Friend
When a dream interview turns into a digital nightmare.
Cybersecurity researchers are warning of new attacks carried out by hackers from North Korea who use the LinkedIn platform to distribute malware called RustDoor. Experts from the Jamf Threat Labs reported that they had discovered a hacking attempt during which the attackers introduced themselves as recruiters of the decentralized cryptocurrency exchange STON.fi.
These attacks, as it turned out, are part of a broader campaign initiated by state hackers from the DPRK. They aim to infiltrate company networks under the pretense of conducting interviews or testing programming skills. The main targets are the financial and cryptocurrency sectors, where attackers seek to make quick illegal money and perform certain tasks in the interests of the North Korean regime.
Such attacks are characterized by a high degree of tailoring to the victim and are difficult to detect. This is social engineering aimed at employees of companies working in decentralized finance, cryptocurrencies, and related areas.
One of the telltale signs of such attacks is a request to install programs or execute code on devices that have access to corporate networks. For example, attackers may invite the target to undergo "pre-testing" or perform debugging tasks using non-standard Node.js packages, PyPI packages, or GitHub repositories.
Recently, Jamf specialists recorded a hacking attempt in which the victim was offered a Visual Studio project to download as part of a "test task". This project contained hidden commands that downloaded two malicious files, 'VisualStudioHelper' and 'zsh_env'. Both files performed the same function: delivering second-stage malware, including RustDoor, also known as Thiefbucket.
Notably, the RustDoor malware, which targets macOS systems, was first spotted in February 2024 by Bitdefender in attacks on cryptocurrency firms. There is also a Windows version called GateDoor.
In addition, VisualStudioHelper works as a data-stealing tool: it prompts the user for the system password while spoofing the Visual Studio interface. The two malicious components use different C2 servers.
Experts emphasize the importance of training employees, especially developers, to prevent such attacks. North Korean attackers often have a good command of English and prepare carefully by studying their targets before launching an attack.
Source