Cyber Security News

RustDoor and Koi Stealer Malware Attack macOS to Steal Login Credentials

A new wave of sophisticated cyberattacks targeting macOS systems has been identified, involving two malware strains, RustDoor and Koi Stealer.

These attacks, attributed to North Korea-linked advanced persistent threat (APT) groups, aim primarily to steal login credentials and cryptocurrency assets from software developers working in the cryptocurrency industry.

Infection Vector and Social Engineering Tactics

The campaign, tracked as “Contagious Interview,” employs social engineering techniques where attackers pose as recruiters or potential employers.

Victims are lured into installing malicious software disguised as legitimate development tools, such as Visual Studio updates.

This method exploits the trust of job-seeking developers, leveraging email and messaging platforms to deliver the malware.

Malware Execution and Capabilities

The attack unfolds in multiple stages. Initially, RustDoor malware is deployed in various forms to establish persistence on the target system.

The malware attempts to execute two Mach-O binaries stored in hidden directories.

If those binaries are blocked, the attackers deploy additional RustDoor variants, including scripts that open reverse shell connections for remote access.

(Figure: The execution and commands of the second RustDoor binary.)
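One check a responder can run for the first stage described above, added here as an example and not code from the Palo Alto Networks report or from the malware: walk a home directory and list every file that carries a Mach-O magic number and whose path includes a hidden (dot-prefixed) directory. The page says only that the binaries sit in hidden directories, so the fixture tree, its paths and the exact layout are assumptions; the check generalizes slightly by also flagging hidden files inside visible directories.

```python
import os
import tempfile

# Mach-O magic values: thin 32/64-bit in both byte orders, plus the universal (fat) header.
# 0xCAFEBABE is also the Java class-file magic, so fat hits deserve a second look.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}


def is_macho(path):
    """True if the file starts with a Mach-O or fat-binary magic number."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def find_hidden_macho(root):
    """Return sorted paths (relative to root) of Mach-O files whose path below root
    contains at least one dot-prefixed component: a hidden directory or a hidden file."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        dir_parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        dir_hidden = any(p.startswith(".") for p in dir_parts)
        for name in filenames:
            if not (dir_hidden or name.startswith(".")):
                continue
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # report what is actually on disk, not where a link points
            if is_macho(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_sample_tree():
    """Constructed fixture (not real malware): a fake home directory with one Mach-O in a
    hidden directory, one hidden Mach-O file, one visible Mach-O and one hidden text file."""
    root = tempfile.mkdtemp(prefix="macho_hunt_")
    fake_macho = b"\xcf\xfa\xed\xfe" + b"\x00" * 28  # MH_MAGIC_64 followed by padding
    files = {
        os.path.join(".cache", "svc", "agent"): fake_macho,   # hidden directory: should be flagged
        os.path.join("Documents", ".helper"): fake_macho,      # hidden file: should be flagged
        os.path.join("bin", "tool"): fake_macho,               # visible: not flagged
        os.path.join(".config", "notes.txt"): b"just text\n",  # hidden but not Mach-O
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    # Point find_hidden_macho at a real home directory to hunt; the sample tree is for demonstration.
    sample = build_sample_tree()
    for hit in find_hidden_macho(sample):
        print("hidden Mach-O:", hit)
```

Treat the output as hunting leads rather than verdicts: developer tooling legitimately installs Mach-O binaries under paths such as ~/.cargo or ~/.local, so each hit still needs its code signature and provenance checked before it is called malicious.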

Koi Stealer, a previously undocumented macOS variant of an infostealer malware family, is introduced in later stages.

It masquerades as a legitimate Visual Studio update, tricking users into granting administrative access.

Once installed, Koi Stealer collects sensitive data such as usernames, passwords, hardware details, and cryptocurrency wallet information.

The stolen data is encrypted and exfiltrated to command-and-control (C2) servers.
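A detection for the credential-prompt step described above, added here as an example and not code from the Palo Alto Networks report or from the malware. The page does not say how Koi Stealer draws its password dialog, so the example assumes the pattern common to macOS stealers: an osascript `display dialog ... with hidden answer` prompt, or a `do shell script ... with administrator privileges` call that triggers the system authorization prompt. It parses constructed process-execution records (the key=value line shape is an assumption, not any EDR's format) and reports which records trip either rule.

```python
import re

# Constructed process-execution records, not taken from any real EDR or from the campaign.
# The osascript lines imitate two ways an AppleScript can solicit a password; the
# "display notification" line is ordinary developer tooling and must not be flagged.
SAMPLE_EVENTS = [
    "2025-02-27T10:14:03Z uid=501 pid=4471 ppid=4460 exe=/usr/bin/osascript "
    "args=osascript -e 'display dialog \"Visual Studio needs to install an update. "
    "Enter your password:\" default answer \"\" with hidden answer with icon caution'",
    "2025-02-27T10:14:09Z uid=501 pid=4472 ppid=4460 exe=/usr/bin/git args=git pull --rebase",
    "2025-02-27T10:15:11Z uid=501 pid=4480 ppid=1 exe=/usr/bin/osascript "
    "args=osascript -e 'display notification \"Build finished\" with title \"Xcode\"'",
    "2025-02-27T10:16:40Z uid=501 pid=4490 ppid=4460 exe=/usr/bin/osascript "
    "args=osascript -e 'do shell script \"installer -pkg /tmp/update.pkg -target /\" "
    "with administrator privileges'",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\d+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) "
    r"exe=(?P<exe>\S+) args=(?P<args>.*)$"
)

# Each rule is (name, pattern over the osascript arguments). Whitespace is matched loosely
# because AppleScript lets the author break lines and reorder clauses.
RULES = [
    ("fake_password_prompt",
     re.compile(r"display\s+dialog.*hidden\s+answer", re.I | re.S)),
    ("admin_privilege_prompt",
     re.compile(r"do\s+shell\s+script.*with\s+administrator\s+privileges", re.I | re.S)),
]


def parse_event(line):
    """Return the record as a dict, or None if the line is not in the expected shape."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(event):
    """Names of the rules an osascript execution matches (empty for any other process)."""
    if event is None or not event["exe"].endswith("/osascript"):
        return []
    return [name for name, pattern in RULES if pattern.search(event["args"])]


def scan(lines):
    """Return (pid, rule) pairs for every record that trips a rule, in log order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        for rule in classify(event):
            hits.append((event["pid"], rule))
    return hits


if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The rules key on the prompt constructs rather than on osascript itself, because osascript is used constantly by legitimate tooling. Two gaps a production rule should close: the script may be passed as a file rather than inline with `-e`, in which case the file contents must be inspected, and a parent process that is not a terminal or a known installer makes either match far more suspicious.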

Technical Analysis and Advanced Techniques

Both RustDoor and Koi Stealer show advanced techniques, several of them aimed at avoiding detection:

  • Data Exfiltration: Koi Stealer operates in two stages, initial reconnaissance followed by targeted data collection. It focuses on browser credentials, cryptocurrency wallets, SSH keys, and application files from platforms like Discord and Telegram.
  • AppleScript Usage: The malware employs AppleScript to mute system notifications during data theft operations, ensuring stealth.
  • String Encryption: Koi Stealer decrypts its strings at runtime using XOR-based algorithms to conceal its functionality from security tools.
  • Cross-Platform Similarities: The macOS version of Koi Stealer shares structural similarities with its Windows counterpart, including HTTP request formats and memory stream-based data transmission.

(Figure: macOS Koi Stealer variant pop-up asking for the root password.)
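To make the string-encryption item concrete, the following is an added example, not code from the report or from Koi Stealer. The page says only that the strings are XOR-encrypted and decoded at runtime, so the single-byte key 0x5A, the string table (illustrative paths of the kind the article lists) and the scoring heuristic are all assumptions. The example shows the decode routine a stealer would carry and the analyst-side step the paragraph does not: recovering an unknown single-byte key from the encrypted table alone.

```python
def xor_bytes(data, key):
    """XOR data with a repeating key. XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Plaintexts used to build the demo table. A real sample ships only the XOR-ed blobs; these
# paths are illustrative targets of the kind the article lists, not Koi Stealer's own strings.
DEMO_STRINGS = [
    b"Library/Application Support/Google/Chrome/Default/Login Data",
    b"Library/Application Support/Telegram Desktop/tdata",
    b"Library/Application Support/discord/Local Storage/leveldb",
    b".ssh/id_rsa",
]
DEMO_KEY = 0x5A  # assumed single-byte key for the demo
DEMO_TABLE = [xor_bytes(s, bytes([DEMO_KEY])) for s in DEMO_STRINGS]


def text_score(buf):
    """Heuristic likelihood that buf is path-like text: reward lowercase letters and spaces,
    accept uppercase, digits and path punctuation, and punish anything non-printable hard."""
    score = 0
    for b in buf:
        if 0x61 <= b <= 0x7A or b == 0x20:
            score += 2
        elif 0x41 <= b <= 0x5A or 0x30 <= b <= 0x39 or b in b"/._-:":
            score += 1
        elif 0x20 <= b <= 0x7E:
            score += 0
        else:
            score -= 10
    return score


def recover_single_byte_key(blob):
    """Try all 256 single-byte keys and return (key, plaintext) for the best-scoring candidate."""
    best_key, best_plain, best_score = None, None, None
    for k in range(256):
        cand = xor_bytes(blob, bytes([k]))
        s = text_score(cand)
        if best_score is None or s > best_score:
            best_key, best_plain, best_score = k, cand, s
    return best_key, best_plain


def recover_table(table):
    """Recover the key from the longest blob (it carries the most statistical signal),
    then decode the whole table with it."""
    key, _ = recover_single_byte_key(max(table, key=len))
    return key, [xor_bytes(blob, bytes([key])) for blob in table]


if __name__ == "__main__":
    key, strings = recover_table(DEMO_TABLE)
    print(f"recovered key: 0x{key:02x}")
    for s in strings:
        print(" ", s.decode())
```

The scoring matters more than the loop: a plain "is it printable" test ties between several keys for ASCII-only text, which is why the heuristic weights spaces and lowercase letters. Real samples may use a multi-byte or per-string key, or derive the key at runtime; `xor_bytes` handles a known multi-byte key, but recovering one first requires guessing its length, which this example does not attempt.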

The infrastructure supporting this campaign includes domains and IPs linked to North Korean APT groups such as BlueNoroff (also known as Alluring Pisces).

The attackers’ focus on cryptocurrency developers aligns with previous North Korean cyber operations aimed at financial theft.

According to the Palo Alto Networks report, this campaign underscores the growing sophistication of macOS-targeted malware and the persistent threat posed by nation-state actors.

Organizations must adopt robust security measures, including behavioral threat detection tools like Cortex XDR, to mitigate risks.

Enhanced social engineering awareness among employees is also critical to countering such attacks.

For those potentially impacted by this campaign, immediate incident response is recommended to secure compromised systems and prevent further data loss.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
