated social engineering scheme emerged, targeting the finance industry with a phishing email masquerading as a job posting for a “Vice President of Finance and Operations” at a prominent cryptocurrency exchange. The email attached a malicious PDF document posing as a job description.

The malicious PDF delivered a secondary payload known as RustBucket, a backdoor crafted in Rust that facilitates file execution.

The RustBucket implant provides basic system information gathering, communicates with a URL supplied on the command line, and establishes persistence by masquerading as a “Safari Update” Launch Agent, ultimately connecting to a hard-coded command-and-control (C2) server.
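Both COVERTCATCH and RustBucket are described above as persisting through launchd items, one of them as a Launch Agent dressed up as a “Safari Update”. The following added example (not Mandiant's tooling, and not code from the report) is a small defender-side scanner that parses launchd property lists and reports traits that do not belong in a legitimate agent: a label imitating a vendor update component without the `com.apple.` namespace, a `com.apple.` label whose program lives outside system paths, a program under a cache, temp or user-writable directory, a hidden (dot-file) program, and the RunAtLoad plus KeepAlive combination that restarts the process when it is killed. The two plists are constructed samples and the heuristics are assumptions; they are not the actual RustBucket plist, which the article does not reproduce.

```python
"""Scan launchd property lists for persistence traits such as a "Safari Update" lure.

Added example for this article; not Mandiant's code. The plists below are
constructed samples, and the heuristics are assumptions about what a defender
would flag, not indicators published in the report.
"""
import plistlib
import re
from pathlib import Path

# Directories a legitimate Launch Agent or Daemon program rarely executes from (assumption).
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/",
                   "/Library/Caches/", "/Downloads/")
# Label fragments that imitate vendor update/helper components (assumption).
LURE_LABELS = re.compile(r"(safari|apple|chrome|google).*(update|helper)", re.I)
APPLE_PREFIX = "com.apple."
SYSTEM_PATHS = ("/System/", "/usr/", "/Applications/")


def program_path(plist: dict) -> str:
    """Return the executable launchd would run, from Program or ProgramArguments[0]."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def assess_launch_item(plist_bytes: bytes) -> list[str]:
    """Return human-readable findings for one plist; an empty list means nothing odd."""
    plist = plistlib.loads(plist_bytes)
    findings = []
    label = str(plist.get("Label", ""))
    path = program_path(plist)

    if LURE_LABELS.search(label) and not label.startswith(APPLE_PREFIX):
        findings.append(f"label imitates a vendor update component: {label!r}")
    if label.startswith(APPLE_PREFIX) and not path.startswith(SYSTEM_PATHS):
        findings.append(f"com.apple label but program outside system paths: {path!r}")
    if any(d in path for d in SUSPICIOUS_DIRS):
        findings.append(f"program runs from a user-writable or cache directory: {path!r}")
    if Path(path).name.startswith("."):
        findings.append(f"program is a hidden (dot) file: {path!r}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad and KeepAlive both set: restarts immediately if killed")
    return findings


def scan_directory(directory: str) -> dict[str, list[str]]:
    """Assess every .plist in a launchd directory; returns {file: findings} for flagged files."""
    root = Path(directory).expanduser()
    if not root.is_dir():
        return {}
    results = {}
    for p in root.glob("*.plist"):
        try:
            findings = assess_launch_item(p.read_bytes())
        except Exception as exc:  # a plist launchd cannot parse is itself worth a look
            findings = [f"unparseable plist: {exc}"]
        if findings:
            results[str(p)] = findings
    return results


# Constructed sample: an agent posing as a Safari updater that runs a hidden
# binary from the user's cache directory and restarts itself if killed.
SAMPLE_LURE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.safari.update.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/Library/Caches/.safari-update</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed sample: an ordinary third-party agent whose program lives in /Applications.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.syncagent</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/syncagent</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, blob in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, assess_launch_item(blob) or "no findings")
    for d in ("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"):
        for f, findings in scan_directory(d).items():
            print(f, *findings, sep="\n  ")
```

The heuristics deliberately avoid anything that needs network access or code signing checks, so the script runs on a disk image or a collected triage bundle as well as on a live machine. Signature verification of the flagged program (for instance with `codesign -dv`) is the natural next step once a candidate is identified.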

North Korea’s focus on Web3 companies extends beyond social engineering tactics to include sophisticated software supply chain attacks, as seen in recent incidents targeting 3CX and JumpCloud.

“When attackers gain an initial foothold through malware, they rapidly shift their focus to compromising password managers, leveraging access to steal credentials, conduct internal reconnaissance by exploiting code repositories and documentation, and ultimately pivot into the cloud hosting environment to extract hot wallet keys and drain funds.”

The disclosure coincides with a warning from the US government. The Federal Bureau of Investigation has warned that North Korean threat actors are targeting the cryptocurrency market with “highly tailored, sophisticated social engineering attacks” designed to evade detection.

In these ongoing campaigns, the actors masquerade as legitimate recruiting companies or as individuals familiar to the victims, offering fake job opportunities or investment schemes that serve as a front for brazen cryptocurrency heists, ultimately funding North Korea’s clandestine activities and circumventing international sanctions.

The attackers typically begin by identifying cryptocurrency-related businesses of interest, conduct thorough pre-attack research on potential targets before making contact, and then craft customized fake scenarios to entice unsuspecting victims and increase the likelihood of a successful attack.

The FBI warned that the actors may use intimate details about their targets’ personal lives, hobbies, affiliations, events, relationships, professional networks, or confidential information shared with only a select few, as a means of establishing trust before ultimately delivering malicious software.

“If successful in establishing a bidirectional connection, the initial point of contact or another member of their team should invest significant time engaging with the individual to build credibility, foster familiarity, and cultivate trust.”
