
"The North Korea-linked threat actor known as UNC1069 has been observed targeting the cryptocurrency sector to steal sensitive data from Windows and macOS systems with the ultimate goal of facilitating financial theft. "The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim," Google Mandiant researchers Ross Inman and Adrian Hernandez said."
"UNC1069, assessed to be active since at least April 2018, has a history of conducting social engineering campaigns for financial gain using fake meeting invites and posing as investors from reputable companies on Telegram. It's also tracked by the broader cybersecurity community under the monikers CryptoCore and MASAN. In a report published last November, Google Threat Intelligence Group (GTIG) pointed out the threat actor's use of generative artificial intelligence (AI) tools like Gemini to produce lure material and other messaging related to cryptocurrency as part of efforts to support its social engineering campaigns."
UNC1069 targets the cryptocurrency sector to steal sensitive data from Windows and macOS systems with the ultimate goal of financial theft. The intrusion described by Mandiant relied on social engineering: a compromised Telegram account, a fake Zoom meeting, the ClickFix infection vector, and reported use of AI-generated (deepfake) video to deceive the victim. Active since at least April 2018, the group uses fake meeting invites and poses as investors from reputable companies on Telegram; it is also tracked as CryptoCore and MASAN. The actor has used generative AI tools such as Gemini to produce lure material and cryptocurrency-related messaging, and to attempt to develop code for cryptocurrency theft. Its campaigns have shifted toward Web3 entities, including exchanges, developers, high-tech firms, and venture capital personnel, and have deployed multiple malware families, including a BIGMACHO backdoor disguised as a Zoom SDK.
Read at The Hacker News