A new North Korean threat actor has been targeting education, defense industrial base, and software and IT organizations for espionage and revenue generation, Microsoft reports.
Tracked as Moonstone Sleet (formerly Storm-1789), the state-sponsored group has been combining tactics, techniques, and procedures (TTPs) employed by other North Korean threat actors with its unique methodologies, and has established itself as a well-resourced adversary.
“Moonstone Sleet is observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized versions of legitimate tools, create a malicious game, and deliver a new custom ransomware,” Microsoft says.
When initially discovered, the group showed strong overlaps with Diamond Sleet (also known as Zinc), which is believed to be a sub-group of the notorious Lazarus, but has since moved to its own infrastructure, engaging in an expansive set of operations.
This year, Moonstone Sleet has been observed creating fake companies posing as software development and IT services organizations, including StarGlow Ventures and C.C. Waterfall, and pursuing employment in software development positions at legitimate companies.
Since August 2023, the threat actor has been using a trojanized version of PuTTY in attacks, the SplitLoader installer/dropper, which also serves as a malware loader, the YouieLoad malware loader, malicious npm packages, a custom malicious tank game, and a custom ransomware called FakePenny.
To distribute its malicious payloads, Moonstone Sleet has been using applications such as LinkedIn and Telegram, as well as developer freelancing platforms and email.
The group has invested significant resources in building fake identities to support its malware delivery tactics, and has used the fake companies to engage with potential targets.
Moonstone Sleet’s malicious payloads were designed to perform network and user discovery and to collect data from browsers, and the group has also launched hands-on-keyboard commands to perform reconnaissance and credential theft.
In April 2024, the threat actor deployed the FakePenny ransomware against an organization compromised in February and demanded a 100 bitcoin (roughly $6.6 million) ransom. The ransom note closely resembled the one used in NotPetya attacks, Microsoft says.
In addition to individuals and organizations in the education, defense industrial base, and software and information technology sectors, the threat actor was also seen compromising a drone technology company and an aircraft parts manufacturer.
“Moonstone Sleet’s diverse set of tactics is notable not only because of their effectiveness, but because of how they have evolved from those of several other North Korean threat actors over many years of activity to meet North Korean cyber objectives,” Microsoft points out.