CyberSecurityBoard
Sponsor Register Login

Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks

Microsoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet, that uses both a combination of many tried-and-true techniques used by other North Korean threat actors and unique attack methodologies to target companies for its financial and cyberespionage objectives.
Moonstone Sleet is observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized versions of legitimate tools, create a malicious game, and deliver a new custom ransomware.
Moonstone Sleet uses tactics, techniques, and procedures also used by other North Korean threat actors over the last several years, highlighting the overlap among these groups.
When Microsoft first detected Moonstone Sleet activity, the actor demonstrated strong overlaps with Diamond Sleet, extensively reusing code from known Diamond Sleet malware like Comebacker and using well-established Diamond Sleet techniques to gain access to organizations, such as using social media to deliver trojanized software.
Moonstone Sleet then quickly shifted to its own bespoke infrastructure and attacks, establishing itself as a distinct, well-resourced North Korean threat actor.
Moonstone Sleet is a threat actor behind a cluster of malicious activity that Microsoft assesses is North Korean state-aligned and uses both a combination of many tried-and-true techniques used by other North Korean threat actors and unique attack methodologies.
Subsequently, Microsoft has observed Moonstone Sleet and Diamond Sleet conducting concurrent operations, with Diamond Sleet still utilizing much of its known, established tradecraft.
In April 2024, Microsoft observed Moonstone Sleet delivering a new custom ransomware variant we have named FakePenny against a company it previously compromised in February.
Since January 2024, Microsoft has observed Moonstone Sleet creating several fake companies impersonating software development and IT services, typically relating to blockchain and AI. The actor has used these companies to reach out to potential targets, using a combination of created websites and social media accounts to add legitimacy to their campaigns.
In the emails Moonstone Sleet sent as part of this campaign, the actor complimented the work of the targeted organization and offered collaboration and support for upcoming projects, citing expertise in the development of web apps, mobile apps, blockchain, and AI. These emails also contained a 1×1 tracking pixel, which likely enabled Moonstone Sleet to track which targets engaged with the emails, and a link to a dummy unsubscribe page hosted on the StarGlow Ventures domain.
In this campaign, Moonstone Sleet emailed higher education organizations, claiming the company was either hiring new developers or looking for business collaboration opportunities.
As previously mentioned, Moonstone Sleet also used C.C. Waterfall to contact targets and invite them to download the actor's tank game, highlighting that this is a coordinated and concerted effort for which Moonstone Sleet can leverage multiple facets of its operations in overlapping campaigns.
Moonstone Sleet's diverse set of tactics is notable not only because of their effectiveness, but because of how they have evolved from those of several other North Korean threat actors over many years of activity to meet North Korean cyber objectives.
Moonstone Sleet's addition of ransomware to its playbook, like another North Korean threat actor, Onyx Sleet, may suggest it is expanding its set of capabilities to enable disruptive operations.
Moonstone Sleet's ability to conduct concurrent operations across multiple campaigns suggests this threat actor may be well-resourced.
Given that Moonstone Sleet's initial attacks mirrored Diamond Sleet methodologies and heavily reused Diamond Sleet's code in their payloads, Microsoft assesses this actor is equipped with capabilities from prior cyber operations conducted by other North Korean actors.
Microsoft has identified several techniques used by Moonstone Sleet that have previously been used by other North Korean threat actors.
While Microsoft has not yet identified any Moonstone Sleet supply chain attacks, the actor has extensively targeted software development firms in its campaigns.
Despite being new, Moonstone Sleet has demonstrated that it will continue to mature, develop, and evolve, and has positioned itself to be a preeminent threat actor conducting sophisticated attacks on behalf of the North Korean regime.
Microsoft Sentinel customers can also use the following query, which looks for Microsoft Defender AV detections related to the Moonstone Sleet.


