Full Report
North Korean hackers are running tailored campaigns using AI-generated video and the ClickFix technique to deliver malware for macOS and Windows to targets in the cryptocurrency sector. [...]
Analysis Summary
# Threat Actor: UNC1069
## Attribution & Identity
The threat actor is attributed to **North Korean hackers**.
**Known Aliases:** UNC1069 (tracked by Google's Mandiant since 2018).
**Associated Groups:** The article notes a *similar* attack method attributed to **BlueNoroff** (also known as Sapphire Sleet and TA444), another North Korean adversary. This suggests possible operational overlap or shared TTP evolution across the broader North Korean threat landscape, although the specific campaign discussed is linked to UNC1069.
## Activity Summary
UNC1069 conducts tailored campaigns focused on financial gain through data exfiltration and cryptocurrency theft. A recent operation involved complex social engineering using **AI-generated (deepfake) video** within a seemingly legitimate meeting context to trick victims into running malware installers. The actors aim to steal cryptocurrency and to harvest victim identities and data for future social engineering efforts.
## Tactics, Techniques & Procedures
- **Initial Access / Social Engineering:** Contacting victims via Telegram from compromised executive accounts, building rapport, and setting up a spoofed Zoom meeting using **AI-generated video (deepfakes)** of known executives from target companies.
- **Execution Lure (ClickFix Technique):** Prompting the victim to troubleshoot perceived audio issues by following instructions on an attacker-controlled webpage that told them to run commands on Windows or macOS; this pattern is what the article calls the "ClickFix technique."
- **Discovery/Persistence:** Initial stages involved **AppleScript execution**, followed by deployment of a malicious Mach-O binary on macOS. Persistence was established for SUGARLOADER via a manually created launch daemon.
- **Data Exfiltration/Collection:** Utilizing data miners (DEEPBREATH, CHROMEPUSH) to steal keychain credentials, browser data, Telegram data, and Apple Notes data.
- **Evasion:** DEEPBREATH bypasses macOS TCC protections by modifying the TCC database to gain broad filesystem access.
- **Command and Control (C2):** Communication utilized HTTP/HTTPS (via curl) and WebSockets over TCP 443.
## Targeting
- **Sectors:** Cryptocurrency sector, fintech companies, Web3 industry (centralized exchanges, developers, venture capital funds), and financial services (payments, brokerage, and wallet infrastructure).
- **Geography:** Not explicitly detailed, but operations focus on global entities within the specified sectors.
- **Victims:** Specific targets included a fintech company and, historically, entities within the Web3 industry.
## Tools & Infrastructure
**Malware Families (Seven distinct families found on one host):**
1. **WAVESHAPER:** C++ backdoor; collects host info; C2 via HTTP/HTTPS using `curl`.
2. **HYPERCALL:** Golang-based downloader; reads RC4-encrypted config; C2 via WebSockets (TCP 443); loads malicious dynamic libraries reflectively.
3. **HIDDENCALL:** Golang-based backdoor; reflectively injected by HYPERCALL; provides hands-on keyboard access.
4. **SILENCELIFT:** Minimal C/C++ backdoor; beacons host info/lock screen status; can interrupt Telegram communications.
5. **DEEPBREATH:** Swift-based data miner; steals keychain, browser data, Telegram data, Apple Notes data.
6. **SUGARLOADER:** C++ downloader; uses RC4-encrypted config to fetch payloads; establishes persistence.
7. **CHROMEPUSH:** C++ browser data miner; installs as a masquerading Chromium native messaging host (Google Docs Offline extension); collects keystrokes, credentials, cookies, and screenshots.
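The two persistence artefacts named above, a launch daemon created for SUGARLOADER and a Chromium native messaging host manifest used by CHROMEPUSH to masquerade as the Google Docs Offline extension, can both be audited from their on-disk descriptors. The script below is an added example written for this summary, not code from the report or from Mandiant: it parses launchd plists and native messaging host JSON manifests and flags any whose program binary lives outside an assumed allowlist of trusted prefixes. The sample plists and manifests it writes are constructed fixtures, the `TRUSTED_PREFIXES` list and the fixture names, paths and extension id are assumptions, and on a real host you would point the audit functions at `/Library/LaunchDaemons`, `/Library/LaunchAgents`, and the Chrome `NativeMessagingHosts` directories instead.

```python
import json
import os
import plistlib
import tempfile

# Assumed allowlist of prefixes under which launchd programs and native messaging
# hosts are expected on a managed Mac; tune this for your fleet.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/Applications/", "/Library/Google/")


def _untrusted(path):
    """True if the path is empty, relative, or outside the trusted prefixes."""
    return not path or not path.startswith("/") or not path.startswith(TRUSTED_PREFIXES)


def audit_launch_daemons(daemon_dir):
    """Return one finding per launchd plist whose program sits outside the trusted prefixes."""
    findings = []
    for name in sorted(os.listdir(daemon_dir)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(daemon_dir, name), "rb") as fh:
                plist = plistlib.load(fh)
        except (OSError, plistlib.InvalidFileException, ValueError):
            findings.append({"file": name, "reason": "unparseable plist"})
            continue
        args = plist.get("ProgramArguments") or []
        program = args[0] if args else plist.get("Program", "")
        if _untrusted(program):
            findings.append({
                "file": name,
                "label": plist.get("Label"),
                "program": program,
                "run_at_load": bool(plist.get("RunAtLoad")),
                "reason": "program outside trusted prefixes",
            })
    return findings


def audit_native_messaging_hosts(host_dir):
    """Return one finding per native messaging host manifest whose host binary is
    outside the trusted prefixes (the masquerading pattern CHROMEPUSH relies on)."""
    findings = []
    for name in sorted(os.listdir(host_dir)):
        if not name.endswith(".json"):
            continue
        with open(os.path.join(host_dir, name), "r", encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except ValueError:
                findings.append({"file": name, "reason": "unparseable manifest"})
                continue
        host_path = manifest.get("path", "")
        if _untrusted(host_path):
            findings.append({
                "file": name,
                "host_name": manifest.get("name"),
                "path": host_path,
                "allowed_origins": manifest.get("allowed_origins", []),
                "reason": "native messaging host outside trusted prefixes",
            })
    return findings


def build_fixture():
    """Write constructed sample artefacts (one benign and one suspicious of each kind)
    into a temp directory and return its path. Every value here is made up."""
    root = tempfile.mkdtemp(prefix="mac_audit_")
    daemons = os.path.join(root, "LaunchDaemons")
    hosts = os.path.join(root, "NativeMessagingHosts")
    os.makedirs(daemons)
    os.makedirs(hosts)
    benign = {"Label": "com.apple.example", "ProgramArguments": ["/usr/libexec/example"], "RunAtLoad": True}
    suspicious = {"Label": "com.system.update",
                  "ProgramArguments": ["/Users/alice/Library/Caches/.update/agent", "-d"],
                  "RunAtLoad": True, "KeepAlive": True}
    for fname, data in (("com.apple.example.plist", benign), ("com.system.update.plist", suspicious)):
        with open(os.path.join(daemons, fname), "wb") as fh:
            plistlib.dump(data, fh)
    benign_host = {"name": "com.example.vendorhost", "path": "/Applications/VendorApp.app/Contents/MacOS/host",
                   "type": "stdio", "allowed_origins": ["chrome-extension://EXTENSION_ID_PLACEHOLDER/"]}
    masquerade = {"name": "com.google.docs.offline", "description": "Google Docs Offline",
                  "path": "/Users/alice/.cache/docs_offline", "type": "stdio",
                  "allowed_origins": ["chrome-extension://EXTENSION_ID_PLACEHOLDER/"]}
    for fname, data in (("com.example.vendorhost.json", benign_host), ("com.google.docs.offline.json", masquerade)):
        with open(os.path.join(hosts, fname), "w", encoding="utf-8") as fh:
            json.dump(data, fh)
    return root


if __name__ == "__main__":
    root = build_fixture()
    for finding in audit_launch_daemons(os.path.join(root, "LaunchDaemons")):
        print("LAUNCHD", finding)
    for finding in audit_native_messaging_hosts(os.path.join(root, "NativeMessagingHosts")):
        print("NMH", finding)
```

Path-based allowlisting is deliberately coarse: a host under `/Applications/` can still be malicious, so treat a clean result as "nothing obviously wrong" and pair it with code-signature checks and the EDR telemetry recommended under Mitigations.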
**Infrastructure:**
- Compromised Telegram accounts used for initial contact.
- Attacker-controlled infrastructure hosting a spoofed Zoom meeting page.
- C2 servers communicating via HTTP/HTTPS and WebSockets.
## Implications
UNC1069 displays a high level of adaptation, evolving its targeting (from Web3 to broader crypto/finance) and leveraging cutting-edge social engineering tactics, specifically **AI-generated deepfake video**, to achieve initial access. The deployment of an unusually high volume of specialized malware against a single target indicates a highly focused intelligence gathering and theft operation, making the group a significant threat to organizations handling sensitive digital assets.
## Mitigations
- **Enhanced Social Engineering Training:** Users must be trained to recognize highly sophisticated social engineering tactics involving deepfake video/audio, especially during impromptu digital meetings.
- **Strict Authentication and Verification:** Implement policies requiring secondary, out-of-band verification (e.g., a phone call) for any request made over messaging apps (such as Telegram) that leads to executing files or running unfamiliar commands.
- **Endpoint Detection and Response (EDR) for macOS:** Deploy robust EDR solutions capable of monitoring for unusual process execution chains, AppleScript activity, Mach-O binary deployment, and suspicious launch daemon creation.
- **TCC Policy Monitoring:** Actively monitor for unauthorized modifications to the macOS TCC database, as leveraged by DEEPBREATH.
- **Network Monitoring:** Monitor for C2 communication patterns, specifically suspicious outbound traffic over WebSockets or standard HTTP/S channels initiated by unknown background processes.
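The TCC Policy Monitoring item above, and the DEEPBREATH evasion it refers to, can be implemented as a baseline-and-diff check over the grants in the TCC database: snapshot which clients currently hold Full Disk Access, then alert when a later snapshot shows a client that was neither in the baseline nor on an allowlist. The script below is an added example for this summary, not code from the report or from Mandiant. The service name `kTCCServiceSystemPolicyAllFiles` and the meaning of `auth_value = 2` (allowed) are real TCC conventions, but the `access` table layout used for the fixtures is a simplified approximation (an assumption), the client identifiers are constructed, and the real database path (`/Library/Application Support/com.apple.TCC/TCC.db`, readable only with Full Disk Access) is only mentioned, not opened.

```python
import os
import sqlite3
import tempfile

# Real TCC service identifier for Full Disk Access and the auth_value meaning "allowed".
FULL_DISK_ACCESS = "kTCCServiceSystemPolicyAllFiles"
ALLOWED = 2

# Assumed schema: a simplified subset of the columns in the real TCC.db 'access' table.
_SCHEMA = """CREATE TABLE access (
    service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,
    auth_value INTEGER NOT NULL, auth_reason INTEGER NOT NULL, last_modified INTEGER NOT NULL)"""


def build_sample_tcc_db(path, rows):
    """Create a constructed TCC-like database at 'path' holding the given access rows."""
    con = sqlite3.connect(path)
    try:
        con.execute(_SCHEMA)
        con.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", rows)
        con.commit()
    finally:
        con.close()


def snapshot_grants(db_path, service=FULL_DISK_ACCESS):
    """Return {client: last_modified} for every client currently allowed 'service'.
    The database is opened read-only so the audit itself never modifies TCC state."""
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT client, last_modified FROM access WHERE service = ? AND auth_value = ?",
            (service, ALLOWED),
        ).fetchall()
    finally:
        con.close()
    return dict(rows)


def diff_grants(baseline, current, allowlist=()):
    """Return clients that hold the grant now but were neither in the baseline
    snapshot nor on the allowlist: the signal for an unauthorized TCC modification."""
    return sorted(client for client in current if client not in baseline and client not in allowlist)


def demo(allowlist=("com.example.backupagent",)):
    """Build a 'before' and an 'after' fixture and return the unexpected new grants.
    Both databases and every client name are constructed for illustration."""
    workdir = tempfile.mkdtemp(prefix="tcc_audit_")
    before = os.path.join(workdir, "before.db")
    after = os.path.join(workdir, "after.db")
    baseline_rows = [
        # service, client, client_type (0 = bundle id, 1 = path), auth_value, auth_reason, last_modified
        (FULL_DISK_ACCESS, "com.example.backupagent", 0, ALLOWED, 2, 1700000000),
        (FULL_DISK_ACCESS, "com.example.denied", 0, 0, 2, 1700000001),
    ]
    # The 'after' state additionally grants Full Disk Access to a path-identified
    # client under a user cache directory, the kind of row a data miner would need.
    after_rows = baseline_rows + [
        (FULL_DISK_ACCESS, "/Users/alice/Library/Caches/.update/agent", 1, ALLOWED, 2, 1700009999),
    ]
    build_sample_tcc_db(before, baseline_rows)
    build_sample_tcc_db(after, after_rows)
    return diff_grants(snapshot_grants(before), snapshot_grants(after), allowlist)


if __name__ == "__main__":
    for client in demo():
        print("UNEXPECTED FULL DISK ACCESS GRANT:", client)
```

In production the baseline snapshot should be stored off-host and refreshed only through a change-control step, since an attacker with write access to the database could otherwise also rewrite the baseline; a file-integrity or EDR alert on any write to `TCC.db` that does not originate from `tccd` complements the periodic diff.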