A never-before-seen North Korean threat actor codenamed Moonstone Sleet has been attributed as behind cyber attacks targeting individuals and organizations in the software and information technology, education, and defense industrial base sectors with ransomware and bespoke malware previously associated with the infamous Lazarus Group.
“Moonstone Sleet is observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized versions of legitimate tools, create a malicious game, and deliver a new custom ransomware,” the Microsoft Threat Intelligence team said in a new analysis.
It also characterized the threat actor as using a combination of tried-and-true techniques used by other North Korean threat actors and unique attack methodologies to meet its strategic objectives.
The adversary, hitherto tracked by Redmond under the emerging cluster moniker Storm-1789, is assessed to be a state-aligned group that originally exhibited strong tactical overlaps with the Lazarus Group (aka Diamond Sleet), before establishing its own distinct identity through separate infrastructure and tradecraft.
The similarities with Lazarus include extensively reusing code from known malware such as Comebacker, which was first observed in January 2021 in connection with a campaign targeting security researchers working on vulnerability research and development.
Comebacker was put to use by the Lazarus Group as recently as this February, embedding it within seemingly innocuous Python and npm packages to establish contact with a command-and-control (C2) server to retrieve additional payloads.
To support its diverse goals, Moonstone Sleet is also known to pursue employment in software development positions at multiple legitimate companies, likely in an attempt to generate illicit revenue for the sanctions-hit country or gain covert access to organizations.
Attack chains observed in August 2023 involved the use of a modified version of PuTTY – a tactic adopted by the Lazarus Group in late 2022 as part of Operation Dream Job – via LinkedIn and Telegram as well as developer freelancing platforms.
“Often, the actor sent targets a .ZIP archive containing two files: a trojanized version of putty.exe and url.txt, which contained an IP address and a password,” Microsoft said. “If the provided IP and password were entered by the user into the PuTTY application, the application would decrypt an embedded payload, then load and execute it.”
The trojanized PuTTY executable is designed to drop a custom installer dubbed SplitLoader that initiates a sequence of intermediate stages in order to ultimately launch a Trojan loader that’s responsible for executing a portable executable received from a C2 server.
Alternate attack sequences have entailed the use of malicious npm packages that are delivered through LinkedIn or freelancing websites, often masquerading as a fake company to send .ZIP files invoking a malicious npm package under the guise of a technical skills assessment.
These npm packages are configured to connect to an actor-controlled IP address and drop payloads similar to SplitLoader, or facilitate credential theft from the Windows Local Security Authority Subsystem Service (LSASS) process.
It’s worth noting that the targeting of npm developers using counterfeit packages has been associated with a campaign previously documented by Palo Alto Networks Unit 42 under the name Contagious Interview (aka DEV#POPPER). Microsoft is tracking the activity under the name Storm-1877.
Michael Sikorski, vice president and CTO of Unit 42, told The Hacker News that they are still conducting analysis, but noted that there is no “direct overlap” between Moonstone Sleet and Contagious Interview.
Rogue npm packages have also been a malware delivery vector for another North Korea-linked group codenamed Jade Sleet (aka TraderTraitor and UNC4899), which has been implicated in the JumpCloud hack last year.
Other attacks detected by Microsoft since February 2024 have utilized a malicious tank game called DeTankWar (aka DeFiTankWar, DeTankZone, and TankWarsZone) that’s distributed to targets via email or messaging platforms, while lending a layer of legitimacy by setting up fake websites and accounts on X (formerly Twitter).
“Moonstone Sleet typically approaches its targets through messaging platforms or by email, presenting itself as a game developer seeking investment or developer support and either masquerading as a legitimate blockchain company or using fake companies,” Microsoft researchers said.
“Moonstone Sleet used a fake company called C.C. Waterfall to contact targets. The email presented the game as a blockchain-related project and offered the target the opportunity to collaborate, with a link to download the game included in the body of the message.”
The purported game (“delfi-tank-unity.exe”) comes fitted with a malware loader referred to as YouieLoad, which is capable of loading next-stage payloads in memory and creating malicious services for network and user discovery and browser data collection.
Another non-existent company – complete with a custom domain, fake employee personas, and social media accounts – created by Moonstone Sleet for its social engineering campaigns is StarGlow Ventures, which masqueraded as a legitimate software development company to reach out to prospective targets for collaboration on projects related to web apps, mobile apps, blockchain, and AI.
While the end of this campaign, which took place from January to April 2024, is unclear, the fact that the email messages came embedded with a tracking pixel raises the possibility that it may have been used as part of a trust-building exercise and determine which of the recipients engaged with the emails for future revenue generation opportunities.
The latest tool in the adversary’s arsenal is a custom ransomware variant called FakePenny that it has been found deployed against an unnamed defense technology company in April 2024 in exchange for a $6.6 million ransom in Bitcoin.
The use of ransomware is another tactic pulled straight out of Andariel’s (aka Onyx Sleet) playbook, a sub-group operating within the Lazarus umbrella known for ransomware families like H0lyGh0st and Maui.
In addition to adopting necessary security measures to defend against attacks by the threat actor, Redmond is urging software companies to be on the lookout for supply chain attacks, given North Korean hacking groups’ propensity for poisoning the software supply chain to conduct widespread malicious operations.
“Moonstone Sleet’s diverse set of tactics is notable not only because of their effectiveness, but because of how they have evolved from those of several other North Korean threat actors over many years of activity to meet North Korean cyber objectives,” the company said.
The disclosure comes as South Korea accused its northern counterpart, particularly the Lazarus Group, of stealing 1,014 gigabytes of data and documents such as names, resident registration numbers, and financial records from a court network from January 7, 2021, to February 9, 2023, Korea JoongAng Daily reported earlier this month.
(The story was updated after publication on June 1, 2024, to include a comment from Palo Alto Networks Unit 42 about Contagious Interview.)
