North Korea’s Recruitment-Themed Cyberattacks for Spreading RustDoor Malware

Persistent threat activity orchestrated by the Democratic People's Republic of Korea (DPRK) is put into focus by the FBI and researchers from Jamf Threat Labs. North Korean actors are targeting individuals on networking platforms, predominantly LinkedIn, with the intention of distributing malware known as RustDoor (aka Thiefbucket). Jamf Threat Labs reinforces intelligence relayed in the FBI's public service announcement released on September 3, 2024. Jamf reports an incident where a user was approached on the professional networking platform by someone impersonating a recruiter from STON.fi, a legitimate decentralized cryptocurrency exchange. This strategy is part of a broader campaign by state-sponsored hackers from the Democratic People's Republic of Korea aiming to infiltrate networks under the pretense of job interviews or coding assignments. The financial and cryptocurrency industries are primary targets for these cyber adversaries, who seek to illicitly generate revenue and advance objectives aligned with their nation's interests. The attacks are marked by social engineering techniques designed to deceive employees of decentralized finance (DeFi) platforms, cryptocurrency firms, and similar businesses.

Analysis from Jamf researchers discovered threat activity aligning with the FBI-reported indicator of tactics which notes: "Requests to conduct a 'pre-employment test' or debugging exercise that involves executing non-standard or unknown Node.js packages, PyPI packages, scripts, or GitHub repositories." These malicious campaigns involve requests for potential victims to execute code or download applications on devices connected to company networks. An indicator of a potentially fictitious account on LinkedIn is accounts with no followers. In the case reported by Jamf, the victim was deceived into downloading a tampered Visual Studio project file as part of a supposed coding challenge.

When the project's build process initiates, specific Bash commands are executed that are embedded within the project's csproj files. The commands perform multiple actions in sequence: First, they change the working directory to /Users/$USER/Library/. Next, they use curl to silently download a file named 'VisualStudioHelper' from a predetermined URL, ensuring the file retains its name with the -O option. These commands then modify the file's permissions using 'chmod +x', making it executable. To conceal the file from the user's view, 'chflags hidden' is employed. Finally, the script executes this now-hidden file. Similarly, a second payload named "zsh_env" is downloaded and executed in the user’s .config directory. Each payload is tailored for specific functions; "VisualStudioHelper" is designed to act as an infostealer and secures persistence through cron tasks, while "zsh_env" achieves persistence via modifications to the .zshrc file.

This secondary malware, identified as 'RustDoor', is a macOS backdoor previously documented in attacks targeting cryptocurrency companies. Jamf researchers note that "the two executables are nearly identical in functionality. What primarily sets them apart are their embedded configurations." Specifically, the method in which the two establish persistence: VisualStudioHelper will persist via cron while zsh_env will persist via the zshrc file, as detailed by Jamf researchers. The "VisualStudioHelper" component acts as an information stealer, collecting specified files after tricking the user into entering their system password by mimicking a legitimate prompt from the Visual Studio application. Jamf researchers stress the importance of educating employees to be wary of unsolicited contacts on social media platforms, especially those requesting the execution of software or code.