Microsoft Warns of North Korea's 'Moonstone Sleet'
Pyongyang Threat Actor Is After Money and Information

A North Korean hacking group wants to make money for the cash-starved Pyongyang regime and conduct bread-and-butter cyberespionage, say Microsoft researchers in a profile of a group they track as "Moonstone Sleet."
The hacking group, previously tracked by Redmond as Storm-1789, has pursued software development employment - a problem Western companies have grappled with alongside the rise of remote work and staffing agency employment. U.S. federal prosecutors unsealed indictments earlier this month against two individuals for allegedly acting as intermediaries between North Korean nationals and American companies (see: US FBI Busts North Korean IT Worker Employment Scams).
Moonstone Sleet hackers have deployed a new custom ransomware variant that Microsoft dubs "FakePenny." The group is hardly the first Hermit Kingdom hacking group to maliciously encrypt files and extort payment, but its rates appear higher than previous examples. In one case, the hackers demanded $6.6 million in bitcoin, Microsoft said.
North Korea has a well-established history of hacking for profit. The United Nations reportedly suspects the country of launching 58 cyberattacks between 2017 and 2023 to steal approximately $3 billion to further weapons of mass destruction development.
Moonstone Sleet's arsenal of tactics, techniques and procedures shows significant overlap with those of other North Korean threat actors. Initially, the actor displayed similarities with Diamond Sleet, also known as the Lazarus Group, by reusing code and techniques to gain access to organizations.
Moonstone Sleet has since developed its own infrastructure and attacks, establishing itself as a distinct, well-resourced threat actor.
In early August, Moonstone Sleet began delivering a Trojanized version of PuTTY via platforms such as LinkedIn and Telegram. The actor sent targets a .zip archive containing a Trojanized version of putty.exe and a URL with an IP address and password. When users entered these details, the application decrypted and executed an embedded payload, initiating a multistage malware execution process.
Moonstone Sleet also targeted potential victims through malicious npm packages delivered via freelancing websites or platforms such as LinkedIn. In one instance, the actor used a fake company to send .zip files containing a malicious npm package disguised as a technical skills assessment. This package connected to an actor-controlled IP and dropped additional malicious payloads such as SplitLoader.
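The "skills assessment" lure works because a candidate runs `npm install` on a package they have not read. The following triage script is an added example, not code from Microsoft or from the article: it scans an unpacked npm package for the two traits a defender would want to see before running it, namely lifecycle install hooks (a general npm mechanism; the article does not say which hook, if any, the actor used) and hard-coded IP literals or network/exec APIs in the package's JavaScript. The sample packages it builds are constructed for the demo, and `192.0.2.10` is a documentation-range address standing in for the article's "actor-controlled IP".

```python
import json
import os
import re
import tempfile

# Lifecycle hooks npm runs automatically during `npm install`. A package that
# abuses them executes before anyone reads its source. This list is standard
# npm behaviour, not something the article attributes to Moonstone Sleet.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
URL_RE = re.compile(r"https?://[^\s'\"`)]+")
# Node modules that give a package network or process-spawning capability.
NET_API_RE = re.compile(
    r"\brequire\(['\"](?:http|https|net|dgram|child_process)['\"]\)|\bfetch\(")


def scan_package(pkg_dir):
    """Return a list of (kind, relative_path, detail) findings for one package."""
    findings = []
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in INSTALL_HOOKS:
            findings.append(("install_hook", "package.json", f"{hook}: {cmd}"))
    for root, _dirs, files in os.walk(pkg_dir):
        if "node_modules" in root.split(os.sep):
            continue  # only the package's own code is in scope
        for name in files:
            if not name.endswith((".js", ".cjs", ".mjs", ".json")):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, pkg_dir)
            with open(path, encoding="utf-8", errors="replace") as f:
                text = f.read()
            for ip in IPV4_RE.findall(text):
                findings.append(("ip_literal", rel, ip))
            for url in URL_RE.findall(text):
                findings.append(("url", rel, url))
            if NET_API_RE.search(text):
                findings.append(("network_or_exec_api", rel, NET_API_RE.search(text).group(0)))
    return findings


def is_suspicious(findings):
    """Verdict: code that runs at install time AND reaches out or spawns processes.
    URLs alone are not counted, since legitimate manifests carry repository URLs."""
    kinds = {kind for kind, _path, _detail in findings}
    return "install_hook" in kinds and bool(kinds & {"ip_literal", "network_or_exec_api"})


def build_sample_package(malicious=True):
    """Write a small constructed package to a temp dir and return its path.
    Contents are invented for this demo; they are not Moonstone Sleet's package."""
    pkg_dir = tempfile.mkdtemp(prefix="skills-assessment-")
    if malicious:
        manifest = {"name": "skills-assessment", "version": "1.0.0",
                    "scripts": {"postinstall": "node setup.js"}}
        # 192.0.2.10 is a TEST-NET documentation address, used as a stand-in.
        setup_js = ("const net = require('net');\n"
                    "const s = net.connect(8080, '192.0.2.10');\n")
        with open(os.path.join(pkg_dir, "setup.js"), "w", encoding="utf-8") as f:
            f.write(setup_js)
    else:
        manifest = {"name": "skills-assessment", "version": "1.0.0",
                    "scripts": {"test": "node test.js"}}
    with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f)
    with open(os.path.join(pkg_dir, "index.js"), "w", encoding="utf-8") as f:
        f.write("module.exports = (a, b) => a + b;\n")
    return pkg_dir


if __name__ == "__main__":
    for flag in (True, False):
        pkg = build_sample_package(malicious=flag)
        found = scan_package(pkg)
        print(f"{pkg}: suspicious={is_suspicious(found)}")
        for kind, rel, detail in found:
            print(f"  {kind:20} {rel:15} {detail}")
```

Run it against an unpacked package directory with `scan_package("/path/to/package")` before `npm install`; the verdict deliberately requires both an install hook and a network or process-spawning indicator, because either trait on its own is common in legitimate packages (build steps in `postinstall`, HTTP clients in application code).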
Moonstone Sleet has infected devices using a malicious tank game called DeTankWar. The actor approached targets through messaging platforms or email, posing as a game developer seeking investment or developer support. The game, once launched, loaded additional malicious DLLs, executing custom malware loader YouieLoad, which facilitated network and user discovery and browser data collection.
The threat actor has targeted sectors including software and information technology, education and the defense industrial base. The group compromised a defense technology company and a drone technology company, using stolen credentials and intellectual property to further its objectives.
The operators behind Moonstone Sleet created several fake companies posing as software development and IT services firms, particularly in blockchain and AI.
The group used these fake companies, such as StarGlow Ventures and C.C.Waterfall, to contact potential targets through email campaigns and social media.
From January to April, North Korean hackers used StarGlow Ventures to pose as a legitimate software development company, targeting organizations in the education and software development sectors.
The actor used a custom domain, fake employee personae and social media accounts to add legitimacy.
In a similar campaign, Moonstone Sleet used C.C.Waterfall, a supposed IT consulting organization, to email higher education organizations, claiming to be hiring new developers or seeking business collaboration opportunities. It also used C.C.Waterfall branding to distribute DeTankWar.