North Korean Hackers Exploit LinkedIn Job Offers to Spread Malware

North Korean cybercriminals have been using LinkedIn to target developers through fake job recruitment schemes, according to a recent report. These attackers leverage LinkedIn’s job posting platform to lure victims, often developers in the Web3 sector, into a false sense of security by pretending to offer coding challenges as part of a job application process.

In one of these schemes, attackers initiate a chat conversation and eventually send a ZIP file that contains a malicious program called COVERTCATCH. Disguised as a Python coding challenge, this malware is designed to compromise the target’s macOS system by downloading a secondary payload that establishes persistence through Launch Agents and Launch Daemons.

This campaign is one of several North Korean cyber operations, including “Operation Dream Job” and “Contagious Interview,” that employ job-related baits to deliver malware. These tactics have also been used to distribute other malicious software, such as RustBucket and KANDYKORN. However, it remains unclear whether COVERTCATCH is linked to these malware strains or the newly identified TodoSwift.

The report also highlights a separate social engineering attack involving a malicious PDF that masqueraded as a job description for a “VP of Finance and Operations” at a well-known cryptocurrency exchange. The PDF delivered a second-stage malware, RustBucket, a backdoor written in Rust that can execute files, collect system data, and establish persistence by disguising itself as a “Safari Update.”
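Both infection chains described above end in macOS persistence: COVERTCATCH's second stage installs Launch Agents and Launch Daemons, and RustBucket hides behind a "Safari Update" name. The following is an added defensive example, not code from the report or from either malware family: it parses launchd property lists and flags jobs whose executable lives in a temporary, shared, or hidden directory, whose label imitates Apple software without the `com.apple.` prefix, or that combine `RunAtLoad` and `KeepAlive` for a non-system binary. The heuristics, the sample plists, and the `/Users/Shared/.cache/Safari Update` path are constructed for illustration and are not indicators from the report.

```python
"""Audit launchd property lists for persistence indicators.

Added example (not from the report): heuristics for LaunchAgents and
LaunchDaemons that resemble the persistence described for COVERTCATCH
and the "Safari Update" disguise used by RustBucket. Sample plists below
are constructed for demonstration and are not real-world indicators.
"""
import plistlib
from pathlib import Path
from typing import Iterable

# Directories launchd consults for persistence (real macOS paths).
LAUNCHD_DIRS = [
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
    Path.home() / "Library/LaunchAgents",
]

# Heuristic constants; these are assumptions for this example.
SUSPICIOUS_PATH_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/Shared/")
TRUSTED_PATH_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/Applications/")
IMPERSONATED_LABEL_WORDS = ("safari", "apple", "update")


def program_of(plist: dict) -> str:
    """Return the executable a launchd job runs (Program or ProgramArguments[0])."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def assess(plist: dict) -> list[str]:
    """Return the reasons a job looks like attacker persistence; empty means clean."""
    reasons: list[str] = []
    label = str(plist.get("Label", "")).lower()
    program = program_of(plist)
    if program.startswith(SUSPICIOUS_PATH_PREFIXES):
        reasons.append(f"program in temporary/shared dir: {program}")
    elif "/." in program:
        reasons.append(f"program under hidden directory: {program}")
    if label and not label.startswith("com.apple.") and any(
        word in label for word in IMPERSONATED_LABEL_WORDS
    ):
        reasons.append(f"label imitates Apple software: {plist.get('Label')}")
    if (plist.get("RunAtLoad") and plist.get("KeepAlive")
            and not program.startswith(TRUSTED_PATH_PREFIXES)):
        reasons.append("RunAtLoad+KeepAlive for non-system binary")
    return reasons


def scan_directories(dirs: Iterable[Path] = LAUNCHD_DIRS) -> dict[str, list[str]]:
    """Walk the launchd directories on this host and report jobs that trip a heuristic."""
    findings: dict[str, list[str]] = {}
    for directory in dirs:
        if not directory.is_dir():
            continue
        for path in sorted(directory.glob("*.plist")):
            try:
                plist = plistlib.loads(path.read_bytes())  # handles XML and binary plists
            except (plistlib.InvalidFileException, OSError, ValueError):
                findings[str(path)] = ["unparseable plist (manual review)"]
                continue
            reasons = assess(plist)
            if reasons:
                findings[str(path)] = reasons
    return findings


# Constructed sample plists: one benign job, one imitating "Safari Update",
# one launched from a hidden directory in a user's home.
_HEADER = (b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n')
_FOOTER = b"</dict></plist>\n"
SAMPLE_PLISTS = {
    "com.example.backup.plist": _HEADER
    + b"<key>Label</key><string>com.example.backup</string>\n"
    + b"<key>ProgramArguments</key><array><string>/Applications/Backup.app/Contents/MacOS/backup</string>"
    + b"<string>--daily</string></array>\n<key>RunAtLoad</key><true/>\n" + _FOOTER,
    "com.safari.update.plist": _HEADER
    + b"<key>Label</key><string>com.safari.update</string>\n"
    + b"<key>ProgramArguments</key><array><string>/Users/Shared/.cache/Safari Update</string></array>\n"
    + b"<key>RunAtLoad</key><true/>\n<key>KeepAlive</key><true/>\n" + _FOOTER,
    "com.dev.challenge.plist": _HEADER
    + b"<key>Label</key><string>com.dev.challenge</string>\n"
    + b"<key>Program</key><string>/Users/dev/.config/challenge/runner</string>\n"
    + b"<key>RunAtLoad</key><true/>\n" + _FOOTER,
}


def audit_samples() -> dict[str, list[str]]:
    """Run the heuristics over the constructed samples (offline demonstration)."""
    return {name: assess(plistlib.loads(data)) for name, data in SAMPLE_PLISTS.items()}


if __name__ == "__main__":
    for name, reasons in audit_samples().items():
        print(f"{name}: {reasons or 'clean'}")
    for path, reasons in scan_directories().items():
        print(f"{path}: {reasons}")
```

Run it as a normal user to review the per-user Launch Agents; the system directories need read access only, so no elevation is required to scan them. Treat a hit as a prompt for review, not a verdict: legitimate third-party software also uses `RunAtLoad` and `KeepAlive`, so the value of the check is in surfacing jobs installed shortly after an unsolicited "coding challenge" was opened.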

North Korean cyber actors have also expanded their focus to include software supply chain attacks, targeting companies like 3CX and JumpCloud. After gaining a foothold with their malware, these attackers often move on to steal credentials from password managers, explore internal code repositories and documentation, and infiltrate cloud-hosted environments to access cryptocurrency wallet keys and steal funds.

The U.S. Federal Bureau of Investigation (FBI) has issued warnings about these North Korean threat actors targeting the cryptocurrency industry through sophisticated and hard-to-detect social engineering methods.

These campaigns often involve impersonating recruiters or other trusted figures, offering employment or investment opportunities to unsuspecting victims. The ultimate aim is to carry out substantial cryptocurrency thefts to fund the North Korean regime, which faces international sanctions.

Notably, these attackers meticulously research their targets, such as businesses in the cryptocurrency sector, to tailor their approach. They craft highly personalized scenarios, referencing specific personal information, interests, and affiliations to build trust and rapport.

In many cases, an initial contact will be maintained over an extended period to establish legitimacy and foster a sense of familiarity with the victim.

To prevent falling victim to these kinds of cyberattacks, it’s essential to maintain vigilance when engaging with job offers online. Verify the legitimacy of recruiters and job postings through official channels, avoid downloading files from unknown sources, and utilize robust cybersecurity measures such as updated antivirus software and multi-factor authentication.