Crypto Sector in Crosshairs: UNC1069’s AI Deepfakes and New Mac Malware Arsenal Exposed
The cryptocurrency world faces a growing threat from advanced hackers. A group called UNC1069, linked to North Korea, has stepped up its game. They now use AI deepfakes and fresh malware to steal crypto funds. This post dives into their latest tricks, how they hit a FinTech firm, and what it means for your security.
Who is UNC1069 and Why Target Crypto?
UNC1069 has been active since 2018. They focus on money grabs, especially in crypto, DeFi, startups, developers, and venture capital firms. Unlike some groups that hit big exchanges, UNC1069 goes after people and smaller targets to steal credentials and session tokens.
Recently, they hit a FinTech company in the crypto space. They dropped seven unique malware families on one Mac device. This shows their push to grab as much data as possible for theft and future scams.
The Sneaky Social Engineering Attack
The hack started with a compromised Telegram account from a crypto executive. The hackers messaged the victim, built trust, and sent a Calendly link for a 30-minute meeting.
The link led to a fake Zoom call on attacker-controlled servers: zoom[.]uswe05[.]us. During the call, the victim saw a video of another crypto CEO that looked real – likely an AI-generated deepfake.
The attackers then claimed the victim had audio problems and pushed a ClickFix lure: "troubleshooting" commands to paste into a terminal on Mac or Windows. Running the hidden command started the malware infection.
- Mac commands: Included AppleScript to drop the first malware.
- Windows commands: Similar setup for other systems.
This combination of stolen accounts, fake meetings, deepfakes, and ClickFix is new and alarming. It builds on the group's earlier use of AI tools such as Gemini for reconnaissance and for producing fake images and videos.
The Malware Explosion: Seven Tools on One Machine
Once inside, UNC1069 unleashed a chain of malware. Even without an EDR agent on the host, forensic analysis reconstructed the full chain from built-in macOS artifacts such as the XProtect database.
1. WAVESHAPER (First Backdoor)
Packed C++ backdoor. It forks to run in the background, beacons system information (UID, boot time, process list) to its C2 server, and downloads further payloads to /tmp/.[A-Za-z0-9]{6}.
2. HYPERCALL (Downloader)
Go-based downloader. It reads an RC4-encrypted config from /Library/SystemSettings/.CacheLogs.db, then downloads dynamic libraries from the C2 over port 443 and loads them reflectively in memory. Its design shows influences from SUGARLOADER.
3. HIDDENCALL (Hands-on Backdoor)
Loaded by HYPERCALL. It gives the operator remote keyboard access. Code overlap with HYPERCALL was confirmed from Rosetta AOT cache files.
4. SUGARLOADER (Known Downloader)
C++ loader that persists as a launch daemon: /Library/LaunchDaemons/com.apple.system.updater.plist. It downloads the next stage from a server specified in its RC4-encrypted config.
5. SILENCELIFT (Toehold Backdoor)
Minimal C/C++ beacon. It sends host information and screen-lock status to support-zoom[.]us. When running as root, it can interfere with Telegram.
6. DEEPBREATH (Data Miner)
Swift-based stealer. It bypasses TCC privacy controls by editing the TCC database through Finder, which already holds Full Disk Access. It grabs:
- Keychain credentials
- Chrome, Brave, Edge browser data
- Telegram and Apple Notes data
It archives the data as a ZIP and exfiltrates it with curl, and relaunches itself via AppleScript.
7. CHROMEPUSH (Browser Data Miner)
C++ tool. It installs a fake browser extension ("Google Docs offline") as a native messaging host in Chrome/Brave, logs keystrokes, harvests cookies, and takes screenshots. Its JSON config lives in setting.db, and it uploads stolen data to cmailer[.]pro.
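The chain above leaves a handful of host artifacts that a defender can sweep for without an EDR agent: the hidden config paths, the Apple-looking launch daemon, the six-character drop files in /tmp, and a native messaging host whose binary sits somewhere no legitimate host would. The following script is an added example, not code from the post or from the underlying report; it scans a filesystem root (the live system at "/", or a mounted image or triage bundle) and returns findings. The exact paths and the launch daemon name come from the post; the heuristics (an Apple-style label in /Library/LaunchDaemons, hidden path components, temp/cache locations) and the sample tree it builds are this example's own assumptions.

```python
"""Offline sweep for the UNC1069 macOS artifacts described in the post.

Added example, not from the post or the underlying report. `scan_root`
walks a filesystem root and returns (category, relative_path, reason)
tuples; `build_sample_root` constructs a throwaway tree to run it on.
"""
import glob
import json
import os
import plistlib
import re
import tempfile

# Indicator paths quoted in the post, relative to the filesystem root.
KNOWN_PATHS = {
    "Library/SystemSettings/.CacheLogs.db": "HYPERCALL RC4 config",
    "Library/Caches/.Logs.db": "hidden config path from the IOC list",
    "Library/LaunchDaemons/com.apple.system.updater.plist": "SUGARLOADER launch daemon",
}
TMP_DROP_RE = re.compile(r"^\.[A-Za-z0-9]{6}$")  # WAVESHAPER payload drop names
# Heuristic (assumption): legitimate daemons and native hosts do not run from here.
SUSPICIOUS_DIRS = ("tmp/", "var/tmp/", "private/tmp/", "Library/Caches/", "Library/SystemSettings/")
NMH_GLOBS = (  # per-user native messaging host manifests for Chrome and Brave
    "Users/*/Library/Application Support/Google/Chrome/NativeMessagingHosts/*.json",
    "Users/*/Library/Application Support/BraveSoftware/Brave-Browser/NativeMessagingHosts/*.json",
)


def _suspicious_target(path):
    """Return a reason string if an executable path looks like a malware location."""
    rel = path.lstrip("/")
    if any(part.startswith(".") for part in rel.split("/")):
        return "hidden path component"
    if rel.startswith(SUSPICIOUS_DIRS):
        return "lives under a temp/cache directory"
    return None


def scan_root(root):
    findings = []
    # 1. Exact indicator paths from the post.
    for rel, why in KNOWN_PATHS.items():
        if os.path.exists(os.path.join(root, rel)):
            findings.append(("known_ioc", rel, why))
    # 2. Launch daemons impersonating Apple: Apple's own daemons live in
    #    /System/Library/LaunchDaemons, so a com.apple.* label here is suspect.
    for plist_path in glob.glob(os.path.join(root, "Library/LaunchDaemons/*.plist")):
        rel = os.path.relpath(plist_path, root)
        try:
            with open(plist_path, "rb") as fh:
                data = plistlib.load(fh)
        except Exception:
            findings.append(("launchd", rel, "unparseable plist"))
            continue
        label = str(data.get("Label", ""))
        args = data.get("ProgramArguments") or [data.get("Program", "")]
        target = str(args[0]) if args else ""
        if label.startswith("com.apple."):
            findings.append(("launchd", rel, "Apple-style label outside /System"))
        elif _suspicious_target(target):
            findings.append(("launchd", rel, f"runs {target}: {_suspicious_target(target)}"))
    # 3. Hidden six-character drop files in /tmp (and its /private/tmp alias).
    for tmp_rel in ("tmp", "private/tmp"):
        tmp_dir = os.path.join(root, tmp_rel)
        if os.path.isdir(tmp_dir):
            for name in os.listdir(tmp_dir):
                if TMP_DROP_RE.match(name):
                    findings.append(("tmp_drop", f"{tmp_rel}/{name}", "matches /tmp/.[A-Za-z0-9]{6} pattern"))
    # 4. Native messaging hosts (the CHROMEPUSH technique) whose binary sits somewhere odd.
    for pattern in NMH_GLOBS:
        for manifest in glob.glob(os.path.join(root, pattern)):
            try:
                with open(manifest) as fh:
                    host = json.load(fh)
            except Exception:
                continue
            reason = _suspicious_target(str(host.get("path", "")))
            if reason:
                findings.append(("native_messaging", os.path.relpath(manifest, root),
                                 f"{host.get('name')}: {reason}"))
    return sorted(findings)


def build_sample_root():
    """Constructed triage tree: one infected-looking host plus benign noise."""
    root = tempfile.mkdtemp(prefix="unc1069_demo_")

    def write(rel, content):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb" if isinstance(content, bytes) else "w") as fh:
            fh.write(content)

    write("Library/SystemSettings/.CacheLogs.db", b"\x00constructed")          # hidden config
    write("Library/LaunchDaemons/com.apple.system.updater.plist", plistlib.dumps(
        {"Label": "com.apple.system.updater", "RunAtLoad": True,
         "ProgramArguments": ["/Library/SystemSettings/.updater"]}))           # constructed
    write("Library/LaunchDaemons/com.example.backup.plist", plistlib.dumps(
        {"Label": "com.example.backup",
         "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/agent"]}))  # benign
    write("tmp/.aB3xY9", b"\xcf\xfa\xed\xfe")                                  # hidden drop file
    write("tmp/build.log", "ok\n")                                             # benign noise
    write("Users/alice/Library/Application Support/Google/Chrome/NativeMessagingHosts/"
          "com.google.docs.offline.json",
          json.dumps({"name": "com.google.docs.offline", "type": "stdio",
                      "path": "/Library/Caches/.gdocs_host",
                      "allowed_origins": ["chrome-extension://placeholder/"]}))  # constructed
    return root


if __name__ == "__main__":
    for category, path, reason in scan_root(build_sample_root()):
        print(f"[{category}] {path}: {reason}")
```

Run it against "/" on a suspect Mac (the per-user manifests need read access to each home directory) or against the mount point of an acquired image. The Apple-label heuristic is deliberately blunt: any match should be followed by a look at the plist's ProgramArguments and the code signature of the binary it launches.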
What They Steal and Why It Matters
Together these tools harvest credentials, browser cookies, and session tokens, which is exactly what an attacker needs to drain wallets or hijack accounts. UNC1069 has shifted toward Web3 since 2023, targeting payments, staking, and wallets, and pivots from personal to corporate devices.
This single-host blitz shows determination: harvest data for instant theft and fuel more phishing with stolen identities.
Protection Tips for Crypto Users
- Verify Contacts: Double-check Telegram profiles and meeting links.
- Spot Deepfakes: Look for glitches in video/audio during calls.
- Avoid ClickFix: Never run unknown commands. Use verified support.
- Enable EDR/AV: XProtect provides some logging, but add full endpoint monitoring and detection content (for example, Google SecOps rules).
- Lock Down TCC: Review privacy settings; avoid granting Full Disk Access lightly.
- Monitor for IOCs: Watch paths like /Library/Caches/.Logs.db, suspicious plists, browser extensions.
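The DEEPBREATH step and the "Lock Down TCC" tip both come down to one question: which clients on this Mac currently hold Full Disk Access, and did you grant each of them? The following is an added example, not code from the post or the report, showing how to review that from the TCC database. It assumes only a loose version of the real layout: an `access` table with `service`, `client`, `client_type` (0 = bundle identifier, 1 = absolute path) and `auth_value` (2 = allowed) columns, which is what the example creates in memory; the sample rows are constructed.

```python
"""Review Full Disk Access grants in a TCC-style database.

Added example, not from the post or the underlying report. The schema is a
simplified assumption of the real TCC.db `access` table; the rows are
constructed so the example runs offline.
"""
import sqlite3

FULL_DISK_ACCESS = "kTCCServiceSystemPolicyAllFiles"  # TCC service name for Full Disk Access
ALLOWED = 2                                         # assumed auth_value meaning "allowed"
PATH_CLIENT = 1                                     # assumed client_type for path-based clients


def build_sample_tcc_db():
    """Constructed in-memory TCC-like database with one suspicious grant."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)")
    rows = [
        (FULL_DISK_ACCESS, "com.example.backupagent", 0, ALLOWED),           # granted on purpose
        (FULL_DISK_ACCESS, "/Library/SystemSettings/.updater", PATH_CLIENT, ALLOWED),  # hidden binary
        (FULL_DISK_ACCESS, "com.example.ide", 0, 0),                         # denied: not a grant
        ("kTCCServiceCamera", "us.zoom.xos", 0, ALLOWED),                    # different service
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def full_disk_access_grants(conn):
    """Map every client currently allowed Full Disk Access to its client_type."""
    cur = conn.execute(
        "SELECT client, client_type FROM access WHERE service = ? AND auth_value = ?",
        (FULL_DISK_ACCESS, ALLOWED),
    )
    return {client: ctype for client, ctype in cur}


def unexpected_fda_clients(conn, allowlist):
    """Return (client, reason) for FDA holders you did not knowingly approve."""
    flagged = []
    for client, ctype in full_disk_access_grants(conn).items():
        if client in allowlist:
            continue
        reason = "not on allowlist"
        if ctype == PATH_CLIENT and any(part.startswith(".") for part in client.split("/")):
            reason += "; path-based client with hidden path component"
        flagged.append((client, reason))
    return sorted(flagged)


if __name__ == "__main__":
    db = build_sample_tcc_db()
    for client, reason in unexpected_fda_clients(db, {"com.example.backupagent"}):
        print(f"review: {client} ({reason})")
```

On a real host the system-wide database is /Library/Application Support/com.apple.TCC/TCC.db, and reading it itself requires Full Disk Access, so run the review from an already-trusted admin tool or against a copy taken during triage. Keep the allowlist short and written down; a grant you cannot account for is worth treating as a possible tampering of the kind the post describes.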
Final Thoughts
UNC1069’s AI deepfakes and new Mac malware arsenal mark a big leap. Crypto firms and devs must stay alert. As North Korean hackers evolve, so must defenses. Share this to spread awareness – stay safe in the blockchain world.
Key hashes and IOCs are available in the full reports for threat hunters.