North Korea-Linked UNC1069 Uses AI Lures to Attack Cryptocurrency Organizations

Security Reporter

North Korea-linked UNC1069 employs AI-generated videos, deepfakes, and sophisticated social engineering to target cryptocurrency firms, deploying multiple malware families to steal sensitive data and facilitate financial theft.

North Korea-linked threat actor UNC1069 has launched sophisticated attacks against cryptocurrency organizations using AI-generated content and deepfake technology to steal sensitive data and facilitate financial theft. The campaign, documented by Google Mandiant researchers, represents a significant evolution in the group's tactics, combining social engineering with advanced technical capabilities.

AI-Powered Social Engineering Campaign

The intrusion begins with a carefully crafted social engineering scheme that leverages compromised Telegram accounts and fake Zoom meetings. Mandiant researchers Ross Inman and Adrian Hernandez revealed that the attack chain relies on multiple layers of deception, including AI-generated video content designed to convince victims that they are participating in a legitimate video call.

UNC1069, also tracked as CryptoCore and MASAN, has been active since at least April 2018. The group has shifted its focus from traditional finance to the Web3 industry, targeting centralized exchanges, software developers at financial institutions, high-technology companies, and venture capital firms since 2023.

Multi-Stage Attack Vector

The attack follows a systematic approach:

  1. Initial Contact: Victims are approached via Telegram, with attackers impersonating venture capitalists or using compromised accounts of legitimate entrepreneurs and startup founders

  2. Meeting Setup: Calendly is used to schedule 30-minute meetings, with links redirecting victims to fake Zoom websites like "zoom.uswe05[.]us"

  3. Deepfake Deception: Victims encounter a fake video call interface that mirrors Zoom, complete with prompts to enable cameras and enter names. The videos are either deepfakes or recordings from previous victims

  4. ClickFix Exploitation: After a bogus error message about audio issues, victims are prompted to download and run ClickFix-style troubleshooting commands

  5. Payload Delivery: Depending on the platform (Windows or macOS), different malware families are deployed to establish persistence and exfiltrate data

Sophisticated Malware Arsenal

UNC1069 deployed seven unique malware families in this campaign, including several new variants:

macOS-Specific Malware:

  • WAVESHAPER: A malicious C++ executable that gathers system information and distributes HYPERCALL downloader
  • DEEPBREATH: A Swift-based data miner that manipulates macOS's Transparency, Consent, and Control (TCC) database to access sensitive data including iCloud Keychain credentials and browser information
  • CHROMEPUSH: A C++ data stealer deployed as a browser extension that records keystrokes, observes credential inputs, and extracts browser cookies
  • SILENCELIFT: A minimalist C/C++ backdoor that communicates with command-and-control servers

Cross-Platform Components:

  • HYPERCALL: A Go-based downloader that serves additional payloads
  • HIDDENCALL: A Golang backdoor providing hands-on keyboard access
  • SUGARLOADER: A C++ downloader used to deploy CHROMEPUSH

Technical Sophistication and Impact

The malware demonstrates advanced capabilities specifically designed for cryptocurrency theft:

  • DEEPBREATH manipulates macOS's TCC database to bypass security controls and gain file system access
  • CHROMEPUSH masquerades as a Google Docs offline editing tool while harvesting browser data
  • The combination of multiple malware families on a single host indicates a highly determined effort to harvest credentials, browser data, and session tokens
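The report describes DEEPBREATH altering the macOS TCC database to obtain broad data access. The following defender-side audit is an added example, not code from Mandiant's report or from the malware analysis: it loads grant rows from a TCC.db-style `access` table and flags allowed grants for high-risk services whose client is not in a known-good baseline or that were modified after the baseline was taken. The sample database is constructed in memory with a subset of the real `access` columns; the baseline clients and the flagged path are assumptions for illustration.

```python
import sqlite3

# Real TCC service identifiers whose grants give broad access to user data.
HIGH_RISK_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles",  # Full Disk Access (browser profiles, Mail, etc.)
    "kTCCServiceAccessibility",         # can observe and synthesize user input
    "kTCCServiceScreenCapture",
}
AUTH_ALLOWED = 2  # auth_value meaning "allowed" in macOS 11+ TCC.db


def load_grants(conn):
    """Read (service, client, auth_value, last_modified) rows from the `access` table."""
    return conn.execute(
        "SELECT service, client, auth_value, last_modified FROM access"
    ).fetchall()


def suspicious_grants(rows, baseline_clients, since_epoch):
    """Flag allowed high-risk grants whose client is unknown or that changed after the baseline."""
    findings = []
    for service, client, auth_value, last_modified in rows:
        if auth_value != AUTH_ALLOWED or service not in HIGH_RISK_SERVICES:
            continue
        reasons = []
        if client not in baseline_clients:
            reasons.append("client not in baseline")
        if last_modified > since_epoch:
            reasons.append("modified after baseline")
        if reasons:
            findings.append({"service": service, "client": client, "reasons": reasons})
    return findings


def build_sample_db():
    """Constructed sample: a subset of the real TCC.db `access` table schema and rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE access (
        service TEXT, client TEXT, client_type INTEGER,
        auth_value INTEGER, auth_reason INTEGER, last_modified INTEGER)""")
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", [
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 2, 1700000000),
        ("kTCCServiceSystemPolicyAllFiles", "/private/tmp/constructed-unknown-binary", 1, 2, 2, 1730000000),
        ("kTCCServiceAccessibility", "/private/tmp/constructed-unknown-binary", 1, 2, 2, 1730000000),
        ("kTCCServiceCamera", "us.zoom.xos", 0, 2, 2, 1690000000),   # not high-risk, ignored
        ("kTCCServiceAccessibility", "com.example.legit", 0, 0, 2, 1690000000),  # denied, ignored
    ])
    return conn


def audit_sample():
    """Run the audit against the constructed database with an assumed baseline."""
    conn = build_sample_db()
    baseline = {"com.apple.Terminal", "us.zoom.xos", "com.example.legit"}
    return suspicious_grants(load_grants(conn), baseline, since_epoch=1720000000)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

On a real host the same query runs against `/Library/Application Support/com.apple.TCC/TCC.db` (system) and `~/Library/Application Support/com.apple.TCC/TCC.db` (per user), which themselves require Full Disk Access to read.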

Attribution and Context

UNC1069's use of generative AI tools such as Gemini to create lure material represents a concerning trend in cybercrime. The group has also attempted to misuse Gemini to develop cryptocurrency-stealing code and has leveraged deepfake images and videos mimicking cryptocurrency industry figures.

The campaign's sophistication is further evidenced by its ability to reuse webcam footage from previous victims, creating a convincing illusion of live video calls. This technique, tracked by Kaspersky as "GhostCall," involves uploading victim footage to attacker-controlled infrastructure and reusing it to deceive other targets.

Defense Recommendations

Organizations in the cryptocurrency sector should implement the following measures:

  1. Enhanced Email Security: Deploy advanced phishing detection and URL filtering
  2. Multi-Factor Authentication: Require MFA for all sensitive accounts and systems
  3. Employee Training: Conduct regular security awareness training focused on social engineering tactics
  4. Network Monitoring: Implement behavioral analysis to detect unusual lateral movement and data exfiltration
  5. Application Whitelisting: Restrict execution of unauthorized applications
  6. Regular Security Audits: Conduct penetration testing and vulnerability assessments

The UNC1069 campaign demonstrates how state-sponsored actors are increasingly leveraging AI and deepfake technology to enhance traditional social engineering attacks. The combination of sophisticated deception techniques with multiple malware families creates a formidable threat that requires comprehensive security measures to mitigate.

Source: Google Mandiant Research