
North Korea Uses Fraudulent Job Lures to Launch Attacks


North Korean threat actors have been using fake job lures to facilitate malware distribution in separate attack campaigns against the Web3 sector, The Hacker News reports.

Developers have been subjected to intrusions that exploited LinkedIn to deliver a ZIP file purporting to be a Python coding challenge but actually containing the novel COVERTCATCH malware, according to an analysis from Google Cloud's Mandiant.

COVERTCATCH achieves macOS system compromise through a second-stage payload that uses Launch Daemons and Launch Agents to ensure persistence. Another social engineering campaign by North Korean hackers involved a PDF purporting to be a job description for a finance and operations vice president at a major cryptocurrency exchange, which enabled the distribution of the RUSTBUCKET payload to exfiltrate system information and execute files.
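A defender-side triage check for the launchd persistence described above, added here as an example and not taken from Mandiant's report or the article: it parses a LaunchAgent or LaunchDaemon plist and flags traits that implants dropped this way commonly share (program in a user-writable path, auto-start plus auto-restart, an Apple-looking label pointing at a non-system binary). The sample plists and the prefix list are constructed for the example.

```python
import plistlib
from typing import List, Optional

# Program locations writable by an unprivileged user, where a dropped
# second-stage payload would typically live. Constructed heuristic list.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/",
                       "/Library/Application Support/")

def program_path(job: dict) -> Optional[str]:
    """Return the executable a launchd job would run, if any."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args:
        return args[0]
    return None

def triage_job(plist_bytes: bytes) -> List[str]:
    """Parse one launchd plist; return reasons it looks like persistence."""
    job = plistlib.loads(plist_bytes)
    reasons = []
    prog = program_path(job)
    if prog is None:
        return ["no Program/ProgramArguments"]
    if prog.startswith(SUSPICIOUS_PREFIXES):
        reasons.append(f"program in user-writable path: {prog}")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (auto-start and auto-restart)")
    label = job.get("Label", "")
    if label.startswith("com.apple.") and not prog.startswith(("/System/", "/usr/")):
        reasons.append(f"Apple-looking label {label!r} runs non-system binary")
    return reasons

# Constructed sample mimicking an implant dropped into ~/Library/LaunchAgents.
SAMPLE_IMPLANT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.updateagent</string>
  <key>ProgramArguments</key><array><string>/Users/dev/Library/.cache/agent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""
# Constructed benign sample: a vendor daemon installed under /usr/local.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>Program</key><string>/usr/local/bin/backupd</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
```

Run `triage_job` over each plist found under the system and per-user LaunchAgents and LaunchDaemons directories to surface candidates for manual review; an empty list means nothing was flagged.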

"Once a foothold is established via malware, the attackers pivot to password managers to steal credentials, perform internal reconnaissance via code repos and documentation, and pivot into the cloud hosting environment to reveal hot wallet keys and eventually drain funds," said Mandiant.