UNC1069 Hackers Attacking Finance Sector with New Tools and AI-Enabled Social Engineering

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

North Korean threat actors, tracked as UNC1069, have intensified their attacks on the cryptocurrency and finance sectors using a sophisticated blend of novel malware and artificial intelligence.

Active since at least 2018, this financially motivated group continues to evolve its tradecraft, shifting from standard phishing attempts to highly tailored intrusions targeting software developers and venture capital firms.

Their latest campaign demonstrates a significant expansion in capabilities, focusing on harvesting credentials, session tokens, and browser data to facilitate financial theft.

The attackers typically initiate contact through messaging platforms such as Telegram, posing as legitimate recruiters or executives to build rapport with potential victims.

After establishing trust, they steer targets toward a scheduled conference call using a spoofed meeting link.

To enhance the deception, they utilize AI-generated deepfake videos of company CEOs during these calls, creating a convincing ruse that disarms the victim and prepares them for the technical compromise.

Google Cloud analysts identified the malware families and the group’s transition to these AI-enabled lures after observing an unusually large volume of malicious tools deployed on victim hosts.

The researchers noted that UNC1069 now utilizes a diverse arsenal of seven distinct malware families, including custom backdoors and specialized browser extensions.

This aggressive tooling strategy indicates a determined effort to bypass security measures, secure persistent access, and extract as much sensitive information as possible from compromised systems before they are detected.

The impact of these intrusions is severe, as the attackers aim to drain cryptocurrency wallets and steal identity data to fuel future social engineering campaigns.

By deploying multiple layers of malicious software, they ensure that even if one tool is removed, others remain active to maintain control over the compromised host. This persistence allows them to monitor victim activity over extended periods.

The ClickFix Infection Mechanism

The primary method for initially breaching victim systems in this campaign involves a deceptive social engineering technique known as “ClickFix.”

During the fraudulent Zoom meeting, the attackers simulate a technical audio issue and urgently direct the user to a malicious website for troubleshooting.

This site presents specific “fix” commands that the victim is tricked into running on their device to supposedly resolve the glitch.

Attack chain (Source – Google Cloud)

The user is instructed to copy a terminal command from the site and run it themselves; the command covertly downloads and launches the initial malware payload.

Because the victim types the command into their own shell, no exploit is needed: the download and execution are user-initiated, so browser download warnings and the prompts that normally guard a downloaded executable never appear, and the resulting process looks like ordinary developer activity. Once this command is executed, it deploys a backdoor named WAVESHAPER or a downloader such as SUGARLOADER.

These programs immediately establish a connection with the attacker's command-and-control server, completing the infection chain and giving the operators a foothold from which to deploy further payloads such as CHROMEPUSH or DEEPBREATH that harvest credentials, session tokens, and browser data.
