Threat Intelligence, Malware

Novel tools leveraged in North Korean crypto-theft intrusions

Organizations in the cryptocurrency sector have had their Windows and macOS systems targeted by North Korean hacking operation UNC1069 in financially-motivated malware campaigns, according to BleepingComputer.

After leveraging a hacked cryptocurrency executive's Telegram account to establish rapport with targets, UNC1069 proceeded to share a Calendly link that redirected to a fake Zoom meeting page that displayed an AI-based deepfake of another cryptocurrency firm's CEO that sought to give an impression of ongoing audio issues, a report from Google's Mandiant researchers revealed. Such audio concerns were harnessed by the attacker to lure the target into executing Windows- and macOS-specific commands on a webpage that would trigger the compromise.

Running the command in macOS prompted AppleScript and illicit Mach-O binary deployment, which then facilitated the execution of the C++-based WAVESHAPER backdoor, the Golang-based HYPERCALL downloader, the Golang-based HIDDENCALL backdoor, the C/C++-based SILENCELIFT backdoor, and the Swift-based DEEPBREATH data miner, as well as the C++-based SUGARLOADER downloader, and C++-based CHROMEPUSH browser data miner. While SUGARLOADER and WAVESHAPER have been commonly detected on VirusTotal, SILENCELIFT, DEEPBREATH, and CHROMEPUSH were regarded as new inclusions to UNC1069's toolkit.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds