A North Korean threat actor has been discovered targeting organizations in the software and information technology, education and defense industrial base sectors with both espionage and ransomware cyberattacks.
The group, which researchers called Moonstone Sleet in accordance with Microsoft’s threat actor naming taxonomy, uses a diverse and effective range of techniques, including some that are unique and others that have been previously leveraged by North Korean threat groups. Over the past nine months, the group has delivered a new, custom ransomware family that researchers called FakePenny, as well as malware with the capabilities of loading additional payloads, stealing credentials and more.
“Moonstone Sleet has an expansive set of operations supporting its financial and cyberespionage objectives,” according to Microsoft’s threat intelligence team in a Tuesday analysis. “These range from deploying custom ransomware to creating a malicious game, setting up fake companies, and using IT workers.”
Researchers have observed the threat group’s activities going back to last year, when attackers leveraged trojanized versions of the open-source terminal emulator PuTTY in August 2023. The malicious versions were delivered via social media apps like LinkedIn and Telegram, or via developer freelancing programs, said researchers, and they infected victims with custom malware loaders. Other initial access vectors used by the threat group include malicious npm packages, also spread through platforms like LinkedIn or freelancing sites, which were used to infect victims with loaders that downloaded additional payloads or enabled credential theft from the Windows Local Security Authority Subsystem Service (LSASS) process.
The threat group in February 2024 was observed targeting devices by purporting to be a game developer or a fake company, named C.C. Waterfall, contacting targets and convincing them to download a malicious game that it had developed, called DeTankWar. When launched, the malicious game downloaded a custom malware loader (tracked as YouieLoad) that enabled network and user discovery, browser data collection and credential theft. These types of campaigns show how the threat group put time and resources into creating fake personas to trick its targets, in a move that is indicative of broader efforts by Moonstone Sleet to create fake companies that impersonate software development or IT services, especially those related to blockchain and AI, in order to add legitimacy to its attacks.
“Despite being new, Moonstone Sleet has demonstrated that it will continue to mature, develop, and evolve, and has positioned itself to be a preeminent threat actor conducting sophisticated attacks on behalf of the North Korean regime."
“In this campaign, Moonstone Sleet typically approaches its targets through messaging platforms or by email, presenting itself as a game developer seeking investment or developer support and either masquerading as a legitimate blockchain company or using fake companies,” according to the threat analysis. “To bolster the game’s superficial legitimacy, Moonstone Sleet has also created a robust public campaign that includes the websites detankwar[.]com and defitankzone[.]com, and many X (Twitter) accounts for the personas it uses to approach targets and for the game itself.”
Researchers discovered the group in April 2024 delivering the FakePenny ransomware family against a defense technology company, which it had previously compromised two months prior in an attack that initially stole credentials and IP. In that specific attack, the group asked for a $6.6 million ransom payment in bitcoin, which researchers noted was much higher than ransom payments of previous ransomware attacks linked back to North Korean actors, such as those linked to WannaCry 2.0.
“Microsoft assesses that Moonstone Sleet’s objective in deploying the ransomware is financial gain, suggesting the actor conducts cyber operations for both intelligence collection and revenue generation,” said researchers. “Of note, the ransomware note dropped by FakePenny closely overlaps with the note used by Seashell Blizzard in its malware NotPetya.”
The group has found success leveraging tried-and-true capabilities used by other North Korean actors. For instance, the group’s initial campaigns heavily relied on methods previously used by North Korean group Zinc (also known as Diamond Sleet), such as the use of social media to deliver trojanized software, and the reuse of code from Zinc’s Comebacker malware. The use of malicious npm packages to target software developers is another tactic that has been used by North Korean actors such as Storm-1877 and TraderTraitor. Microsoft researchers also said that the new group comes at a notable time for North Korea, as it has made several changes in its foreign relations strategy. Last year, North Korea closed several embassies across the world, for instance.
“Despite being new, Moonstone Sleet has demonstrated that it will continue to mature, develop, and evolve, and has positioned itself to be a preeminent threat actor conducting sophisticated attacks on behalf of the North Korean regime,” said researchers.