Microsoft: 'Moonstone Sleet' APT Melds Espionage, Financial Goals

Researchers at Microsoft have identified a North Korean threat group carrying out espionage and financial cyberattacks concurrently, using a grab bag of different attack techniques against aerospace, education, and software organizations and developers.
In the beginning, Microsoft explained in a blog post, Moonstone Sleet heavily overlapped with the known DPRK advanced persistent threat Diamond Sleet.
The former borrowed the latter's malware - such as the Comebacker Trojan - as well as its infrastructure and preferred techniques, such as delivering Trojanized software via social media.
Moonstone Sleet has since differentiated itself, moving to its own infrastructure and establishing for itself a unique, if rather erratic, identity.
For one thing, where some of Kim Jong-Un's threat groups focus on espionage and others focus on stealing money, Moonstone Sleet does both.
Having its hands in every pie is reflected in its tactics, techniques, and procedures, too, which in various cases have involved fake job offers, custom ransomware, and even a fully functional fake video game.
To add to the realism, Moonstone Sleet uses the common North Korean strategy of engaging with victims from the perspective of a seemingly legitimate company.
In phishing emails, the faux company complimented its victims and offered to collaborate on upcoming projects.
In other cases, the group used another fake company - C.C. Waterfall - to spread an especially creative ruse.
In emails from C.C. Waterfall since February, Moonstone Sleet has been reaching out to victims with a link to download a video game called DeTankWar.
The game has its own websites, as well as X accounts for fake personas used to promote it.
Remarkably, DeTankWar is a fully functional video game.
Whack-a-Mole Cyber Defense

Fake companies and fake video games are just some of Moonstone Sleet's tricks.
Its members also try to get hired for remote tech jobs with real companies.
It spreads malicious npm packages on LinkedIn and freelancer websites.
It has its own ransomware, FakePenny, which it uses in conjunction with a ransom note ripped from NotPetya to solicit millions of dollars' worth of Bitcoin.


This Cyber News was published on www.darkreading.com. Publication date: Wed, 29 May 2024 20:50:12 +0000