The North Korea-linked threat actor UNC1069 has been observed targeting the cryptocurrency sector to steal sensitive data from Windows and macOS systems with the ultimate goal of facilitating financial theft. The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim, Google Mandiant researchers Ross Inman and Adrian Hernandez said. UNC1069, assessed to be active since at least April 2018, has a history of conducting social engineering campaigns for financial gain using fake meeting invites and posing as investors from reputable companies on Telegram. It’s also tracked by the broader cybersecurity community under the monikers CryptoCore and MASAN.

In a report published last November, Google Threat Intelligence Group pointed out the threat actor’s use of generative artificial intelligence tools like Gemini to produce lure material and other cryptocurrency-related messaging in support of its social engineering campaigns. The group has also been observed attempting to misuse Gemini to develop code for stealing cryptocurrency, and leveraging deepfake images and video lures mimicking individuals in the cryptocurrency industry to distribute a backdoor called BIGMACHO to victims by passing it off as a Zoom software development kit (SDK). Since at least 2023, the group has shifted from spear-phishing techniques and traditional finance (TradFi) targeting towards the Web3 industry, including centralized exchanges, software developers at financial institutions, high-technology companies, and individuals at venture capital funds, Google said. In the latest intrusion documented by the tech giant’s threat intelligence division, UNC1069 is said to have deployed as many as seven unique malware families, including several new ones, such as SILENCELIFT, DEEPBREATH, and CHROMEPUSH.

It all starts when the threat actor approaches a victim via Telegram while impersonating venture capitalists and, in a few cases, even using compromised accounts of legitimate entrepreneurs and startup founders. The meeting link is designed to redirect the victim to a fake website masquerading as Zoom ("zoom.us"). In certain cases, the meeting links are shared directly in Telegram messages, often using Telegram’s hyperlink feature to hide the phishing URLs behind innocuous link text. Regardless of the method used, as soon as the victim clicks the link, they are presented with a fake video call interface that mirrors Zoom, urging them to enable their camera and enter their name.
