Full Report
Koi Stealer and RustDoor malware were used in a campaign linked to North Korea. This activity targeted crypto wallet owners. The post RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector appeared first on Unit 42.
Analysis Summary
# Threat Actor: North Korea-Linked Threat Actor (Associated with APT activity)
## Attribution & Identity
**Identification:** Threat Actor linked to North Korean nation-state APT groups.
**Aliases/Associations:** Characteristics are similar to various reports of North Korean threat actors targeting job seekers over the past year. Attributed with moderate confidence to the North Korean regime.
## Activity Summary
The threat actor conducted a cybercrime campaign targeting job-seeking software developers within the cryptocurrency sector. This campaign utilized social engineering attempts, similar to those warned about by the FBI, to trick victims into downloading malware disguised as legitimate software updates. The campaign resulted in the deployment of two distinct malware variants: RustDoor and a macOS variant of Koi Stealer.
## Tactics, Techniques & Procedures
- Social engineering targeting job seekers.
- Delivery of malware masquerading as legitimate software updates.
- Use of a newly discovered Rust-based macOS malware (RustDoor).
- Deployment of a previously undocumented macOS variant of Koi Stealer.
- Employment of rare evasion techniques, specifically manipulating components of macOS to remain under the radar.
## Targeting
- **Sectors:** Cryptocurrency sector, specifically targeting software developers looking for jobs.
- **Geography:** Victim geography is not specified; the actor itself is North Korea-linked.
- **Victims:** Job-seeking software developers.
## Tools & Infrastructure
- **Malware families used:**
- RustDoor (Rust-based macOS malware)
- Koi Stealer (previously undocumented macOS variant)
- **Infrastructure:** Not detailed in the source (no C2 domains, IPs or URLs were provided).
## Implications
The activity highlights an increasing trend of North Korean state-sponsored actors engaging in financially motivated cybercrime (cryptocurrency theft) by focusing on high-value technical talent in lucrative sectors such as cryptocurrency. The use of Rust-based malware for macOS indicates technical maturation in targeting non-Windows platforms.
## Mitigations
- Enhanced vigilance regarding software updates, especially updates offered during recruitment conversations or through other unsolicited social-engineering channels rather than through the vendor's own update mechanism.
- Deploying and utilizing advanced endpoint security solutions capable of detecting novel malware on macOS environments (e.g., Cortex XDR/XSIAM).
- Implementing Advanced DNS Security and Advanced URL Filtering to prevent connections to malicious infrastructure.
- Security teams should be aware of social engineering tactics targeting employees or potential hires on job platforms.
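One way to turn the "malware disguised as a software update" TTP and the software-update mitigation above into a concrete triage check is to look for update-named binaries that do not look like a vendor's own updater: they run from a user-writable location and are unsigned, ad-hoc signed, or Developer ID signed but not notarized. The following is an added example, not code from the Unit 42 report. The JSON-lines event format (fields `exe`, `parent`, `signer`, `notarized`) is an assumption made for the example rather than a real EDR schema, and the sample events and paths are constructed, not indicators from the campaign.

```python
"""Triage rule for macOS process telemetry: flag "update"/"installer" binaries that
a genuine vendor updater would not resemble. Added example; sample data is constructed."""
from __future__ import annotations

import json
import os
import re
from typing import Iterable

# Constructed JSON-lines process-execution events. The field names are an assumption
# for this example (not a real EDR schema) and none of the paths are campaign IOCs.
SAMPLE_EVENTS = """\
{"host":"dev-mbp","user":"alice","exe":"/usr/sbin/softwareupdate","parent":"/bin/zsh","signer":"apple","notarized":false}
{"host":"dev-mbp","user":"alice","exe":"/Applications/Visual Studio Code.app/Contents/MacOS/Electron","parent":"/sbin/launchd","signer":"developer_id","notarized":true}
{"host":"dev-mbp","user":"alice","exe":"/Users/alice/Downloads/Slack Installer.app/Contents/MacOS/Slack Installer","parent":"/usr/bin/open","signer":"developer_id","notarized":true}
{"host":"dev-mbp","user":"alice","exe":"/Users/alice/Downloads/ChromeUpdate.app/Contents/MacOS/ChromeUpdate","parent":"/usr/bin/open","signer":"unsigned","notarized":false}
{"host":"dev-mbp","user":"alice","exe":"/private/var/folders/x1/T/VSCodeUpdate","parent":"/bin/zsh","signer":"adhoc","notarized":false}
{"host":"dev-mbp","user":"alice","exe":"/Users/alice/Downloads/NodeSetup.app/Contents/MacOS/NodeSetup","parent":"/usr/bin/open","signer":"developer_id","notarized":false}
"""

# Names a lure would use to pass as a routine update or installer.
UPDATE_NAME = re.compile(r"update|upgrade|installer|setup|patch", re.IGNORECASE)

# Locations an unprivileged user (or a mounted disk image) can write to. A vendor's own
# updater normally runs from /Applications, /System or /usr, not from here.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/private/var/folders/", "/Volumes/")

# Signers Gatekeeper treats as trustworthy; "adhoc" and "unsigned" are not.
TRUSTED_SIGNERS = {"apple", "developer_id"}


def assess(event: dict) -> tuple[str, list[str]]:
    """Return (severity, reasons) for one event. Severity is "high", "medium" or "none".

    Only update-named binaries are in scope. A signed and notarized installer in
    ~/Downloads is routine and produces no finding; an unsigned or ad-hoc signed one
    running from a user-writable path is the strongest signal.
    """
    exe = event["exe"]
    if not UPDATE_NAME.search(os.path.basename(exe)):
        return "none", []

    signer = event.get("signer", "unsigned")
    notarized = bool(event.get("notarized"))
    from_user_path = exe.startswith(USER_WRITABLE_PREFIXES)

    trust_problem = None
    if signer not in TRUSTED_SIGNERS:
        trust_problem = f"code signature is '{signer}'"
    elif signer == "developer_id" and not notarized:
        trust_problem = "Developer ID signed but not notarized"
    if trust_problem is None:
        return "none", []

    reasons = [trust_problem]
    if from_user_path:
        reasons.append("executing from a user-writable path")
        severity = "high" if signer not in TRUSTED_SIGNERS else "medium"
    else:
        severity = "medium"  # untrusted updater in a system path: odd, but could be a local dev build
    return severity, reasons


def triage(lines: Iterable[str]) -> list[dict]:
    """Run assess() over JSON-lines events and return findings, worst first."""
    rank = {"high": 0, "medium": 1}
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        severity, reasons = assess(event)
        if severity != "none":
            findings.append({"host": event["host"], "user": event["user"], "exe": event["exe"],
                             "parent": event.get("parent"), "severity": severity, "reasons": reasons})
    findings.sort(key=lambda f: rank[f["severity"]])  # stable sort keeps input order within a tier
    return findings


def demo() -> list[dict]:
    """Findings for the constructed sample: two high, one medium."""
    return triage(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['severity'].upper()}] {f['exe']} ({f['user']}@{f['host']}): {'; '.join(f['reasons'])}")
```

On a real host the `signer` and `notarized` values come from the endpoint agent or from `codesign --verify --deep --strict` and `spctl --assess --type execute` run against the binary; the rule is deliberately generic (location plus signing status) rather than keyed to any file name from this campaign, so it keeps working when the lure is renamed.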