Moonstone Sleet is a relatively new North Korean threat actor that has rapidly gained notoriety in the cybersecurity landscape. Distinct from other DPRK-linked groups, Moonstone Sleet blends tactics associated with both financially motivated attackers and state-sponsored espionage operations. This dual focus makes them a particularly complex and dangerous adversary. Their operations involve deploying custom ransomware, establishing fake companies and job opportunities, and targeting a wide range of industries globally. Understanding their evolving tactics is crucial for effective defense.
Moonstone Sleet was first identified and tracked by Microsoft in April 2023. Although newly named, the group's activities suggest an operational history that may predate this public identification. Microsoft assesses with high confidence that Moonstone Sleet is a North Korean state-sponsored actor, based on observed infrastructure, tools, and techniques that overlap with those of other known DPRK-linked groups. The group nonetheless has clear distinctions of its own.
Key aspects of Moonstone Sleet's evolution include:
Overlap and Divergence: Moonstone Sleet shares tactics, techniques, and procedures (TTPs) with other North Korean groups like Diamond Sleet (Lazarus Group) and Sapphire Sleet (Andariel). However, they also employ unique methods, particularly in their use of custom ransomware and elaborate social engineering schemes involving fake companies.
Shift in Tactics: Initially, Moonstone Sleet was observed deploying the FakePenny custom ransomware. More recently, they have expanded their operations to include creating Trojanized versions of legitimate tools, establishing fake companies to engage with potential victims, and conducting IT service fraud.
Possible Rebranding: The group is assessed with low confidence to be a rebranding of a threat actor tracked as Storm-1789.
This continuous evolution and diversification of attack methods demonstrate Moonstone Sleet's adaptability and commitment to expanding its operational capabilities.
Moonstone Sleet employs a diverse range of tactics, showcasing both sophistication and a willingness to adapt their methods. Their operations can be broadly categorized into several key stages:
Initial Access: Moonstone Sleet utilizes various methods to gain initial access to victim networks:
* Supply Chain Attacks: They have been observed leveraging compromised legitimate software, creating Trojanized versions of tools like PuTTY and KiTTY.
* Social Engineering: The group creates fake companies and job postings to engage with targets, often through platforms like LinkedIn and Telegram. This elaborate deception is used to deliver malicious payloads or gain access to sensitive information.
* Exploitation of Known Vulnerabilities: Moonstone Sleet targets known vulnerabilities in internet-facing applications and services, such as vulnerable Cisco devices. A robust, recurring vulnerability assessment program is needed to stay ahead of such actors.
Persistence: Once inside a network, Moonstone Sleet employs several techniques to maintain access:
* Custom Malware: They deploy custom malware, including the FakePenny ransomware and other custom backdoors.
* Scheduled Tasks: Malware is often installed and maintained via scheduled tasks.
* Registry Modification: The group modifies registry keys so that its malware persists across reboots.
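As an added example (not code from the original article or from Microsoft's reporting), the following Python walks a handful of constructed Windows event records, Security EventID 4698 (scheduled task created) and Sysmon EventID 13 (registry value set), and flags the two persistence patterns described above: newly created scheduled tasks and Run/RunOnce entries, rating those whose target binary lives in a user-writable directory as high severity. The sample events, task names and paths are constructed; the field names follow the usual Windows and Sysmon schema.

```python
import re

# Constructed sample event records (not real telemetry). EventID 4698 is the Windows
# Security "scheduled task created" event; EventID 13 is the Sysmon "registry value set"
# event. Fields are flattened to the few this check needs.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "svc_backup", "TaskName": "\\Microsoft\\Windows\\Backup\\Nightly",
     "TaskContent": "<Exec><Command>C:\\Program Files\\Backup\\backup.exe</Command></Exec>"},
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": "\\OneDriveUpdate",
     "TaskContent": "<Exec><Command>C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe</Command></Exec>"},
    {"EventID": 13, "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\putty.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\putty.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Vendor\\Settings\\Theme",
     "Details": "dark"},
]

# Autostart locations: values written under Run/RunOnce execute at logon.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Directories a standard user can write to; legitimate services rarely start from here.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.IGNORECASE)
COMMAND_RE = re.compile(r"<Command>(.*?)</Command>", re.IGNORECASE | re.DOTALL)

def classify(event):
    """Return (severity, location, target) for a persistence-related event, else None."""
    if event.get("EventID") == 4698:
        m = COMMAND_RE.search(event.get("TaskContent", ""))
        cmd = m.group(1).strip() if m else ""
        sev = "high" if USER_WRITABLE_RE.search(cmd) else "low"
        return (sev, "task:" + event.get("TaskName", ""), cmd)
    if event.get("EventID") == 13:
        key = event.get("TargetObject", "")
        if not RUN_KEY_RE.search(key):
            return None  # registry writes outside autostart keys are ignored
        sev = "high" if USER_WRITABLE_RE.search(event.get("Details", "")) else "low"
        return (sev, "runkey:" + key, event.get("Details", ""))
    return None

def persistence_findings(events, min_severity="high"):
    """Collect findings at or above min_severity ("low" keeps every autostart change)."""
    keep = {"high"} if min_severity == "high" else {"high", "low"}
    return [f for f in map(classify, events) if f and f[0] in keep]

if __name__ == "__main__":
    for sev, where, target in persistence_findings(SAMPLE_EVENTS, "low"):
        print(f"[{sev}] {where} -> {target}")
```

Running it with "low" also lists benign-looking autostart changes, which is useful for a baseline review; the default keeps only entries launched from user-writable paths.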
Lateral Movement: Moonstone Sleet actively moves laterally within compromised networks to identify and access high-value targets:
* Credential Theft: They use tools to steal credentials and gain access to other systems.
* Network Scanning: The group scans the network to discover additional targets and resources.
* Remote Desktop Protocol (RDP): RDP is used to move between systems within the network. Zero Trust security controls help limit this kind of lateral movement.
Command and Control:
* Malware uses hardcoded C2 URLs or retrieves them from websites.
* Use of Telegram bots for C2 communications.
Impact:
* Deployment of FakePenny custom ransomware.
* In some intrusions, Moonstone Sleet deploys the RUNCALL ransomware, which is publicly available.
Data Exfiltration & Extortion: The ultimate goal of Moonstone Sleet's operations varies depending on the specific campaign.
* Financial Gain: They deploy ransomware and demand payment for decryption, often engaging in double extortion by threatening to release stolen data.
* If the victim does not pay the ransom, the attackers offer to sell the stolen data.
* Espionage: In some cases, their activities suggest a focus on gathering intelligence and stealing sensitive data, aligning with North Korea's broader strategic objectives.
Development of Tools:
* The group uses custom loaders to deploy their malware.
* New DLL loaders for delivering additional payloads.
* Development of malicious NPM packages. This underscores the risk posed by vulnerable or untrusted components in the software supply chain.
Moonstone Sleet's targeting is broad, encompassing various industries and geographic regions. This wide scope reflects their dual motivations of financial gain and espionage:
Target Industries: Moonstone Sleet has been observed targeting:
* Software and technology companies
* Defense industrial base
* Educational institutions
* IT service providers
* Healthcare organizations
* Energy
Geographic Regions: While their operations are global, there is a particular focus on:
* United States
* South Korea
* Japan
* Russia
* Europe
Political Motivations: Moonstone Sleet's activities align with North Korea's broader strategic goals, which include:
* Generating revenue to circumvent international sanctions.
* Gathering intelligence on adversaries and strategic technologies.
* Disrupting critical infrastructure and services in target countries.
Potential Impact: Successful attacks by Moonstone Sleet can result in:
* Significant data breaches, exposing sensitive information.
* Operational disruption due to ransomware encryption.
* Financial losses from ransom payments and recovery costs.
* Reputational damage for targeted organizations.
* Theft of source code. More on this topic can be found on the Microsoft Security Blog.
Moonstone Sleet has been linked to several notable attack campaigns:
FakePenny Ransomware Deployment (2023): Early campaigns focused on deploying the custom FakePenny ransomware, targeting organizations globally. This established Moonstone Sleet as a financially motivated threat actor.
Trojanized Software (2023-2024): The group created and distributed Trojanized versions of legitimate software, such as PuTTY and KiTTY, through supply chain attacks. This demonstrated their ability to compromise widely used tools.
Fake Company and Job Offers (2023-Present): Moonstone Sleet established fake companies and created fraudulent job postings to engage with individuals in target industries. This social engineering campaign allowed them to deliver malicious payloads and gain access to sensitive systems. They contacted individuals on Telegram, offering them positions as developers.
IT Service Fraud (2024): The group engaged in IT service fraud, posing as legitimate IT professionals to gain access to networks and deploy malware.
Exploitation of Cisco Devices: Attacks on end-of-life Cisco devices using known vulnerabilities. A proper patch management strategy is essential.
These campaigns highlight Moonstone Sleet's diverse and evolving tactics, showcasing their ability to adapt to different targets and environments.
Defending against Moonstone Sleet requires a multi-layered approach that incorporates both proactive and reactive measures:
Strong Authentication and Access Controls:
* Enforce strong, unique passwords and multi-factor authentication (MFA) for all accounts, especially privileged accounts.
* Implement the principle of least privilege, limiting user access to only the resources necessary for their roles.
* Regularly review and update access controls to ensure they remain appropriate.
Network Segmentation:
* Segment the network to limit the lateral movement of attackers in case of a breach.
* Implement strict firewall rules to control traffic between network segments.
Vulnerability Management:
* Establish a robust vulnerability management program to identify and remediate known vulnerabilities in software and systems.
* Prioritize patching of internet-facing applications and services.
* Consider decommissioning or isolating end-of-life devices that cannot be patched.
Security Awareness Training:
* Conduct regular security awareness training for all employees, focusing on:
* Identifying and reporting phishing emails.
* Recognizing social engineering tactics.
* Safe browsing habits and avoiding suspicious downloads.
Endpoint Detection and Response (EDR):
* Deploy EDR solutions on all endpoints to detect and respond to malicious activity.
* Configure EDR to monitor for suspicious behaviors, such as unusual process executions, file modifications, and network connections.
Threat Intelligence:
* Leverage threat intelligence feeds to stay informed about the latest TTPs used by Moonstone Sleet and other threat actors.
* Use threat intelligence to proactively hunt for indicators of compromise (IOCs) within the network.
Incident Response Plan:
* Develop and regularly test an incident response plan to ensure a rapid and effective response to potential breaches.
* The plan should include procedures for containment, eradication, recovery, and post-incident activity. If you don't have one, learn why you need a cyber incident response plan.
Supply Chain Security:
* Carefully vet all third-party software and vendors to ensure they meet security standards.
* Monitor for compromised software updates and apply patches promptly.
Specific Mitigations Related to Their TTPs:
* Block network connections to compromised and malicious infrastructure.
* Require MFA for VPN and other remote access solutions.
* Monitor and audit identities and access to critical systems.
* Restrict or block the use of unapproved remote access software. A SOAR platform can automate this enforcement.
Moonstone Sleet represents a significant and evolving threat, combining the characteristics of both financially motivated and state-sponsored actors. Their diverse tactics, broad targeting, and continuous adaptation make them a formidable adversary. Organizations must remain vigilant, proactively implementing robust security measures and staying informed about the latest threat intelligence to effectively defend against this emerging threat. The combination of financial and espionage motivations makes Moonstone Sleet a particularly dangerous actor, requiring a comprehensive and layered defense strategy.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.