North Korean Threat Actors Utilize COVERTCATCH Malware in LinkedIn Job Scams

Threat actors affiliated with North Korea are using LinkedIn to target developers through a fake job recruiting operation, according to a report issued by Google’s Mandiant.

These attacks involve coding tests as the primary method of infection, with researchers Robert Wallace, Blas Kojusner, and Joseph Dobson reporting that the phishing emails contained malware disguised as Python coding challenges.

The malware, known as COVERTCATCH, serves as a backdoor into the victim’s macOS system, allowing for the download of additional malware that establishes persistence on the system.

These attacks are part of a larger campaign by North Korean hacking groups, including Operation Dream Job and Contagious Interview, which use job-related lures to infect targets with malware such as RustBucket and KANDYKORN.

Additionally, Mandiant observed a social engineering campaign that delivered a malicious PDF disguised as a job description for a role at a cryptocurrency exchange, dropping the RustBucket backdoor.

The RustBucket backdoor is designed to collect system information, communicate with a command-and-control domain, and establish persistence using a disguised Launch Agent.

In addition to social engineering tactics, North Korea has also targeted Web3 organizations through software supply chain attacks, compromising systems to steal credentials and drain funds.

The FBI has issued warnings about North Korean threat actors targeting the cryptocurrency industry through sophisticated social engineering campaigns to carry out crypto heists.

These actors extensively research cryptocurrency businesses, personalize their attacks to increase success rates, and build rapport with victims to deliver malware.

By establishing a sense of legitimacy and trust, these actors aim to deceive victims and carry out their malicious activities.
