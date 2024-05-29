



Microsoft has named another state-aligned threat actor: Moonstone Sleet (formerly Storm-1789), which conducts cyberespionage and ransomware attacks to advance the goals of the North Korean regime.

“Moonstone Sleet uses tactics, techniques, and procedures (TTPs) also used by other North Korean threat actors in recent years, highlighting the overlap between these groups,” Microsoft threat analysts say. “When Microsoft first detected Moonstone Sleet activity, the actor demonstrated strong overlaps with Diamond Sleet, largely reusing code from Diamond Sleet malware known as Comebacker and using well-established Diamond Sleet techniques to gain access to organizations, such as using social media to deliver trojanized software. However, Moonstone Sleet quickly moved to its own infrastructure and attacks.”

Moonstone Sleet TTPs

Moonstone Sleet attackers have been observed:

Delivering a trojanized version of PuTTY via LinkedIn, Telegram, and independent developer platforms in order to drop custom malware loaders on victims

Using malicious NPM packages to deliver malicious payloads (including information stealers)

Delivering a custom ransomware variant (FakePenny) to a previously compromised company and demanding $6.6 million in BTC to decrypt the files

The group also “created” fake software development and IT consulting companies, complete with legitimate-looking websites, fake employee profiles, and fake social media accounts, and used them to reach potential targets and solicit work or cooperation. Tracking pixels and a fake unsubscribe page let the attackers confirm which targets were interacting with their emails.

“Moonstone Sleet used a fake company called CC Waterfall to contact targets. The email presented the game as a blockchain-related project and offered the target the opportunity to collaborate, with a link to download the [DeTankWar] game included in the body of the message,” Microsoft noted.

Moonstone Sleet emails a link to the game DeTankWar (Source: Microsoft Threat Intelligence)

The linked game executable came with malicious DLLs that bring in a custom malware loader (YouieLoad). YouieLoad loads malicious payloads into memory and creates malicious services that perform network and user discovery and collect browser data.

Finally, the group has also tried to get hired as software developers at several legitimate companies.

“This activity may be consistent with previous reports from the United States Department of Justice that North Korea was using highly skilled remote IT workers to generate revenue. On the other hand, this Moonstone Sleet activity could also be another approach to access organizations,” the analysts pointed out. Access obtained this way could be used to mount attacks on the software supply chain.

Advice to potential targets

So far, the group has been spotted targeting a drone technology manufacturer, an aircraft parts manufacturer, a defense technology company, and organizations in the software/IT and education sectors.
Microsoft has shared recommendations, indicators of compromise, and hunting queries that organizations can use to mitigate the threat of a Moonstone Sleet attack or spot evidence of a successful one.



