
FBI warns of North Korean cyber attacks


North Korean threat actors have been observed leveraging LinkedIn to target developers through fake job recruiting operations. These attacks employ coding tests as an initial infection vector, according to a new study by Google-owned Mandiant focused on threats faced by the Web3 sector. “After an initial chat conversation, the attacker sent a ZIP file containing COVERTCATCH malware disguised as a Python coding challenge,” researchers Robert Wallace, Blas Kojusner, and Joseph Dobson revealed.

The malware functions as a launchpad to compromise the target’s macOS system by downloading a second-stage payload that establishes persistence via Launch Agents and Launch Daemons. Recruitment-themed lures have been a prevalent tactic used by North Korean hacking groups to deliver various malware strains. Mandiant noted it had observed a social engineering campaign that delivered a malicious PDF disguised as a job description for a “VP of Finance and Operations” at a prominent cryptocurrency exchange.

This PDF dropped a second-stage malware known as RustBucket, a backdoor written in Rust designed to execute files, gather system information, and set up persistence using a Launch Agent disguised as a “Safari Update” to contact a hard-coded command-and-control (C2) domain.
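As an added defender-side example (not code from the article, Mandiant, or the FBI), the check below parses LaunchAgent plists and flags jobs that carry an Apple- or Safari-sounding label but execute a binary from a user-writable or hidden location, the pattern the “Safari Update” persistence described above relies on. The trusted-path list, the lookalike tokens, and both plists are constructed assumptions for illustration, not a signature.

```python
import plistlib

# Assumption: Apple's own launch jobs run from these prefixes; anything claiming to be an
# Apple/Safari component but executing from elsewhere deserves a closer look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/Safari.app/", "/Library/Apple/")
APPLE_LOOKALIKES = ("com.apple.", "safari", "update")
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")

def program_of(job: dict) -> str:
    """Return the executable a launchd job would run (Program, else first ProgramArguments entry)."""
    if "Program" in job:
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""

def assess_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return the reasons a LaunchAgent plist looks like a disguised persistence job (empty if none)."""
    job = plistlib.loads(plist_bytes)
    label = str(job.get("Label", "")).lower()
    program = program_of(job)
    reasons = []
    if any(token in label for token in APPLE_LOOKALIKES) and not program.startswith(TRUSTED_PREFIXES):
        reasons.append(f"Apple-sounding label {label!r} runs non-system binary {program}")
    if job.get("RunAtLoad") and program.startswith(USER_WRITABLE):
        reasons.append(f"RunAtLoad job executes from user-writable path {program}")
    if "/." in program:
        reasons.append(f"binary lives in a hidden directory: {program}")
    return reasons

# Constructed sample plists (not real artifacts): one mimics the 'Safari Update' lure, one is a benign dev job.
SUSPECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.Safari.Update</string>
<key>ProgramArguments</key><array><string>/Users/dev/Library/.cache/safari_update</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>homebrew.mxcl.postgresql</string>
<key>ProgramArguments</key><array><string>/opt/homebrew/bin/postgres</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, assess_launch_agent(blob) or "no findings")
```

On a live system the same function can be run over every file in `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`; the heuristics will produce false positives for third-party updaters and are a triage aid, not a verdict.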

FBI warns of digital espionage

North Korea’s targeting of Web3 organizations extends beyond social engineering to include software supply chain attacks.

“Once a foothold is established via malware, the attackers pivot to password managers to steal credentials, perform internal reconnaissance, and pivot into the cloud environment to access hot wallet keys and drain funds,” Mandiant reported. The disclosure comes amid a warning from the U.S. Federal Bureau of Investigation (FBI) about North Korean threat actors targeting the cryptocurrency industry with highly tailored, difficult-to-detect social engineering campaigns. These campaigns often impersonate recruiting firms or individuals known to the victims, offering employment or investment opportunities as conduits for crypto heists designed to generate illicit income for North Korea.

“Notable tactics include identifying cryptocurrency-related businesses of interest, conducting extensive pre-operational research on targets, and creating personalized fake scenarios to appeal to prospective victims and increase the likelihood of their attacks’ success. The actors may reference personal information and professional connections to build rapport and eventually deliver malware,” the FBI noted. If successful, the actors may spend considerable time engaging with the victim to establish legitimacy and trust.
