Sep 07, 2024
Ravie Lakshmanan
North Korean threat actors have set their sights on developers by using LinkedIn as a front for fake job recruiting operations, according to Google-owned Mandiant. The attackers employ coding tests as a means to deliver malware to unsuspecting victims within the Web3 sector.
The malicious activity, dubbed “Operation Dream Job,” involves sending a ZIP file containing COVERTCATCH malware disguised as a Python coding challenge after initial chat conversations with potential targets. Once executed, the malware downloads a second-stage payload to compromise the victim’s macOS system.
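The lure described above arrives as an archive that a candidate is asked to unpack and run. The following is an added defender-side triage script, not code from Mandiant's report or the original article: it lists the ZIP members without extracting them, statically parses any Python file for imports and calls that have no place in a take-home test, and flags members that carry Mach-O (native macOS binary) magic bytes. The module and call lists and the sample archive are constructed assumptions, not indicators from the reported campaign.

```python
import ast
import io
import zipfile

# Modules and call chains that have no place in a take-home coding test (assumed triage list).
SUSPICIOUS_MODULES = {"subprocess", "urllib", "requests", "socket", "ctypes"}
SUSPICIOUS_CALLS = {"os.system", "os.popen", "exec", "eval", "subprocess.run",
                    "subprocess.Popen", "urllib.request.urlopen"}
# Mach-O magic bytes (64-bit, 32-bit, fat): a native macOS binary shipped inside a "Python" challenge.
MACHO_MAGICS = {b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

def python_findings(source):
    """Statically list suspicious imports and calls; the source is parsed, never executed."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return ["unparseable source"]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            mods = [node.module] if isinstance(node, ast.ImportFrom) else [a.name for a in node.names]
            findings += [f"import {m}" for m in mods if m and m.split(".")[0] in SUSPICIOUS_MODULES]
        elif isinstance(node, ast.Call) and ast.unparse(node.func) in SUSPICIOUS_CALLS:
            findings.append(f"call {ast.unparse(node.func)}")
    return findings

def triage_zip(data):
    """Map each archive member to its findings; nothing is extracted to disk or run."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info)
            if info.filename.endswith(".py"):
                report[info.filename] = python_findings(blob.decode("utf-8", "replace"))
            else:
                report[info.filename] = ["Mach-O binary"] if blob[:4] in MACHO_MAGICS else []
    return report

def build_sample_zip():
    """Constructed sample: a 'challenge' that imports network/exec modules, a Mach-O helper, a README."""
    challenge = "import urllib.request, subprocess\ndef solve(n):\n    return n * 2\nsubprocess.run(['echo', 'stage2'])\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("challenge.py", challenge)
        zf.writestr("helper.bin", b"\xcf\xfa\xed\xfe" + b"\x00" * 12)
        zf.writestr("README.md", "# Take-home test\n")
    return buf.getvalue()
```

A clean take-home test produces an empty findings list for every member; any import, call or binary in the report is reason to examine the archive in an isolated environment rather than on a developer workstation.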
Furthermore, North Korean hackers have been using recruiting-themed lures to distribute malware families like RustBucket and KANDYKORN. The latest attacks involving COVERTCATCH and TodoSwift have shown a new level of sophistication in social engineering and malware delivery techniques.
Mandiant also uncovered a social engineering campaign that utilized a malicious PDF disguised as a job description at a cryptocurrency exchange to drop a RustBucket backdoor into the victim’s system.
Aside from social engineering tactics, North Korean hackers have also targeted Web3 organizations through software supply chain attacks, as evidenced by incidents involving 3CX and JumpCloud in recent years. These attacks pivot from malware infiltration to credential theft and crypto heists, demonstrating the relentless nature of these threat actors.
The FBI has issued warnings about North Korean threat actors using elaborate social engineering campaigns to target the cryptocurrency industry, emphasizing the need for vigilance and caution when dealing with unsolicited offers or communications.

The FBI highlights the personalized nature of these attacks, indicating that the threat actors invest time and effort in establishing a rapport with the victim before delivering malware. It underscores the importance of staying informed and cautious in light of these evolving threats.