RustDoor targets crypto firms w/ fake jobs

Feb 19 2024


Welcome to Gone Phishing, your daily cybersecurity newsletter that wonders whether banning phones at school in the UK will be the source of many a hacking villain origin story.

Today’s hottest cybersecurity news stories:

  • Mac users beware! RustDoor targets crypto firms w/ fake jobs

  • Amazon Web Services struck by bulk smishing attacks via SNS

  • FBI most wanted hacker behind Zeus, IcedID malware pleads guilty ⚖️

Hackers: Don’t call us. We’ll call you.


Cryptocurrency Sector Targeted by RustDoor macOS Malware

A wave of cyber threats has hit multiple companies in the cryptocurrency industry, with a newly discovered macOS backdoor named RustDoor at the centre of the storm.

Unveiled by Bitdefender, RustDoor is a Rust-based backdoor capable of stealing and uploading files, along with harvesting machine information. It cunningly disguises itself as a Visual Studio update to infiltrate systems.

The attack unfolds with first-stage downloaders masquerading as job offer PDFs. Once opened, these scripts fetch and execute the malware while presenting a decoy PDF to mask their malicious activity.

Bitdefender’s investigation uncovered additional layers of the attack chain, revealing ZIP archives housing shell scripts responsible for fetching RustDoor from a designated website. Meanwhile, Golang-based binaries communicate with a command-and-control domain, exfiltrating detailed system information and victim data.

Interestingly, the attack targets senior engineering staff, with victims predominantly located in Hong Kong and Lagos, Nigeria. This strategic focus suggests a well-thought-out campaign aimed at high-value targets.

The rise of such sophisticated threats coincides with revelations from South Korea’s National Intelligence Service, implicating a North Korean-affiliated IT organisation in a malware-as-a-service operation.

This underscores the global nature of cyber threats and the importance of robust cybersecurity measures.



It’s your classic smish and grab attack.

SNS Sender: The AWS-Supported Smishing Tool

A dangerous trend has emerged with the rise of a malicious Python script dubbed SNS Sender, which capitalises on Amazon Web Services (AWS) Simple Notification Service (SNS) to orchestrate bulk smishing attacks.

Attributed to a threat actor named ARDUINO_DAS, this tool enables threat actors to dispatch SMS phishing messages, often posing as messages from the United States Postal Service (USPS) regarding missed package deliveries. These deceptive texts harbour malicious links aimed at pilfering victims’ personally identifiable information (PII) and financial details.

What sets SNS Sender apart is its use of AWS SNS for SMS spamming, the first such use observed in the wild. The tool requires a set of prerequisites including a list of phishing links, AWS access keys, target phone numbers, sender IDs, and message content. Notably, the requirement for sender IDs varies across countries, suggesting the tool originates from a region where sender IDs are customary.

Evidence suggests that this operation has been active since at least July 2022, as indicated by bank logs referencing ARDUINO_DAS shared on carding forums. The phishing kits associated with this campaign predominantly impersonate USPS, directing victims to counterfeit package tracking pages soliciting personal and financial information.

Moreover, the emergence of SNS Sender reflects the persistent efforts of commodity threat actors to exploit cloud environments for their nefarious campaigns. Past incidents have highlighted similar abuse of stolen AWS access keys to infiltrate servers and execute SMS campaigns via SNS.

In a broader context, the cybersecurity landscape continues to witness innovation in tactics employed by threat actors. Recent examples include the use of advertising networks and legitimate platforms like Discord to propagate malware, underscoring the need for robust defence measures and heightened vigilance.
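A defender-side illustration of the SNS abuse described above, added here as an example and not part of the newsletter or of any vendor’s tooling: it scans constructed CloudTrail-style records for a single access key publishing direct SMS (the phoneNumber form of SNS Publish) to many distinct numbers in a short window, which is the traffic shape a tool like SNS Sender would produce with stolen keys. The record field names follow CloudTrail’s general layout but are an assumption; the sample events and access key IDs are constructed.

```python
"""Flag AWS access keys that fan SMS out through SNS Publish at bulk rates."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records, not real logs. Field names follow
# CloudTrail's general layout, but the exact record shape is an assumption.
SNS = "sns.amazonaws.com"
SAMPLE_EVENTS = [  # one key blasting 25 distinct numbers within 25 seconds
    {"eventTime": f"2024-02-19T10:00:{i:02d}Z", "eventSource": SNS, "eventName": "Publish",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLESTOLEN"},
     "requestParameters": {"phoneNumber": f"+1555000{i:04d}", "message": "USPS: delivery held"}}
    for i in range(25)
] + [  # an application key publishing to a topic (no phoneNumber): normal traffic
    {"eventTime": "2024-02-19T10:05:00Z", "eventSource": SNS, "eventName": "Publish",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEAPP"},
     "requestParameters": {"topicArn": "arn:aws:sns:us-east-1:123456789012:alerts"}},
] + [  # a login-OTP key sending two direct SMS half an hour apart: normal traffic
    {"eventTime": t, "eventSource": SNS, "eventName": "Publish",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEOTP"},
     "requestParameters": {"phoneNumber": n, "message": "Your code is 123456"}}
    for t, n in [("2024-02-19T09:00:00Z", "+15550009999"), ("2024-02-19T09:30:00Z", "+15550008888")]
]


def find_bulk_sms_keys(events, window_minutes=10, min_numbers=20):
    """Map each access key to the largest count of distinct phone numbers it hit
    with direct-SMS Publish calls inside any window of `window_minutes`, keeping
    only keys at or above `min_numbers`. Topic publishes are ignored: SNS Sender
    style abuse needs the phoneNumber form, which most applications never use."""
    window = timedelta(minutes=window_minutes)
    per_key = defaultdict(list)
    for ev in events:
        number = ev.get("requestParameters", {}).get("phoneNumber")
        if ev.get("eventSource") != SNS or ev.get("eventName") != "Publish" or not number:
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        per_key[ev["userIdentity"]["accessKeyId"]].append((ts, number))
    flagged = {}
    for key, sends in per_key.items():
        sends.sort()  # sliding window over the time-ordered sends
        best = start = 0
        for end, (ts, _) in enumerate(sends):
            while ts - sends[start][0] > window:
                start += 1
            best = max(best, len({n for _, n in sends[start:end + 1]}))
        if best >= min_numbers:
            flagged[key] = best
    return flagged
```

Tune the window and threshold to the account’s legitimate direct-SMS volume; a key that never sent SMS before and suddenly hits dozens of numbers is also worth an immediate key rotation, not just an alert.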

Catch of the Day!!

The Motley Fool: “Fool me once, shame on — shame on you. Fool me — you can’t get fooled again.” Good ol’ George Dubya. Let us tell you who’s not fooling around though; that’s the Crüe at Motley Fool. You’d be a fool (alright, enough already!) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets. (LINK)

Wander: Find your happy place. Cue Happy Gilmore flashback. Mmmm Happy Place… So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels set Wander apart from your run-of-the-mill American getaway. (LINK)

DigitalOcean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts (Great movie, to be fair). This is DigitalOcean, who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty). But if you can and you’re looking for somewhere to test things out or launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho. And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! (LINK)

Oh how the mighty have fallen. Better put that banking trojan on Ice, bro.

Ukrainian Cybercriminal’s Guilty Plea: Zeus and IcedID Schemes

Vyacheslav Igorevich Penchukov, also known as Vyacheslav Igoravich Andreev, 37, has confessed to orchestrating two significant malware campaigns, Zeus and IcedID, spanning over a decade from May 2009 to February 2021.

Penchukov’s arrest by Swiss authorities in October 2022, followed by his extradition to the U.S. last year, culminated in his recent guilty plea.

He had been on the FBI’s most-wanted list since 2012. The U.S. Department of Justice (DoJ) labelled him a leader of these two notorious malware operations, responsible for infecting countless computers worldwide and leading to substantial financial losses and ransomware incidents.

The Zeus banking trojan, one of his flagship creations, was instrumental in pilfering bank account details, passwords, and other sensitive information necessary for online banking access. Penchukov and his associates, operating as the Jabber Zeus gang, impersonated victims’ employees to initiate unauthorised fund transfers, routing the illicitly acquired funds through a network of “money mules” before funnelling them to offshore accounts.

Additionally, Penchukov’s involvement extended to the IcedID malware scheme, starting in November 2018. IcedID, also known as BokBot, functions as an information stealer and payload loader, facilitating further cyberattacks, including ransomware. Despite evading Ukrainian prosecution for years, attributed to political connections, Penchukov’s eventual extradition and subsequent admission of guilt to racketeering and wire fraud charges signify a significant victory for cybercrime justice. ⚖️

Meanwhile, in another development, the DoJ announced the extradition of Mark Sokolovsky, a 28-year-old Ukrainian national, from the Netherlands. Sokolovsky faces charges related to operating and advertising Raccoon, an infostealer, on a malware-as-a-service model. Raccoon, available since April 2019, was used in email phishing schemes to pilfer personal data, including login credentials and financial information, affecting millions of users worldwide.

These cases underscore the global effort to combat cybercrime, highlighting the ongoing battle against cybercriminals’ sophisticated tactics and the importance of international cooperation in apprehending and prosecuting offenders.

Keep up the good work, lads. The police, not the hackers! Until next time, folks.

Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • The GeekAI: A daily 3 min newsletter on what matters in AI; with all the new AI things coming to market, it’s good to stay ahead of the curve.

  • Wealthy Primate: Want to earn over $100k a year in IT or cybersecurity? 20 year veteran ‘Wealthy Primate’ might be able to help you climb that tree with his stick and banana approach.

  • Techspresso: Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, Tech Crunch etc)

Let us know what you think!

So long and thanks for reading all the phish!
