2024-05-29

A North Korean threat actor has been discovered targeting organizations in the software and information technology, education and defense industry sectors with espionage and ransomware cyberattacks.

The group, which researchers call Moonstone Sleet in accordance with Microsoft's threat actor naming taxonomy, employs a diverse and effective range of techniques, some of which are unique to it and others previously used by North Korean threat groups. Over the past nine months, the group has delivered a new family of custom ransomware that researchers have named FakePenny, as well as malware capable of loading additional payloads, stealing credentials and more.

Moonstone Sleet runs a broad set of operations supporting its financial and cyberespionage objectives, according to an analysis published Tuesday by Microsoft's threat intelligence team. These range from deploying custom ransomware to creating a malicious game, setting up fake companies and using IT professionals.

Researchers have observed the group's activity since last year, when attackers distributed trojanized versions of the open source terminal emulator PuTTY in August 2023. The malicious versions were delivered through social media applications such as LinkedIn and Telegram, or through freelance developer platforms, the researchers said, and infected victims with custom malware loaders. Other initial access vectors used by the threat group include malicious NPM packages, also distributed through platforms such as LinkedIn or unrelated sites, which were used to infect victims with loaders that download additional payloads or enable the theft of credentials from the Windows Local Security Authority Subsystem Service (LSASS) process.

In February 2024, the threat group was observed targeting devices by posing as a game developer or a fake company, named CC Waterfall, contacting targets and convincing them to download a malicious game it had developed, called DeTankWar. Upon launch, the malicious game downloaded a custom malware loader (tracked as YouieLoad) that enabled network and user discovery, browser data collection, and credential theft. Campaigns of this kind show how much time and effort the group invests in building fake personas to deceive its targets, and they are indicative of Moonstone Sleet's broader practice of creating fake companies that pose as software development or IT services firms, in particular those dealing with blockchain and AI, in order to lend legitimacy to its attacks.

In this campaign, Moonstone Sleet typically approaches its targets via messaging platforms or email, posing as a game developer seeking investment or developer support, and either masquerading as a legitimate blockchain company or operating through fake companies, according to the threat analysis. To reinforce the game's superficial legitimacy, Moonstone Sleet has also run a substantial public campaign that includes the websites detankwar[.]com and defitankzone[.]com, and numerous X (formerly Twitter) accounts both for the personas it uses to approach targets and for the game itself.

Researchers observed the group in April 2024 deploying the FakePenny ransomware family against a defense technology company that it had compromised two months earlier in an attack that initially stole credentials and intellectual property. In this attack, the group demanded a ransom of $6.6 million in Bitcoin, which researchers said was far higher than the ransoms demanded in previous ransomware attacks linked to North Korean actors, such as those related to WannaCry 2.0.

Microsoft believes Moonstone Sleet's goal in deploying the ransomware is financial gain, suggesting the actor conducts cyber operations for both intelligence collection and revenue generation, the researchers said. Notably, the ransom note dropped by FakePenny closely overlaps with the note used by Seashell Blizzard in its NotPetya malware.

The group has found success by leveraging proven capabilities used by other North Korean actors. For example, the group's initial campaigns relied heavily on methods previously used by the North Korean group Zinc (also known as Diamond Sleet), such as the use of social media to spread trojanized software and the reuse of Zinc's Comebacker malware code. Using malicious NPM packages to target software developers is another tactic used by North Korean actors such as Storm-1877 and TraderTraitor. Microsoft researchers also said the new group has emerged at an important time for North Korea, which has made several changes to its foreign relations strategy. Last year, for example, North Korea closed several embassies around the world.

Although new, Moonstone Sleet has demonstrated that it will continue to mature, develop and evolve, and has positioned itself as a leading threat actor carrying out sophisticated attacks on behalf of the North Korean regime, the researchers said.