This Cyber News was published on www.microsoft.com. Publication date: Wed, 29 May 2024 17:43:05 +0000


Cyber News related to Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks

Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks - Microsoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet, that uses both a combination of many tried-and-true techniques used by other North Korean threat actors and unique attack methodologies to target companies for ...
1 month ago Microsoft.com
Unmasking Moonstone Sleet: A Deep Dive into North Korea's Latest Cyber Threat - Moonstone Sleet: A New North Korean Threat Actor Microsoft discovered a new North Korean threat actor, Moonstone Sleet, who targets companies with a combination of tried-and-true techniques used by other North Korean threat actors as well as unique ...
1 month ago Cysecurity.news
Microsoft: 'Moonstone Sleet' APT Melds Espionage, Financial Goals - Researchers at Microsoft have identified a North Korean threat group carrying out espionage and financial cyberattacks concurrently, using a grab bag of different attack techniques against aerospace, education, and software organizations and ...
1 month ago Darkreading.com
Microsoft links North Korean hackers to new FakePenny ransomware - Microsoft has linked a North Korean hacking group it tracks as Moonstone Sleet to FakePenny ransomware attacks, which have led to millions of dollars in ransom demands. While this threat group's tactics, techniques, and procedures largely overlapped ...
1 month ago Bleepingcomputer.com
North Korea's state hackers stole $3 billion in crypto since 2017 - North Korean-backed state hackers have stolen an estimated $3 billion in a long string of hacks targeting the cryptocurrency industry over the last six years since January 2017. Kimsuky, Lazarus Group, Andariel, and other North Korean hacking groups ...
7 months ago Bleepingcomputer.com
Moonstone Sleet: A new North Korean threat actor - Microsoft has named yet another state-aligned threat actor: Moonstone Sleet, which engages in cyberespionage and ransomware attacks to further goals of the North Korean regime. Delivered a trojanized version of PuTTY via LinkedIn, Telegram, and ...
1 month ago Helpnetsecurity.com
Microsoft uncovers North Korea Moonstone Sleet - Microsoft Threat Intelligence teams recently uncovered a novel collective of hackers known as Moonstone Sleet, also identified as Storm-1789. This group has been engaging in a variety of tactics aimed at maintaining their activity and funding the ...
1 month ago Cybersecurity-insiders.com
macOS Malware Mix & Match: North Korean APTs Stir Up Fresh Attacks - North Korean advanced persistent threat groups are mixing and matching components of two recently unleashed types of Mac-targeted malware to evade detection and fly under the radar as they continue their efforts to conduct operations at the behest of ...
7 months ago Darkreading.com
US govt sanctions North Korea's Kimsuky hacking group - The Treasury Department's Office of Foreign Assets Control has sanctioned the North Korean-backed Kimsuky hacking group for stealing intelligence in support of the country's strategic goals. OFAC has also sanctioned eight North Korean agents for ...
7 months ago Bleepingcomputer.com
North Korean Hackers Use Fake Job Offers & Salary Bumps as Lure for Crypto Theft - Recent investigations have uncovered a massive operation carried out by North Korean hackers looking to steal cryptocurrency through fake job offers and salary bumps. According to recent reports, hackers have been able to trace the malicious ...
1 year ago Therecord.media
Microsoft: BlueNoroff hackers plan new crypto-theft attacks - Microsoft warns that the BlueNoroff North Korean hacking group is setting up new attack infrastructure for upcoming social engineering campaigns on LinkedIn. This financially motivated threat group also has a documented history of cryptocurrency ...
7 months ago Bleepingcomputer.com
North Korean Hackers Utilizing Credential Stuffing to Launch Cyberattacks - In an alarming new report, researchers found that North Korean-linked hackers have been using stolen passwords during cyberattacks to gain access to various government, military and financial networks. According to security experts, the creative ...
1 year ago Thehackernews.com
Woman Accused of Helping North Korean IT Workers Infiltrate Hundreds of US Firms - The US government has announced charges, seizures, arrests and rewards as part of an effort to disrupt a scheme in which North Korean IT workers infiltrated hundreds of companies and earned millions of dollars for North Korea. According to the ...
