UNC1069 Uses New Tools to Target Crypto Entities
Verticals Targeted: Cryptocurrency, Financial
Regions Targeted: Not specified
Related Families: SUGARLOADER, WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, CHROMEPUSH
Executive Summary
A targeted intrusion into a FinTech entity in the cryptocurrency sector was attributed to UNC1069, a North Korea-nexus financially motivated threat actor. The operation deployed seven unique malware families on a macOS host through sophisticated social engineering involving a compromised Telegram account, a spoofed Zoom meeting, a reported deepfake video, and a ClickFix technique to initiate infection.
Key Takeaways
- UNC1069 leveraged a multi-stage infection chain starting with social engineering via hijacked Telegram and fake Zoom, using ClickFix commands to execute initial payloads on macOS.
- New tooling including SILENCELIFT, DEEPBREATH, and CHROMEPUSH was deployed alongside a known downloader, SUGARLOADER.
- The attack focused on harvesting credentials, browser data, session tokens, Keychain items, Telegram data, and Apple Notes to enable cryptocurrency theft and support future social engineering.
- Persistence was achieved via a manually configured launch daemon for SUGARLOADER, while …
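The launch daemon used for SUGARLOADER is the one durable foothold this summary names. As an added example that is not from the report or from any of the tooling it describes, the following script audits /Library/LaunchDaemons plists from the responder's side: each entry is scored on whether its program lives outside standard system paths, is a shell interpreter running an inline command, points at a writable or hidden directory, and sets RunAtLoad/KeepAlive. The trusted-path baseline, the weights and the sample plist are constructed assumptions, not indicators from the intrusion.

```python
import plistlib
from pathlib import Path

# Assumed baseline: where Apple-signed or package-installed daemon binaries normally live,
# interpreters that let a daemon run an arbitrary one-liner, and world-writable or user-controlled dirs.
TRUSTED_PREFIXES = ("/System/", "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/Library/Apple/")
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript", "/usr/bin/python3"}
WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")

def score_daemon(plist_bytes: bytes) -> tuple[int, list[str]]:
    """Score one launch daemon plist (XML or binary); higher means more persistence-like."""
    d = plistlib.loads(plist_bytes)
    args = [str(a) for a in d.get("ProgramArguments") or []]
    program = str(d.get("Program") or (args[0] if args else ""))
    if not program:
        return 0, ["no Program/ProgramArguments key"]
    score, findings = 0, []
    if not program.startswith(TRUSTED_PREFIXES):
        score += 2
        findings.append(f"program outside trusted prefixes: {program}")
    if program in INTERPRETERS:
        score += 2
        findings.append("interpreter with inline command: " + " ".join(args))
    for p in [program, *args]:  # a hidden ("/.") directory is treated like a writable one
        if p.startswith(WRITABLE) or "/." in p:
            score += 3
            findings.append(f"path in writable or hidden location: {p}")
            break
    for key in ("RunAtLoad", "KeepAlive"):  # classic persistence flags, low weight on their own
        if d.get(key):
            score += 1
            findings.append(f"{key} set")
    return score, findings

def audit_dir(directory: str = "/Library/LaunchDaemons", threshold: int = 3) -> dict:
    """Return {filename: (score, findings)} for every plist at or above the threshold."""
    hits = {}
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            score, findings = score_daemon(path.read_bytes())
        except Exception as exc:  # a plist launchd cannot parse is itself worth a look
            score, findings = threshold, [f"unparseable: {exc}"]
        if score >= threshold:
            hits[path.name] = (score, findings)
    return hits

# Constructed sample (not from the report): a daemon that runs a shell one-liner from a hidden dir.
SAMPLE_PLIST = b"""<plist version="1.0"><dict><key>Label</key><string>com.example.helper</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string><string>/Users/Shared/.cache/helper</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""
```

Run `audit_dir()` as root on a host under investigation; the sample scores 7 (interpreter, writable path, both persistence flags) while a packaged daemon under /usr/libexec with only RunAtLoad scores 1 and stays below the threshold.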
IoC
1a30d6cdb0b98feed62563be8050db55ae0156ed437701d36a7b46aabf086ede
B525837273dde06b86b5f93f9aec2c29665324105b0b66f6df81884754f8080d