North Korean Hackers Using Fake LinkedIn Job Offers
North Korean threat actors have been using LinkedIn to target developers through fake job recruiting schemes, as reported today by Hacker News. The attackers use coding tests as the initial infection vector, as highlighted in a report by Google-owned Mandiant.
North Korean recruiting-themed schemes have been widely used to deliver malware, including fake video conferencing apps, targeting job seekers on platforms such as LinkedIn and Upwork. After making initial contact, hackers guide victims to download malicious software via messaging apps like Telegram.
Mandiant’s researchers explained that recent crypto exchange heists are connected to a broader pattern of social engineering. In these schemes, developers are contacted under the pretense of job offers.
They describe the case of an engineer who was sent a ZIP file containing malware disguised as a Python coding challenge; it compromised the user’s macOS system with secondary malware that persisted through macOS launch agents, further endangering the system.
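The lure in that case was an archive that looked like a coding exercise. A defender-side pre-check can list what an archive actually contains before anyone extracts it. The following is an added example, not code from the article or from Mandiant's report; it inspects a ZIP in memory and flags members that do not belong in a plain Python exercise (native Mach-O binaries, names that escape the extraction directory, hidden files, executable bits). The sample archive and every file name in it are constructed for the demonstration.

```python
"""Pre-flight check of a 'coding challenge' archive before it is opened.

Added example, not from the article or Mandiant's report. The archive is
built in memory and all member names are hypothetical.
"""
import io
import stat
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List

# Mach-O magic numbers (32/64-bit, both byte orders) plus the fat-binary
# header 0xcafebabe (which Java class files also use, so treat it as a hint).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}


def inspect_archive(blob: bytes) -> Dict[str, List[str]]:
    """Return {member_name: [reasons]} for every member that looks out of place."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            reasons: List[str] = []
            path = PurePosixPath(info.filename)
            if path.is_absolute() or ".." in path.parts:
                reasons.append("path escapes the extraction directory")
            if any(part.startswith(".") for part in path.parts if part not in (".", "..")):
                reasons.append("hidden file or directory")
            # Unix permission bits are stored in the high 16 bits of external_attr.
            mode = info.external_attr >> 16
            if not info.is_dir() and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                reasons.append("executable permission bit set")
            if not info.is_dir():
                with zf.open(info) as fh:      # read the header only, never extract
                    head = fh.read(4)
                if head in MACHO_MAGICS:
                    reasons.append("Mach-O (native macOS binary) header")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Construct a lure-style archive: a real-looking exercise plus planted extras."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("challenge/README.md", "# Coding challenge\nImplement solve() in main.py\n")
        zf.writestr("challenge/main.py", "def solve(xs):\n    return sorted(xs)\n")
        # Hidden, executable helper whose first bytes are a 64-bit Mach-O magic (fake body).
        info = zipfile.ZipInfo("challenge/.cache/helper")
        info.external_attr = (stat.S_IFREG | 0o755) << 16
        zf.writestr(info, b"\xcf\xfa\xed\xfe" + b"\x00" * 60)
        # Member whose name would land outside the extraction directory.
        zf.writestr("../.zshrc", "echo planted\n")
    return buf.getvalue()


def demo() -> Dict[str, List[str]]:
    """Inspect the constructed archive and return its findings."""
    return inspect_archive(build_sample_archive())


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run it against a real archive with `inspect_archive(Path("challenge.zip").read_bytes())`; an empty result means nothing obvious was planted, not that the code inside is safe to run outside a throwaway virtual machine.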
These tactics aren’t limited to developers. Finance professionals have also been targeted. In another incident, Mandiant observed a malicious PDF sent as part of a fake job offer for a senior position at a cryptocurrency exchange.
The PDF installed RUSTBUCKET, a backdoor malware that collects system data and runs files. It stayed active by posing as a “Safari Update” and connected to a command-and-control server.
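Both the macOS incidents above relied on launch agents for persistence, one of them posing as a "Safari Update". A quick triage of the plists in a user's LaunchAgents folder catches the common shape of that trick: an Apple-sounding label whose program actually lives in a user-writable or hidden location. The following is an added example, not code from the article or Mandiant's report; the two sample agents, their labels and their paths are constructed and hypothetical.

```python
"""Triage macOS LaunchAgent plists for impersonation-style persistence.

Added example, not from the article or Mandiant's report. The sample
agents, labels and paths below are constructed for the demonstration.
"""
import plistlib
from pathlib import Path
from typing import Any, Dict, List

# Where Apple-shipped executables legitimately live.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
# Words a lure label tends to borrow from Apple branding.
APPLE_BRAND_WORDS = ("apple", "safari", "update", "icloud", "xprotect")
# Locations the logged-in user (and so any malware running as that user) can write to.
USER_WRITABLE_HINTS = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")


def program_path(plist: Dict[str, Any]) -> str:
    """Return the executable an agent runs: 'Program' wins over ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def triage_plist(data: bytes) -> Dict[str, Any]:
    """Parse one plist and list the reasons it deserves a closer look."""
    plist = plistlib.loads(data)
    label = str(plist.get("Label", ""))
    program = program_path(plist)
    reasons: List[str] = []

    looks_apple = any(word in label.lower() for word in APPLE_BRAND_WORDS)
    if looks_apple and not program.startswith(TRUSTED_PREFIXES):
        reasons.append("Apple-themed label but program outside system paths")
    if program.startswith(USER_WRITABLE_HINTS):
        reasons.append("program lives in a user-writable location")
    if any(part.startswith(".") for part in Path(program).parts[1:]):
        reasons.append("program path contains a hidden directory or file")
    if not program:
        reasons.append("no Program/ProgramArguments (malformed agent)")
    return {
        "label": label,
        "program": program,
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        "reasons": reasons,
    }


def scan_launch_agents(directory: Path) -> List[Dict[str, Any]]:
    """Triage every .plist in a LaunchAgents folder, e.g. ~/Library/LaunchAgents."""
    findings = []
    for plist_file in sorted(directory.glob("*.plist")):
        try:
            result = triage_plist(plist_file.read_bytes())
        except Exception as exc:  # an unparsable plist in this folder is itself notable
            result = {"label": plist_file.name, "program": "", "run_at_load": False,
                      "reasons": [f"could not parse: {exc}"]}
        result["file"] = str(plist_file)
        findings.append(result)
    return findings


# Constructed samples standing in for files under ~/Library/LaunchAgents.
SAMPLE_AGENTS = [
    {   # hypothetical lure mimicking an Apple updater
        "Label": "com.apple.safari.update",
        "ProgramArguments": ["/Users/dev/Library/.safari_update/updater", "--quiet"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
    {   # ordinary third-party agent for comparison
        "Label": "com.example.devtool",
        "Program": "/Applications/DevTool.app/Contents/MacOS/devtool",
        "RunAtLoad": True,
    },
]


def demo() -> Dict[str, List[str]]:
    """Triage the constructed samples; returns {label: reasons}."""
    return {p["Label"]: triage_plist(plistlib.dumps(p))["reasons"] for p in SAMPLE_AGENTS}


if __name__ == "__main__":
    for label, reasons in demo().items():
        print(f"{label}: {'; '.join(reasons) if reasons else 'nothing notable'}")
```

On a live system, `scan_launch_agents(Path.home() / "Library/LaunchAgents")` covers the per-user folder; the same function works on `/Library/LaunchAgents` and `/Library/LaunchDaemons`, where an Apple-branded label pointing into a home directory is equally out of place.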
According to the FBI, these types of cyberattacks are carefully planned. Hackers use personal information and build rapport with victims to make their schemes more convincing. Once contact is established, attackers may spend significant time engaging with their targets to foster trust.
To mitigate these risks, the FBI suggests verifying contact identities through different platforms, avoiding storing cryptocurrency wallet information on internet-connected devices, and using virtual machines for any pre-employment tests. They also recommend blocking unauthorized downloads and limiting access to sensitive information.
If you suspect your company has been targeted, the FBI advises disconnecting the affected devices from the internet and filing a detailed complaint with the FBI’s Internet Crime Complaint Center.