Crypto Alert: UNC1069 Deploys AI Deepfakes and New Mac Malware in Bold Crypto Attacks

Introduction: A New Wave of Crypto Threats

Cryptocurrency and DeFi sectors are under fire. North Korean-linked hackers known as are stepping up their game. They now use AI deepfakes, fake Zoom calls, and fresh malware tools to steal funds. This group has targeted crypto firms since 2018. Their latest tricks show how they mix social engineering with advanced tech to hit hard.

In a recent case, tricked a FinTech worker. They stole credentials, browser data, and session tokens. This led to big risks for crypto theft. Seven unique malware families were found on one Mac device. New tools like SILENCELIFT, DEEPBREATH, and CHROMEPUSH were key. Let’s break it down step by step.

How the Attack Started: Social Engineering with AI

The hack began on Telegram. Hackers took over an executive’s account from a crypto company. They messaged the victim, built trust, then sent a Calendly link for a meeting. It led to a fake Zoom page on hacker servers: zoom[.]uswe05[.]us.

During the “call,” a deepfake video of a CEO appeared. The victim thought it was real. Hackers claimed audio issues and pushed a ClickFix trick. They gave commands to “fix” the problem. Hidden in those was malware code.

• Mac commands: Used AppleScript to start infection.
• Windows commands: Ready for other systems.

This is not new for . They target crypto startups, developers, and VC firms. AI helps make fake videos and images. Reports show they use tools like Gemini for research and lures.

The Infection Chain: From Click to Full Control

Victim ran the commands on a Mac. AppleScript dropped first. Then came WAVESHAPER, a packed backdoor. It fetched more tools like HYPERCALL downloader.

HYPERCALL, in Go language, grabbed dynamic libraries from C2 servers. It used RC4 encryption and reflective loading to hide. It deployed:

1. HIDDENCALL: For remote keyboard access.
2. SUGARLOADER: Known downloader with persistence.
3. SILENCELIFT: Beacons system info.

Even without EDR tools, Mac’s XProtect logged violations. Timestamps showed the full chain.

Key Malware Tools: Data Thieves Exposed

DEEPBREATH: Bypasses Mac Privacy

Swift-based data miner. It tweaks the TCC database for full file access. Uses Finder’s permissions to rename and edit TCC.db. Steals:

• Keychain credentials.
• Chrome, Brave, Edge data.
• Telegram and Apple Notes.

Data zipped and sent via curl.

CHROMEPUSH: Browser Extension Spy

C++ data miner. Installs fake Google Docs extension in Chrome and Brave. Acts as native messaging host. Logs keys, grabs cookies, takes screenshots. Sends to cmailer[.]pro.

Persists via launch daemon in /Library/LaunchDaemons.

SUGARLOADER and Others

Old favorite from . Downloads next stages from RC4 configs. Here, it dropped CHROMEPUSH.

WAVESHAPER: C++ backdoor, forks daemon, grabs system info.

HYPERCALL & HIDDENCALL: Linked by code shares, AOT files prove ties.

SILENCELIFT: Simple beacon, messes with Telegram if root.

: Evolving North Korean Threat

Active since 2018, shifted to Web3 in 2023. From TradFi phishing to crypto devs, exchanges, wallets. Smaller hauls than peers, but persistent. Targets payments, staking, brokerage.

They use AI across ops: lures, tooling, recon. Overlaps with Bluenoroff using GPT-4o for images.

This attack hit one device hard. Goal: Steal crypto now, use data for more phishing later.

Why Crypto is Prime Target

High rewards. Crypto firms hold big funds. Individuals have wallets. Hackers pivot from personal to corporate devices. New tools show pro skills but some sloppy code hints at varied devs.

How to Protect Your Crypto Setup

1. Verify Contacts: Check Telegram owners. Warn if hijacked.
2. Spot Fake Meetings: Hover links, check domains.
3. Avoid ClickFix: Never run unknown commands.
4. Enable Security: Use EDR, XProtect updates. Watch TCC changes.
5. AI Awareness: Question videos in calls.
6. Browser Safety: Block shady extensions. Use hardware wallets.
7. Monitor Logs: Check XPdb for behaviors.

Tools like Google SecOps catch these: TCC tweaks, Chrome mods, keychain hits.

Conclusion: Stay Vigilant in Crypto Wars

‘s and raise the bar. Crypto users must adapt. Blend security tools with smart habits. Watch IOCs like C2 domains: support-zoom[.]us, cmailer[.]pro. Hashes in threat feeds help hunt.

The blockchain world grows fast. So do threats. Protect your assets today.

Discuss this news on our Telegram Community. Subscribe to us on Google news and do follow us on Twitter @Blockmanity

Disclaimer: Blockmanity is a news portal and does not provide any financial advice. Blockmanity's role is to inform the cryptocurrency and blockchain community about what's going on in this space. Please do your own due diligence before making any investment. Blockmanity won't be responsible for any loss of funds.