This malware takes everything: from crypto to your Apple notes


An infectious job interview might leave you without a job and without your crypto, say researchers who have identified a new malware campaign targeting job seekers.

The malware targets macOS users, primarily developers looking for jobs in the tech industry. The newly identified campaign not only drains crypto wallets but also steals a range of sensitive data, from Apple Notes to Telegram files.

According to Unit42 researchers, a malware dubbed RustDoor and a previously undocumented variant of an info-stealing malware family known as Koi Stealer have been linked with a “moderate level of confidence” to advanced persistent threat (APT) groups backed by the North Korean state. “This campaign highlights the risks organizations worldwide face from elaborate social engineering attacks,” the researchers said.


“These risks are magnified when the perpetrator is a nation-state threat actor, compared to a purely financially motivated cybercriminal.”

What crypto wallets are targeted by the Koi Stealer malware?

  • Atomic
  • BitPay
  • Bitcoin
  • Blockstream
  • Coinomi
  • Daedalus
  • DashCore
  • DigiByte
  • Dogecoin
  • ElectronCash
  • Electrum
  • Ethereum
  • Exodus
  • Guarda
  • Jaxx
  • Ledger
  • Monero
  • MyMonero
  • Ravencoin

How does the malware infect your system?

The attack begins with the threat actors contacting victims by email or over a messaging platform. Impersonating recruiters, they ask the victims to install a software development tool, such as Visual Studio, and complete a trial task as part of the selection process.

While the victim works on the fake task within the downloaded software, the malware silently collects the machine’s Universally Unique Identifier (UUID) and information about the current user.

The user is then prompted to enter the root password. Because the malware masquerades as legitimate software, the prompt may not raise suspicion. If the victim enters the password, the malicious code is downloaded and executed on the device.

With the credentials in hand, the malware harvests multiple files of interest and sends them to a command-and-control (C2) server operated by the threat actors.


What sensitive data does the malware steal?

  • Browser files
  • Filezilla files
  • OpenVPN profile files
  • Steam user and configuration files
  • Cryptocurrency wallets
  • Discord users and configuration files
  • Telegram data files
  • zsh history
  • SSH configuration files
  • Keychain files
  • Apple Notes
  • Safari files
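
The infection chain and the list of targeted data above give a defender one useful behavioural signal: whatever a process calls itself, if within a minute or so it reads browser profiles, shell history, SSH keys, the Keychain, the Notes database and wallet directories, it is behaving like a stealer. The Python below is an added example, not code from Unit42 or from this article: it correlates file-access events by process and flags any process that touches three or more of those data categories inside a 60-second window. The event line format, the process names in the sample and the macOS paths used in the patterns are assumptions chosen for illustration, and the sample events are constructed, not real telemetry.

```python
"""Behavioural detection of stealer-style mass file access on macOS.

Added example (not Unit42's or the article's code). Correlates
file-access events per process and flags processes that read from
several distinct categories of sensitive data within a short window.
The event format, paths and sample events are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# Regexes for the usual macOS locations of each data category the
# article lists. Paths are assumptions; adjust to your fleet.
CATEGORIES = {
    "browser": r"Library/Application Support/(Google/Chrome|Firefox|BraveSoftware)/|Library/Safari/",
    "wallet": r"Library/Application Support/(Exodus|Electrum|atomic|Coinomi|Ledger Live|Guarda)/|\.electrum/|Monero/wallets/",
    "ssh": r"/\.ssh/",
    "shell_history": r"/\.zsh_history$|/\.bash_history$",
    "keychain": r"Library/Keychains/",
    "notes": r"Library/Group Containers/group\.com\.apple\.notes/",
    "telegram": r"Library/Application Support/Telegram Desktop/",
    "discord": r"Library/Application Support/discord/",
    "steam": r"Library/Application Support/Steam/",
    "filezilla": r"/\.config/filezilla/",
    "openvpn": r"\.ovpn$",
}
_COMPILED = {name: re.compile(rx) for name, rx in CATEGORIES.items()}


@dataclass(frozen=True)
class Event:
    ts: int        # epoch seconds
    pid: int
    process: str   # process name, no spaces (assumed event format)
    path: str      # file path, may contain spaces


def categorize(path: str):
    """Return the sensitive-data category of a path, or None."""
    for name, rx in _COMPILED.items():
        if rx.search(path):
            return name
    return None


def parse_event(line: str) -> Event:
    """Parse one constructed line: '<epoch> <pid> <process> open <path>'."""
    ts, pid, process, _op, path = line.split(maxsplit=4)
    return Event(int(ts), int(pid), process, path)


def detect(lines, min_categories=3, window_s=60):
    """Flag processes that touch >= min_categories distinct categories
    inside any window_s-second window. Returns {(pid, process): [cats]}
    listing every sensitive category the flagged process touched."""
    by_proc = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        cat = categorize(ev.path)
        if cat:
            by_proc[(ev.pid, ev.process)].append((ev.ts, cat))

    hits = {}
    for key, touches in by_proc.items():
        touches.sort()
        start = 0
        for end in range(len(touches)):
            # Slide the window start forward until it fits in window_s.
            while touches[end][0] - touches[start][0] > window_s:
                start += 1
            window_cats = {c for _, c in touches[start:end + 1]}
            if len(window_cats) >= min_categories:
                hits[key] = sorted({c for _, c in touches})
                break
    return hits


# Constructed sample telemetry: three benign single-category reads,
# then one process sweeping many categories in a few seconds.
SAMPLE_EVENTS = [
    "1700000000 501 Google_Chrome open /Users/dev/Library/Application Support/Google/Chrome/Default/Login Data",
    "1700000005 612 ssh open /Users/dev/.ssh/config",
    "1700000007 700 zsh open /Users/dev/.zsh_history",
    "1700000100 4242 task_runner open /Users/dev/Library/Application Support/Google/Chrome/Default/Cookies",
    "1700000101 4242 task_runner open /Users/dev/Library/Safari/Bookmarks.plist",
    "1700000102 4242 task_runner open /Users/dev/.zsh_history",
    "1700000103 4242 task_runner open /Users/dev/.ssh/id_ed25519",
    "1700000104 4242 task_runner open /Users/dev/Library/Keychains/login.keychain-db",
    "1700000105 4242 task_runner open /Users/dev/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite",
    "1700000106 4242 task_runner open /Users/dev/Library/Application Support/Exodus/exodus.wallet/seed.seco",
    "1700000107 4242 task_runner open /Users/dev/Library/Application Support/Telegram Desktop/tdata/key_datas",
    "1700000110 4242 task_runner open /Users/dev/Documents/notes.txt",
]

if __name__ == "__main__":
    for (pid, proc), cats in detect(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} process={proc} categories={cats}")
```

Backup agents and sync clients legitimately sweep many of these directories, so in production the same logic needs an allowlist of signed backup binaries and a longer window tuned to the fleet; the three-category threshold is the knob that trades false positives against catching a stealer that only goes after wallets and keys.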

In the documented attack, the Unit42 researchers observed that the attackers first tried to execute several variants of the RustDoor malware, which attempted to steal sensitive data, such as passwords, from the LastPass Google Chrome extension.

When the endpoint security platform blocked those attempts, the attackers switched to a previously undocumented macOS variant of Koi Stealer.

macOS Koi Stealer’s code responsible for stealing files with specific extensions. Source: Unit42

Threat actors preying on job seekers

Cybercrime activity linked to North Korean nation-state APT groups is on the rise. The methods of the newly discovered attack align with numerous reports from the past year of North Korean threat actors preying on job seekers.

Attackers reportedly impersonate headhunters to approach victims on freelancing and job-hunting platforms such as LinkedIn, Upwork, and Freelancer.com.

The cybercriminals then send links to a repository like GitHub, GitLab, or Bitbucket, instructing victims to build and execute projects to test them, thus delivering BeaverTail and InvisibleFerret malware.


According to ESET researchers, the malware is used both to steal cryptocurrency for financial gain and to conduct cyber espionage. Last year, the FBI warned US citizens about sophisticated social engineering attacks in which North Korean threat actors target job seekers with malware.