New RustDoor Malware Spreads Through Fake LinkedIn Job Offers
Cybersecurity researchers are raising the alarm about novel attacks perpetrated by North Korean hackers, who are exploiting the LinkedIn platform to disseminate malware known as RustDoor. Experts at Jamf Threat Labs have reported uncovering an attempted breach in which the perpetrators posed as recruiters for the decentralized cryptocurrency exchange STON.fi.
These attacks, it has been revealed, constitute a component of a broader campaign orchestrated by state-sponsored hackers from North Korea. Their objective is to infiltrate corporate networks under the guise of conducting interviews or assessing programming skills. The primary targets are the financial and cryptocurrency sectors, where the attackers seek rapid illicit gains and the accomplishment of specific tasks in the interests of the North Korean regime.
Such attacks are characterized by their high degree of victim-tailoring and their inherent difficulty of detection. This is social engineering aimed at employees of companies in the decentralized finance, cryptocurrency, and related fields.
A hallmark of these attacks is the request to install programs or execute code on devices with access to corporate networks. For instance, the attackers may propose a “preliminary test” or debugging tasks involving non-standard Node.js packages, PyPI, or GitHub repositories.
Recently, Jamf specialists observed an attempted breach where the victim was prompted to download a Visual Studio project as part of a “test assignment.” This project contained concealed commands that downloaded two malicious files: “VisualStudioHelper” and “zsh_env.” Both files served the same purpose, deploying second-stage malware, including RustDoor, also known as Thiefbucket.
Notably, the RustDoor malware, targeting macOS systems, was first documented in February 2024 by Bitdefender during attacks on cryptocurrency firms. A Windows variant, dubbed GateDoor, also exists.
Furthermore, VisualStudioHelper functions as a data theft tool, prompting the user for their system password by mimicking the Visual Studio interface. Both malicious components utilize distinct C2 servers.
Experts emphasize the importance of educating employees, particularly developers, to prevent such attacks. North Korean attackers often possess proficiency in English and engage in meticulous preparation, studying their targets before launching an attack.
