North Korean Threat Actors Utilize COVERTCATCH Malware through LinkedIn Job Scams

North Korea Hackers Target Developers on LinkedIn for Malware Campaigns: Report

In a recent report, cybersecurity experts have uncovered a disturbing trend of North Korean threat actors using LinkedIn to target developers in a fake job recruiting scheme. The attackers, identified as part of North Korean hacking groups, are employing sophisticated tactics to infect their targets with malware.

Coding tests are a common initial infection vector in these attacks. After engaging the victim in conversation, the attacker sends a ZIP file disguised as a Python coding challenge. Inside the file is the COVERTCATCH malware, which serves as a launchpad to compromise the target’s macOS system by downloading a second-stage payload.

This isn’t the first time North Korean hackers have used job-related decoys to deliver malware. The report highlights several other activity clusters, such as Operation Dream Job and Contagious Interview, that have been used to infect targets. Recruiting-themed lures have also been employed to distribute malware families like RustBucket and KANDYKORN.

The report also mentions a social engineering campaign where a malicious PDF, disguised as a job description for a cryptocurrency exchange, dropped the RustBucket malware. This backdoor implant is designed to harvest system information and communicate with a remote server controlled by the attackers.

As cybersecurity experts continue to monitor these activities, the FBI has issued a warning about North Korean threat actors targeting the cryptocurrency industry using highly tailored social engineering campaigns. These ongoing efforts are believed to be part of a larger scheme to generate illicit income for North Korea, which has been the subject of international sanctions.
