Threat actors tied to North Korea have been increasingly using LinkedIn as a vector to target developers, leveraging fake job recruiting schemes. This new tactic is part of a broader campaign aimed at compromising systems in the Web3 sector, according to cybersecurity firm Mandiant, a subsidiary of Google.
These attacks often start with social engineering, where unsuspecting developers are lured through enticing job offers. A significant aspect of this strategy is the use of coding tests as the initial infection vector. After a conversation with the target, the attackers send a ZIP file containing the COVERTCATCH malware, disguised as a Python coding challenge, according to researchers Robert Wallace, Blas Kojusner, and Joseph Dobson from Mandiant.
How COVERTCATCH Works
COVERTCATCH is a sophisticated piece of malware designed to compromise macOS systems. Once executed, the malware acts as a launchpad for more malicious activity by downloading a second-stage payload. This payload ensures the attacker maintains persistent access to the system by utilizing macOS’s Launch Agents and Launch Daemons, a common technique for gaining elevated privileges and remaining undetected.
This latest campaign is part of a larger pattern of activity by North Korean hacking groups, including notable operations like “Operation Dream Job” and “Contagious Interview.” These operations have consistently used job-related decoys to infect victims with malware. In addition to COVERTCATCH, recruiting-themed lures have been employed to deliver other malware families, such as RustBucket and KANDYKORN.
The Social Engineering Campaign
Mandiant’s report highlights a sophisticated social engineering campaign where attackers impersonated recruiters to deliver malicious PDFs. In one case, the document was disguised as a job description for a “VP of Finance and Operations” at a well-known cryptocurrency exchange. When opened, the PDF dropped a second-stage malware called RustBucket, which serves as a backdoor for attackers.
RustBucket, written in the Rust programming language, is specifically designed for macOS. It allows the attackers to harvest basic system information, execute files, and communicate with a command-and-control (C2) server. The malware establishes persistence by using a Launch Agent that disguises itself as a “Safari Update.” This stealthy tactic ensures that RustBucket remains hidden while maintaining a connection to the C2 server for further exploitation.
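As an added illustration of the defender's side of the Launch Agent persistence described above (example code written for this article, not Mandiant's tooling or anything from the report), the following Python script parses launchd property lists and flags agents whose label borrows Apple branding such as "Safari" while launching a program from a user-writable path. The sample plists, the brand keyword list and the trusted-path prefixes are constructed heuristics, not indicators from the campaign.

```python
import plistlib
from pathlib import Path

# Words a launchd item posing as Apple software might borrow (constructed heuristic list)
APPLE_BRANDS = ("apple", "safari", "icloud", "xprotect", "softwareupdate")
# Where Apple's own launchd programs live; anything branded "Apple" but running elsewhere is suspect
TRUSTED_PREFIXES = ("/System/", "/usr/libexec/", "/Applications/Safari.app/")

def classify_launch_item(plist_bytes: bytes) -> list[str]:
    """Return the reasons a launchd plist looks like disguised persistence (empty list = nothing flagged)."""
    item = plistlib.loads(plist_bytes)
    label = str(item.get("Label", "")).lower()
    args = item.get("ProgramArguments") or []
    program = str(item.get("Program") or (args[0] if args else ""))
    reasons = []
    brand_in_label = any(brand in label for brand in APPLE_BRANDS)
    program_trusted = program.startswith(TRUSTED_PREFIXES)
    if brand_in_label and not program_trusted:
        reasons.append(f"label {label!r} imitates Apple software but runs {program!r} outside Apple paths")
    if brand_in_label and not label.startswith("com.apple."):
        reasons.append(f"label {label!r} borrows an Apple name without the com.apple. prefix")
    if item.get("RunAtLoad") and item.get("KeepAlive"):
        reasons.append("RunAtLoad plus KeepAlive: starts at login and is relaunched whenever it exits")
    return reasons

def scan_directory(directory: Path) -> dict[str, list[str]]:
    """Scan every .plist in a LaunchAgents/LaunchDaemons folder; keys are files with non-empty findings."""
    findings = {}
    for path in sorted(directory.glob("*.plist")):
        reasons = classify_launch_item(path.read_bytes())
        if reasons:
            findings[path.name] = reasons
    return findings

# Constructed sample: a user-domain Launch Agent posing as a Safari updater (not a real artifact)
FAKE_SAFARI_UPDATE = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
  <key>Label</key><string>com.safari.update</string>
  <key>ProgramArguments</key><array><string>/Users/dev/Library/.cache/safari_update</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed sample: a benign third-party agent that borrows no Apple branding
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
  <key>Label</key><string>com.example.backupsync</string>
  <key>ProgramArguments</key><array><string>/Applications/BackupSync.app/Contents/MacOS/agent</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(classify_launch_item(FAKE_SAFARI_UPDATE), classify_launch_item(BENIGN_AGENT))
    print(scan_directory(Path.home() / "Library" / "LaunchAgents"))  # live check of the user's own agents
```

Run on a real machine, `scan_directory` only surfaces candidates for review; a legitimate third-party tool that happens to mention Apple in its label will also be listed, so confirm findings by checking the program's code signature before acting.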
Broader North Korean Campaigns
The latest campaign is not an isolated incident. North Korean threat actors have been actively targeting the Web3 and cryptocurrency sectors through various means, including software supply chain attacks. Previous incidents have involved targeting well-known companies like 3CX and JumpCloud.
These campaigns are typically designed to establish a foothold in a victim’s system through malware. Once inside, the attackers often pivot to password managers to steal credentials, perform internal reconnaissance on code repositories, and infiltrate cloud-hosting environments. In some cases, they manage to steal hot wallet keys, allowing them to drain funds from cryptocurrency accounts.
This pattern of activity aligns with North Korea’s broader strategy to use cyberattacks as a means of generating illicit income. The regime, which has been the subject of international sanctions, has increasingly turned to cryptocurrency heists as a way to fund its operations. These activities have drawn the attention of various law enforcement agencies, including the U.S. Federal Bureau of Investigation (FBI).
FBI Warnings and Social Engineering Tactics
The FBI has issued multiple warnings about North Korean threat actors’ targeting of the cryptocurrency industry. These threat actors use highly tailored social engineering campaigns that are difficult to detect. Often, they impersonate recruiting firms or individuals the victim may know, creating a sense of familiarity and trust.
The FBI has highlighted that North Korean hackers go to great lengths to build rapport with their targets. These attackers conduct extensive research on their targets, including identifying personal information, interests, professional affiliations, and even personal relationships. By referencing these details, they can create personalized fake scenarios that make their offers of employment or investment appear legitimate.
In many cases, once the attackers establish initial contact, they may spend weeks or even months engaging with their target. This extended interaction increases the likelihood that the victim will trust them and eventually fall for the scam, at which point malware like COVERTCATCH or RustBucket is deployed.
Targeting Cryptocurrency-Related Businesses
North Korea’s cyber operations are particularly focused on cryptocurrency-related businesses, including exchanges, developers, and investors. The lure of high-paying jobs in the growing cryptocurrency sector has made it easier for attackers to create believable fake job offers.
Once a victim engages with the attackers, the threat actors often try to move the conversation off LinkedIn or other professional platforms and onto more private communication channels. This is where the real danger begins, as the attackers can send malicious files disguised as coding challenges or job-related documents.
Conclusion
The increasing sophistication of North Korean cyber operations presents a significant threat to the cryptocurrency and Web3 sectors. By leveraging platforms like LinkedIn and employing social engineering tactics, these attackers are able to bypass traditional cybersecurity defenses and target individuals directly. The use of job-related lures, like fake coding challenges and job descriptions, makes these attacks even more dangerous, as they prey on individuals who may not suspect any foul play.
Organizations and individuals working in the cryptocurrency space should remain vigilant, particularly when receiving unsolicited job offers or requests for coding tests. It is essential to verify the authenticity of any such communications and be wary of downloading files from unknown or untrusted sources. As North Korean cyber actors continue to evolve their tactics, staying informed and adopting strong security practices will be key to preventing these types of attacks.