“Hello? I can’t hear you”: Investigating UNC1069’s Fake Meeting Tactics

The UNC1069 campaign lures cryptocurrency and Web3 professionals into highly convincing fake meetings that capture audio/video and persuade victims to execute OS-specific downloaders, which then deploy updated variants of Cabbage RAT and other RATs. The operation uses lookalike meeting domains, Calendly scheduling links, and social engineering lures (ClickFix prompts, fake SDK/driver updates) to deliver payloads and stream or record media for later reuse. #UNC1069 #CabbageRAT

Key points

  • UNC1069 (North Korean actor) targets crypto and Web3 professionals using fabricated venture-capital personas and out-of-band contact via LinkedIn and Telegram.
  • Victims are invited to attacker-controlled fake meeting platforms impersonating Zoom, Google Meet, or Microsoft Teams and are pressured with audio/video “fix” prompts to run commands.
  • Browser-based JavaScript captures microphone and camera via navigator.mediaDevices.getUserMedia and streams/records media over WebRTC/WebSocket to attacker servers for immediate use or later social engineering.
  • Initial lures deliver OS-specific downloaders (PowerShell/VBS on Windows, Mach-O/Perl on macOS, ELF on Linux) that fetch and execute secondary RAT payloads, notably updated Cabbage/CageyChameleon variants and NukeSped.
  • Windows VBS variants implement persistence via a .lnk in the Startup folder and added capabilities such as Chrome extension enumeration to locate crypto wallet extensions.
  • Extensive attacker infrastructure includes numerous lookalike meeting domains and shared hosting IPs (e.g., 45.61.157[.]248), discovered via DNS pivots and regex-based lookalike searches.
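
The infrastructure-discovery step in the last key point (regex-based lookalike searches plus DNS pivots on a shared hosting IP) as an added defender-side hunting example; this is illustrative code written for this summary, not Validin's tooling. The passive-DNS records, the allowlist of genuine meeting domains and the tiny Public Suffix List stand-in are constructed assumptions; only 45.61.157[.]248 and the lookalike naming style come from the report.

```python
import re

# Constructed sample (not from the report): passive-DNS style records mixing real meeting
# hosts with lookalikes; 45.61.157[.]248 is the IP named above, the rest are placeholders.
SAMPLE_RECORDS = [
    ("zoom.us", "203.0.113.10"),
    ("meet.google.com", "203.0.113.20"),
    ("teams.microsoft.com", "203.0.113.30"),
    ("zoom.05ukweb[.]uk", "45.61.157[.]248"),
    ("web05meet[.]us", "45.61.157[.]248"),
    ("zoom.web05meet[.]us", "45.61.157[.]248"),
    ("meet.googleapps[.]eu[.]org", "198.51.100.7"),
    ("example.com", "198.51.100.9"),
]

# Assumptions: the real registrable domains of the impersonated services, and a tiny
# stand-in for the Public Suffix List holding only the multi-label suffixes seen here.
LEGIT_MEETING_DOMAINS = {"zoom.us", "google.com", "microsoft.com"}
MULTI_LABEL_SUFFIXES = {"eu.org", "co.uk"}
BRAND_RE = re.compile(r"zoom|meet|teams|google|microsoft")

def refang(value):
    """Turn the defanged '[.]' notation used in IoC lists back into a real name or IP."""
    return value.replace("[.]", ".").strip().lower().rstrip(".")

def registrable_domain(host):
    """Last two labels, or three when the host sits under a known multi-label suffix."""
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def find_lookalikes(hosts):
    """Flag hosts that carry a meeting-service brand string but are not registered under
    that service's real domain. Returns (host, registrable_domain, brands) tuples."""
    hits = []
    for raw in hosts:
        host = refang(raw)
        apex = registrable_domain(host)
        if apex in LEGIT_MEETING_DOMAINS:
            continue  # the genuine service, whatever the subdomain
        brands = sorted(set(BRAND_RE.findall(host)))
        if brands:
            hits.append((host, apex, brands))
    return hits

def pivot_on_ip(records, seed_ip):
    """DNS pivot: every host in the records that resolves to the same IP as a known indicator."""
    seed = refang(seed_ip)
    return sorted(refang(h) for h, ip in records if refang(ip) == seed)
```

Running `find_lookalikes` over the hosts and `pivot_on_ip` with the known IP surfaces the four lookalikes and the three names sharing its hosting; in practice the allowlist and suffix table would be replaced by a brand list and the real Public Suffix List.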

MITRE Techniques

  • [T1566] Phishing – Use of out-of-band contacts and scheduled links to lure targets into fake meetings (‘They build rapport with targets and share scheduling links (e.g., via Calendly) to arrange meetings.’)
  • [T1059.001] PowerShell – Delivery and execution of PowerShell downloaders on Windows to retrieve and run VBS payloads (‘they are then prompted to paste and execute a set of commands that retrieve and run two distinct PowerShell scripts.’)
  • [T1059.005] Visual Basic – Execution of VBS-based RAT stages and in-memory execution of secondary VBS payloads (‘The retrieved VBS payload appears to be an updated variant of CageyChameleon (Cabbage RAT)’)
  • [T1059.004] Unix Shell – Instructing macOS and Linux victims to run terminal commands that fetch and execute Mach-O/Perl or ELF binaries (‘victims are instructed to press Cmd (⌘) + Space, search for Terminal, and execute a series of commands.’ / ‘victims are instructed to press Ctrl + Alt + T… paste and execute … fetching and running an ELF downloader.’)
  • [T1105] Ingress Tool Transfer – Downloading ZIP-compressed payloads, binaries, and secondary stages from attacker-controlled servers (‘download ZIP-compressed payloads and perform beaconing via curl’ / ‘downloads a ZIP archive … disguised as a Zoom application.’)
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 and media communications over HTTP(S) POST and WebSocket/WebRTC channels (‘transmits them in real time using WebRTC-based streaming… via a WebSocket signaling channel’)
  • [T1041] Exfiltration Over C2 Channel – Exfiltration of host telemetry and captured media to attacker-controlled servers (‘The RAT communicates with its command-and-control (C2) server to: Exfiltrate collected host data’)
  • [T1547.001] Startup Folder – Persistence via creation of a .lnk shortcut in the Windows Startup folder to re-execute the VBS payload on logon (‘the malware creates a shortcut (.lnk) file in the Windows Startup folder, ensuring execution upon user logon.’)
  • [T1036] Masquerading – Use of lookalike meeting domains and impersonation of legitimate meeting services to appear authentic (‘fake meeting platforms hosted on attacker-controlled infrastructure, designed to closely mimic legitimate services like Google Meet, Zoom, and Microsoft Teams.’)
  • [T1057] Process Discovery – Enumeration of running processes by the RAT (‘The RAT communicates with its command-and-control (C2) server to: Enumerate running processes (getProc)’)
  • [T1123] Audio Capture – Browser-initiated microphone access and capture via navigator.mediaDevices.getUserMedia (‘The script initiates media capture through the browser’s “navigator.mediaDevices.getUserMedia” API, explicitly requesting access to both the microphone and camera.’)
  • [T1125] Video Capture – Browser-based camera capture and local recording via the MediaRecorder API for reuse in later social engineering (‘the script also implements local recording capabilities through the MediaRecorder API, potentially allowing the actors to store audio and video data for later use’)

Indicators of Compromise

  • [File Hashes] Malware and downloader samples – 8445652beedba94a586e23bfc6af49d98d76845d178314212058258e68e515001, 5cdec83048aba45a5a635f470c602c0f29fadeef5d3d5e7dc88291b1588b8dcc, and 10 more hashes
  • [Domains] Attacker-controlled fake meeting and VC domains – zoom.05ukweb[.]uk, web05meet[.]us, and 40+ other domains (e.g., zoom.web05meet[.]us, meet.googleapps[.]eu[.]org)
  • [IP Addresses] Infrastructure hosting C2 and payloads – 45.61.157[.]248 (embedded in a Perl downloader), 104.168.143[.]111, and 5 more IPs


Read more: https://www.validin.com/blog/i_cant_hear_you_unc1069/