
Fraudulent job lures leveraged in new North Korean hacking attacks


North Korean threat actors have been using fake job lures to distribute malware in separate attack campaigns against the Web3 sector, reports The Hacker News.

Developers have been subjected to intrusions in which LinkedIn was used to deliver a ZIP file purporting to be a Python coding challenge but actually containing the novel COVERTCATCH malware, according to an analysis from Google Cloud's Mandiant. COVERTCATCH compromises macOS systems through a second-stage payload that uses Launch Daemons and Launch Agents to maintain persistence. Another social engineering attempt by North Korean hackers involved a PDF purporting to be a job description for a finance and operations vice president at a major cryptocurrency exchange, which enabled delivery of the RUSTBUCKET payload to exfiltrate system information and execute files. "Once a foothold is established via malware, the attackers pivot to password managers to steal credentials, perform internal reconnaissance via code repos and documentation, and pivot into the cloud hosting environment to reveal hot wallet keys and eventually drain funds," said Mandiant.
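Because the persistence mechanism described above (macOS Launch Daemons and Launch Agents) is shared by many intrusions, a practical defensive check is to triage the launchd property lists on a host for traits that legitimate vendor jobs rarely have. The script below is an added example written for this article, not code from Mandiant or from the COVERTCATCH analysis; the scoring weights, the cut-off, the lists of suspicious path prefixes and interpreters, and the two sample plists are all constructed assumptions, and the sample labels and paths are not real indicators from the campaign.

```python
"""Triage macOS launchd persistence items (LaunchAgents / LaunchDaemons).

Added example (not from the article or Mandiant): parses launchd plists with
plistlib and scores each for traits common to malicious persistence: payload
launched from temp or user-writable paths, an interpreter wrapper, hidden
directories, and RunAtLoad + KeepAlive.  Weights and threshold are assumptions.
"""
import plistlib
from pathlib import Path

# Locations a legitimate daemon rarely runs from (assumption; tune per fleet).
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/private/var/tmp/", "/var/folders/",
                     "/Users/Shared/", "/Library/Caches/")
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "osascript", "curl", "perl"}
THRESHOLD = 3  # assumed cut-off; raise it to trade recall for precision


def _candidates(plist):
    """Return the Program value (if any) followed by every ProgramArguments entry."""
    out = []
    if plist.get("Program"):
        out.append(plist["Program"])
    out.extend(plist.get("ProgramArguments") or [])
    return out


def score_launchd_item(plist):
    """Score one parsed launchd plist; returns label, score, verdict and reasons."""
    reasons = []  # (description, weight)
    candidates = _candidates(plist)
    if not candidates:
        reasons.append(("no Program/ProgramArguments specified", 1))
    for p in candidates:
        if p.startswith(WRITABLE_PREFIXES) or "/Downloads/" in p:
            reasons.append((f"runs from user-writable or temp path: {p}", 3))
        if any(part.startswith(".") for part in Path(p).parts if part not in (".", "..")):
            reasons.append((f"hidden path component in: {p}", 2))
    first = candidates[0] if candidates else ""
    if Path(first).name in INTERPRETERS:
        reasons.append((f"interpreter wrapper as program: {first}", 2))
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append(("RunAtLoad + KeepAlive (job restarts if killed)", 1))
    score = sum(w for _, w in reasons)
    return {"label": plist.get("Label", "<no label>"), "score": score,
            "suspicious": score >= THRESHOLD, "reasons": [r for r, _ in reasons]}


def triage_plist_bytes(data):
    """Parse raw plist bytes (XML or binary) and score them."""
    return score_launchd_item(plistlib.loads(data))


def scan_launchd_dirs(dirs=("/Library/LaunchDaemons", "/Library/LaunchAgents",
                            str(Path.home() / "Library/LaunchAgents"))):
    """Walk the usual launchd directories on a live host and triage every plist."""
    findings = []
    for d in dirs:
        for f in Path(d).glob("*.plist"):
            try:
                findings.append({"file": str(f), **triage_plist_bytes(f.read_bytes())})
            except Exception as exc:  # unreadable or malformed plist is itself worth noting
                findings.append({"file": str(f), "error": str(exc)})
    return findings


# Constructed samples for offline testing; not real indicators from any campaign.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.vendor-updater",
    "ProgramArguments": ["/Applications/VendorApp.app/Contents/MacOS/updater", "--check"],
    "RunAtLoad": True,
    "StartInterval": 3600,
})
SUSPECT_PLIST = plistlib.dumps({
    "Label": "com.apple.softwareupdate.helper",  # constructed: imitates an Apple-style label
    "ProgramArguments": ["/bin/bash", "-c", "/Users/Shared/.cache/sync.sh"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    for sample in (BENIGN_PLIST, SUSPECT_PLIST):
        print(triage_plist_bytes(sample))
    for finding in scan_launchd_dirs():  # live scan; empty on non-macOS hosts
        if finding.get("suspicious") or "error" in finding:
            print(finding)
```

Run it with no arguments to score the two embedded samples and then walk the host's launchd directories; on a macOS endpoint the live scan is where the value is, and each flagged item should be confirmed by reading the plist and inspecting the program it points at rather than trusted on score alone.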
