EXECUTIVE SUMMARY
A threat actor, identified as UNC1069, has been carrying out a financially motivated campaign targeting cryptocurrency and Web3 professionals. The group, which overlaps with the Bluenoroff cluster, uses high-fidelity social engineering tactics to bypass traditional defenses and drain digital assets. The attack chain begins on professional platforms like LinkedIn and Telegram, where threat actors operate under fraudulent venture capital personas, often leveraging previously compromised accounts to reach out with tailored partnership proposals.
The attackers build rapport with the target and then propose a meeting, sharing a scheduling link such as Calendly. The link does not lead to a standard conference call but to attacker-controlled infrastructure built to mimic legitimate services such as Google Meet, Zoom, or Microsoft Teams. These fake meeting environments are highly convincing and may even include live participation by the attackers. During the fraudulent meeting, victims are led to believe their hardware is malfunctioning, and when they attempt to enable their camera or microphone they are presented with a ClickFix-style prompt.
The malware variants deployed, such as Cabbage RAT and NukeSped, have direct ties to North Korea's state-sponsored Lazarus Group. Researchers consider these operations critical for the regime, stating they are "believed to support the North Korean regime's missile, nuclear, and espionage programs." Because the attackers rely heavily on social engineering to deliver their malicious payloads, organizations should pair robust baseline controls (patching, monitoring, backups, and endpoint protection) with employee education on the social engineering tactics UNC1069 employs, and remain vigilant and proactive in the face of such sophisticated threats.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1204.001 | User Execution | Malicious Link |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1036.005 | Masquerading | Match Legitimate Name or Location |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Collection | T1123 | Audio Capture | — |
| Collection | T1125 | Video Capture | — |
| Collection | T1119 | Automated Collection | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
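As an added example (not code from the report or from either referenced vendor), the following Python triage function flags Windows Run-key autostart entries that combine the techniques mapped above: a script host launching JavaScript at logon (T1059.007 via T1547.001) from a user-writable path under a product-like value name (T1036.005). Every path and value name in it is constructed sample data, and the heuristics are assumptions for illustration rather than detection content from the report.

```python
from __future__ import annotations
import re
from typing import Iterable

# Script hosts that would execute the JavaScript stage mapped to T1059.007.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
# Locations a standard user can write to; a legitimate product's autostart
# target normally sits under Program Files or Windows instead.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|documents)\\|\\programdata\\|\\temp\\", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|wsf|hta)\b", re.I)
# Product names a value might borrow to blend in (T1036.005); the report names
# Google Meet, Zoom and Teams as the impersonated services. Assumed heuristic.
LOOKALIKE_NAME = re.compile(r"google|meet|zoom|teams|update", re.I)


def assess_run_entry(name: str, command: str) -> list[str]:
    """Return the reasons a Run-key entry looks suspicious (empty list = nothing flagged)."""
    reasons: list[str] = []
    cmd = command.lower()
    in_user_path = USER_WRITABLE.search(cmd) is not None
    if any(host in cmd for host in SCRIPT_HOSTS) and SCRIPT_EXT.search(cmd):
        reasons.append("script host runs a script file at logon (T1059.007 via T1547.001)")
    if in_user_path:
        reasons.append("autostart target is in a user-writable directory (T1547.001)")
    if in_user_path and LOOKALIKE_NAME.search(name):
        reasons.append("value name imitates a known product but target is user-writable (T1036.005)")
    return reasons


def triage(entries: Iterable[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each flagged value name to its reasons; entries with no findings are omitted."""
    return {name: hits for name, cmd in entries if (hits := assess_run_entry(name, cmd))}


# Constructed sample of HKCU\...\Run values as (name, command); not from the report.
SAMPLE_ENTRIES = [
    ("OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("GoogleMeetUpdate", r"wscript.exe //B C:\Users\alice\AppData\Roaming\meet\update.js"),
]

if __name__ == "__main__":
    for value, hits in triage(SAMPLE_ENTRIES).items():
        print(value)
        for hit in hits:
            print("  -", hit)
```

Only the constructed GoogleMeetUpdate entry is flagged; the two entries pointing into Program Files and System32 produce no findings.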
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/unc1069-fake-video-meeting-crypto-theft-north-korea/
https://www.validin.com/blog/i_cant_hear_you_unc1069/