A never-before-seen North Korean risk actor codenamed Moonstone Sleet has been attributed as behind cyber assaults focusing on people and organizations within the software program and data know-how, schooling, and protection industrial base sectors with ransomware and bespoke malware beforehand related to the notorious Lazarus Group.
“Moonstone Sleet is observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized versions of legitimate tools, create a malicious game, and deliver a new custom ransomware,” the Microsoft Risk Intelligence group stated in a brand new evaluation.
It additionally characterised the risk actor as utilizing a mixture of tried-and-true strategies utilized by different North Korean risk actors and distinctive assault methodologies to fulfill its strategic goals.
The adversary, hitherto tracked by Redmond below the rising cluster moniker Storm-1789, is assessed to be a state-aligned group that initially exhibited sturdy tactical overlaps with the Lazarus Group (aka Diamond Sleet), earlier than establishing its personal distinct identification by separate infrastructure and tradecraft.
The similarities with Lazarus embrace extensively reusing code from recognized malware equivalent to Comebacker, which was first noticed in January 2021 in reference to a marketing campaign focusing on safety researchers engaged on vulnerability analysis and improvement.
Comebacker was put to make use of by the Lazarus Group as not too long ago as this February, embedding it inside seemingly innocuous Python and npm packages to ascertain contact with a command-and-control (C2) server to retrieve extra payloads.
To help its numerous objectives, Moonstone Sleet can be recognized to pursue employment in software program improvement positions at a number of reputable corporations, doubtless in an try and generate illicit income for the sanctions-hit nation or acquire covert entry to organizations.
Assault chains noticed in August 2023 concerned the usage of a modified model of PuTTY – a tactic adopted by the Lazarus Group in late 2022 as a part of Operation Dream Job – through LinkedIn and Telegram in addition to developer freelancing platforms.
“Often, the actor sent targets a .ZIP archive containing two files: a trojanized version of putty.exe and url.txt, which contained an IP address and a password,” Microsoft stated. “If the provided IP and password were entered by the user into the PuTTY application, the application would decrypt an embedded payload, then load and execute it.”
The trojanized PuTTY executable is designed to drop a customized installer dubbed SplitLoader that initiates a sequence of intermediate levels with a purpose to finally launch a Trojan loader that is answerable for executing a transportable executable acquired from a C2 server.
Alternate assault sequences have entailed the usage of malicious npm packages which can be delivered by LinkedIn or freelancing web sites, typically masquerading as a faux firm to ship .ZIP recordsdata invoking a malicious npm package deal below the guise of a technical expertise evaluation.
These npm packages are configured to hook up with an actor-controlled IP tackle and drop payloads just like SplitLoader, or facilitate credential theft from the Home windows Native Safety Authority Subsystem Service (LSASS) course of.
It is price noting that the focusing on of npm builders utilizing counterfeit packages has been related to a marketing campaign beforehand documented by Palo Alto Networks Unit 42 below the identify Contagious Interview (aka DEV#POPPER). Microsoft is monitoring the exercise below the identify Storm-1877.
Rogue npm packages have additionally been a malware supply vector for an additional North Korea-linked group codenamed Jade Sleet (aka TraderTraitor and UNC4899), which has been implicated within the JumpCloud hack final yr.
Different assaults detected by Microsoft since February 2024 have utilized a malicious tank recreation known as DeTankWar (aka DeFiTankWar, DeTankZone, and TankWarsZone) that is distributed to targets through e mail or messaging platforms, whereas lending a layer of legitimacy by organising faux web sites and accounts on X (previously Twitter).
“Moonstone Sleet typically approaches its targets through messaging platforms or by email, presenting itself as a game developer seeking investment or developer support and either masquerading as a legitimate blockchain company or using fake companies,” Microsoft researchers stated.
“Moonstone Sleet used a fake company called C.C. Waterfall to contact targets. The email presented the game as a blockchain-related project and offered the target the opportunity to collaborate, with a link to download the game included in the body of the message.”
The purported recreation (“delfi-tank-unity.exe”) comes fitted with a malware loader known as YouieLoad, which is able to loading next-stage payloads in reminiscence and creating malicious providers for community and consumer discovery and browser knowledge assortment.
One other non-existent firm – full with a customized area, faux worker personas, and social media accounts – created by Moonstone Sleet for its social engineering campaigns is StarGlow Ventures, which masqueraded as a reputable software program improvement firm to achieve out to potential targets for collaboration on tasks associated to internet apps, cell apps, blockchain, and AI.
Whereas the top of this marketing campaign, which befell from January to April 2024, is unclear, the truth that the e-mail messages got here embedded with a monitoring pixel raises the likelihood that it could have been used as a part of a trust-building train and decide which of the recipients engaged with the emails for future income technology alternatives.
The most recent device within the adversary’s arsenal is a customized ransomware variant known as FakePenny that it has been discovered deployed in opposition to an unnamed protection know-how firm in April 2024 in alternate for a $6.6 million ransom in Bitcoin.
Using ransomware is one other tactic pulled straight out of Andariel’s (aka Onyx Sleet) playbook, a sub-group working inside the Lazarus umbrella recognized for ransomware households like H0lyGh0st and Maui.
Along with adopting obligatory safety measures to defend in opposition to assaults by the risk actor, Redmond is urging software program corporations to be looking out for provide chain assaults, given North Korean hacking teams’ propensity for poisoning the software program provide chain to conduct widespread malicious operations.
“Moonstone Sleet’s diverse set of tactics is notable not only because of their effectiveness, but because of how they have evolved from those of several other North Korean threat actors over many years of activity to meet North Korean cyber objectives,” the corporate stated.
The disclosure comes as South Korea accused its northern counterpart, notably the Lazarus Group, of stealing 1,014 gigabytes of knowledge and paperwork equivalent to names, resident registration numbers, and monetary information from a court docket community from January 7, 2021, to February 9, 2023, Korea JoongAng Each day reported earlier this month.