1 month ago Securityweek.com
TeamCity Intrusion Saga: APT29 Suspected Among the Attackers Exploiting CVE-2023-42793 - As part of this analysis, we look at threat actor TTPs employed throughout the intrusion and how they were identified and pieced together by the FortiGuard IR team. The following section of this report focuses on the activities of one of these threat ...
6 months ago Feeds.fortinet.com
Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor's Activity - By analyzing tools, logs and artifacts left open to the internet, we were able to profile the threat actor and their victims. After analyzing the artifacts we can conclude with moderate confidence that the majority of the threat actor activity ...
6 months ago Thedfirreport.com
FBI Charges North Korean Hackers Over $100 Million Stolen in Crypto Hack - The FBI has recently charged a North Korean hacker in connection with the Harmony crypto hack from which the hacker allegedly stole over $100 million. The hacker, Jon Chang Hyok, is a member of the North Korean military intelligence agency, the ...
1 year ago Bleepingcomputer.com
Microsoft: Lazarus hackers breach CyberLink in supply chain attack - Microsoft says a North Korean hacking group has breached Taiwanese multimedia software company CyberLink and trojanized one of its installers to push malware in a supply chain attack targeting potential victims worldwide. According to Microsoft ...
7 months ago Bleepingcomputer.com
Experts from the United Nations Report North Korean Hackers Have Taken a Large Amount of Digital Assets - Last year, North Korean hackers working for the government stole a record-breaking amount of virtual assets estimated to be worth between $630 million and more than $1 billion, according to a new report from U.N. experts. The panel of experts said ...
1 year ago Securityweek.com
Windows Incident Response: Human Behavior In Digital Forensics, pt III - Digital forensics can provide us insight into a threat actor's sophistication and situational awareness, which can, in turn, help us understand their intent. Observing the threat actor's actions helps us understand not just their intent, but what ...
5 months ago Windowsir.blogspot.com
North Korea's ScarCruft Attackers Gear Up to Target Cybersecurity Pros - ScarCruft, the North Korea-sponsored advanced persistent threat group, is gearing up for targeted attacks on cybersecurity researchers and other members of the threat intelligence community - likely in a bid to steal nonpublic threat intel and ...
5 months ago Darkreading.com
North Korean Hackers Attacked Indian Medical and Energy Companies - The North Korean military's notorious hacking arm, known as the Lazarus Group, has been accused of targeting public and private sector research organizations, an Indian medical research company, and other businesses in the energy sector. Security ...
1 year ago Therecord.media
Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours - In late December 2022, we observed threat actors exploiting a publicly exposed Remote Desktop Protocol host, leading to data exfiltration and the deployment of Trigona ransomware. On Christmas Eve, within just three hours of gaining initial access, ...
5 months ago Thedfirreport.com
Week in review: Attackers trying to access Check Point VPNs, NIST CSF 2.0 security metrics evolution - RansomLord: Open-source anti-ransomware exploit toolRansomLord is an open-source tool that automates the creation of PE files, which are used to exploit ransomware pre-encryption. Attackers are probing Check Point Remote Access VPN devicesAttackers ...
1 month ago Helpnetsecurity.com
New Tool Set Found Used Against Organizations in the Middle East, Africa and the US - Unit 42 researchers observed a series of apparently related attacks against organizations in the Middle East, Africa and the U.S. We will discuss a set of tools used in the course of the attacks that reveal clues about the threat actors' activity. We ...
7 months ago Unit42.paloaltonetworks.com
North Korean hackers exploit critical TeamCity flaw to breach networks - Microsoft says that the North Korean Lazarus and Andariel hacking groups are exploiting the CVE-2023-42793 flaw in TeamCity servers to deploy backdoor malware, likely to conduct software supply chain attacks. In September, TeamCity fixed a critical ...
7 months ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)