RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector

2025-02-26, Palo Alto Networks (Unit 42)
https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/
#ContagiousInterview #Koi #RustDoor #macOS #AlluringPisces

Executive Summary
Malware targeting macOS systems is increasingly pervasive in our current threat landscape. Most of the associated threats are cybercrime-related, ranging from information stealers to cryptocurrency mining. Over the past year, we have witnessed an increase in cybercrime activity linked to North Korean nation-state APT groups.
In line with the public service announcement issued by the FBI regarding North Korean social engineering attacks, we have also witnessed several such social engineering attempts, targeting job-seeking software developers in the cryptocurrency sector.
In this campaign, we discovered a Rust-based macOS malware nicknamed RustDoor masquerading as a legitimate software update, as well as a previously undocumented macOS variant of a malware family known as Koi Stealer. During our investigation, we observed rare evasion techniques, namely, manipulating components of macOS to remain under the radar.
The characteristics of these attackers are similar to various reports during the past year of North Korean threat actors targeting other job …

IoC