COVERTCATCH Malware
North Korean threat actors have been found exploiting LinkedIn to target developers through fake job recruitment schemes. A key tactic involves using coding tests as the initial infection vector. After engaging the target in a chat, the attacker sends a ZIP file disguised as a Python coding challenge that actually contains the COVERTCATCH malware. Once executed, the malware compromises the target's macOS system and downloads a second-stage payload that establishes persistence using Launch Agents and Launch Daemons.
North Korea Remains Major Cybercrime Player
However, this is just one example among various clusters of activity—such as Operation Dream Job and Contagious Interview—carried out by North Korean hacking groups using job-related lures to spread malware.
Recruitment-themed tactics have also been commonly used to deploy malware families like RustBucket and KANDYKORN. At this time, it's unclear if COVERTCATCH is related to these or the newly discovered TodoSwift.
Researchers have identified a social engineering campaign in which a malicious PDF was disguised as a job description for a 'VP of Finance and Operations' at a major cryptocurrency exchange. This PDF dropped a second-stage malware called RustBucket, a Rust-based backdoor that supports file execution.
The RustBucket implant can collect basic system information, communicate with a specified URL, and establish persistence through a Launch Agent that masquerades as a 'Safari Update,' enabling it to contact a hard-coded Command-and-Control (C2) domain.
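Both COVERTCATCH and RustBucket persist through launchd, so a defender's first triage step is to inspect the LaunchAgent and LaunchDaemon plists for the traits described above: a label that imitates an Apple updater but is not under `com.apple.*`, a program running from a user-writable location, and RunAtLoad plus KeepAlive so the job relaunches on login and if killed. The script below is an added example, not code from the article or from any of the research teams it cites; the two sample plists are constructed for the demo, the heuristics and thresholds are my own assumptions, and the `scan_launch_dirs` helper reads only the standard launchd directories.

```python
"""Triage macOS launchd plists for the persistence traits described above.

Added example, not from the original article. The indicators are heuristic
assumptions modelled on the reported 'Safari Update' Launch Agent.
"""
import glob
import os
import plistlib
import re
from dataclasses import dataclass, field

# Standard directories launchd loads persistence jobs from.
LAUNCH_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons", "~/Library/LaunchAgents"]

# Apple's own jobs use reverse-DNS labels under com.apple.*; a free-text or
# third-party label that borrows Apple branding is worth a second look.
LOOKALIKE_LABEL = re.compile(r"(safari|apple|macos|icloud|xprotect)", re.I)

# Locations a genuine system updater would not execute from (assumption).
SUSPICIOUS_PATH = re.compile(
    r"^(/tmp/|/var/tmp/|/private/tmp/|/Users/[^/]+/(Library|Public|\.)|/Users/Shared/)"
)


@dataclass
class Finding:
    label: str
    program: str
    reasons: list = field(default_factory=list)
    path: str = ""


def program_of(job: dict) -> str:
    """Return the executable launchd would start for this job."""
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else str(job.get("Program", ""))


def assess_job(job: dict) -> Finding:
    """Apply the heuristics to one parsed plist dictionary."""
    label = str(job.get("Label", ""))
    program = program_of(job)
    f = Finding(label, program)
    if LOOKALIKE_LABEL.search(label) and not label.startswith("com.apple."):
        f.reasons.append("label imitates an Apple component but is not com.apple.*")
    if SUSPICIOUS_PATH.match(program):
        f.reasons.append("program runs from a temporary or user-writable location")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        f.reasons.append("RunAtLoad+KeepAlive: starts at login and relaunches if killed")
    args = [str(a) for a in job.get("ProgramArguments") or []]
    if program.endswith(("sh", "python3", "osascript")) and any(a in ("-c", "-e") for a in args):
        f.reasons.append("interpreter launched with an inline script")
    return f


def assess_plist_bytes(data: bytes) -> Finding:
    """Parse XML or binary plist bytes and assess the job they describe."""
    return assess_job(plistlib.loads(data))


def scan_launch_dirs(dirs=LAUNCH_DIRS) -> list:
    """Walk the launchd directories and return only jobs with indicators."""
    findings = []
    for d in dirs:
        for path in glob.glob(os.path.join(os.path.expanduser(d), "*.plist")):
            try:
                with open(path, "rb") as fh:
                    f = assess_plist_bytes(fh.read())
            except (OSError, plistlib.InvalidFileException, ValueError):
                continue  # unreadable or malformed plist: skip, do not crash the sweep
            if f.reasons:
                f.path = path
                findings.append(f)
    return findings


# Constructed samples: a benign scheduled job and a lookalike updater agent.
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.example.nightlybackup",
    "ProgramArguments": ["/usr/local/bin/backup", "--daily"],
    "StartInterval": 86400,
})
SAMPLE_SUSPICIOUS = plistlib.dumps({
    "Label": "com.safari.update",
    "ProgramArguments": ["/Users/dev/Library/Application Support/.update/safari_update"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    for sample in (SAMPLE_BENIGN, SAMPLE_SUSPICIOUS):
        f = assess_plist_bytes(sample)
        print(f"{f.label}: {f.reasons or 'no indicators'}")
    for f in scan_launch_dirs():
        print(f"{f.path} [{f.label}] {f.reasons}")
```

The lookalike-label check will flag some legitimate third-party jobs, so treat a single reason as a prompt to look at the program on disk (code signature, creation time, parent installer) rather than as a verdict; two or more reasons on one job, especially the user-writable path, is the combination the reported Launch Agent would trip.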
North Korean Hacker Groups Continue to Evolve
North Korea's focus on Web3 organizations extends beyond social engineering to include software supply chain attacks, as demonstrated by recent incidents involving 3CX and JumpCloud. Once attackers establish access through malware, they move to password managers to collect credentials, conduct internal reconnaissance through code repositories and documentation, and infiltrate cloud hosting environments to uncover hot wallet keys and ultimately drain funds.
This revelation comes in conjunction with a warning issued by the U.S. Federal Bureau of Investigation (FBI) about North Korean threat actors targeting the cryptocurrency industry with highly specialized and hard-to-detect social engineering campaigns.
These ongoing efforts often involve impersonating recruiting firms or familiar individuals, offering employment or investment opportunities. Such tactics serve as a gateway for audacious crypto heists intended to generate illicit income for North Korea, which remains under international sanctions.
Threat Actors Use Personalized Tactics to Infect Targets
Key tactics used by these actors include:
- Targeting cryptocurrency-related businesses.
- Conducting thorough pre-operational research on their victims before making contact.
- Creating highly personalized fake scenarios to increase the likelihood of success.
They may reference personal details, such as interests, affiliations, events, relationships, or professional connections that the victim might think are known to only a few. This approach is designed to build rapport and ultimately deliver malware.
If they succeed in establishing communication, the initial actor or another team member may invest significant time interacting with the victim to enhance the appearance of legitimacy and foster a sense of familiarity and trust.