The PolySwarm Blog


New North Korean Threat Actor Group Moonstone Sleet

Jun 7, 2024 12:58:01 PM / by The Hivemind

Related Families: SplitLoader, YouieLoad
Verticals Targeted: Education, Software, Information Technology, Defense, Aerospace

Executive Summary

Moonstone Sleet is a newly identified North Korea nexus threat actor group. The group leverages a combination of commonly used North Korean threat actor TTPs, along with their own unique attack methodologies.

Key Takeaways

  • Moonstone Sleet is a newly identified North Korea nexus threat actor group.
  • The group leverages a combination of commonly used North Korean threat actor TTPs, along with their own unique attack methodologies.
  • Moonstone Sleet’s TTPs include setting up fake companies and job opportunities to lure potential targets, leveraging trojanized versions of legitimate tools, leveraging a malicious but otherwise fully functional game, and custom ransomware.

Who is Moonstone Sleet?

Microsoft recently reported on Moonstone Sleet, a new North Korean threat actor group. The group was previously tracked as Storm-1789. Moonstone Sleet leverages a combination of commonly used North Korean threat actor TTPs, along with their own unique attack methodologies. The group appears to be driven by both financial gain and espionage objectives.

When Moonstone Sleet activity was first observed, they were using TTPs that overlapped with those of Diamond Sleet/Lazarus Group. However, the group soon shifted to its own unique set of TTPs. Moonstone Sleet’s TTPs include setting up fake companies and job opportunities to lure potential targets, leveraging trojanized versions of legitimate tools, leveraging a malicious but otherwise fully functional game, and custom ransomware.

Moonstone Sleet has been observed using a trojanized version of PuTTY, distributed via LinkedIn, Telegram, and other platforms, to drop the SplitLoader payload. This technique is very similar to one previously used by Diamond Sleet. The group has also been observed leveraging projects containing malicious npm packages, distributed via LinkedIn and freelancing sites, to deliver malicious payloads.

Moonstone Sleet was observed as early as February 2024 using a malicious tank game to infect devices. The fully functional game was known as DeTankWar and was presented as a blockchain-related project. To distribute the game, the threat actors posed as game developers and approached potential targets. This elaborate campaign seemed legitimate because the threat actors created social media accounts for both the game and the “developers” who were social engineering the targets. When the users launched the game, malicious DLLs were also loaded. The game delivered a custom malware loader known as YouieLoad.

Moonstone Sleet’s custom ransomware, known as FakePenny, was observed in the wild as early as April 2024. Microsoft noted the ransom note used for FakePenny was similar to the one used by NotPetya. The threat actors targeted a previously compromised company with FakePenny, demanding a $6.6 million USD ransom, to be paid in Bitcoin.

Moonstone Sleet has also been observed using fake companies, often in the software development and IT services industries and relating to blockchain and AI technology, for social engineering. As with DeTankWar, the threat actors created social media accounts and websites to make the companies appear to be legitimate entities.

From January to April 2024, the threat actors used the fake company StarGlow Ventures to target entities in the education and software development verticals with email communications. In another campaign, the threat actors used a fake company called C.C. Waterfall, posing as an IT consulting company. Again, the threat actors targeted education sector entities. While these campaigns did not deliver malware, they were apparently used to establish rapport with the targets for follow-on engagement. In some cases, the threat actors used these interactions to convince a victim to download the DeTankWar game.

IOCs

PolySwarm has multiple samples associated with Moonstone Sleet activity.


You can use the following CLI command to search for all Moonstone Sleet samples in our portal:

$ polyswarm link list -t MoonstoneSleet
