Moonstone Sleet: APT Combines Espionage and Financial Goals

Researchers at Microsoft have recently uncovered a North Korean threat group, known as Moonstone Sleet, that conducts both espionage and financially motivated cyberattacks across various sectors. This emerging group has been using a blend of attack techniques to target aerospace, education, and software organizations, presenting a significant challenge for cybersecurity experts.

Initially, Moonstone Sleet shared many similarities with the known DPRK advanced persistent threat (APT) group Diamond Sleet, borrowing malware like the Comebacker Trojan and adopting similar infrastructure and techniques, such as distributing Trojanized software through social media platforms. Over time, however, Moonstone Sleet has evolved into its own entity, operating its own infrastructure and establishing a unique, if somewhat erratic, modus operandi.

Unlike other North Korean threat groups that typically focus solely on espionage or financial theft, Moonstone Sleet has been engaging in both activities simultaneously. This multifaceted approach is reflected in its tactics, techniques, and procedures (TTPs), which have included fake job offers, custom ransomware deployments, and even the creation of a fully functional fake video game as part of its cyber operations.

According to experts like Adam Gavish, co-founder and CEO of DoControl, Moonstone Sleet’s ability to merge traditional cybercriminal methods with those of nation-state actors is particularly concerning. Its diverse strategies, ranging from setting up fake companies to deliver ransomware to employing compromised tools for direct infiltration, show a level of versatility that poses challenges for defenders.

One noteworthy tactic employed by Moonstone Sleet is the use of trusted platforms such as LinkedIn and Telegram, as well as developer freelancing websites, to target victims. By exploiting the inherent trust associated with these platforms, the threat group can deceive victims into interacting with malicious content more easily. This strategy aligns with a common North Korean approach of engaging with victims from the perspective of legitimate entities.

In one example, Moonstone Sleet masqueraded as a software development company named “StarGlow Ventures,” complete with a custom domain, fictitious employees, and social media presence. This false front allowed the group to target numerous organizations in the software and education sectors by sending phishing emails offering collaboration on projects. In another instance, the threat group used another bogus company, C.C. Waterfall, to distribute a fake video game named “DeTankWar,” which contained malicious payloads disguised as game files.

The cyber defense landscape against Moonstone Sleet’s tactics is akin to playing a game of “whack-a-mole,” as the threat group continually evolves its techniques. From fake companies to malicious npm packages and custom ransomware, the group employs a wide range of tools and strategies to achieve its objectives. Defenders are urged to adopt a multi-layered security approach, combining endpoint protection, network monitoring, and threat hunting to detect and respond to anomalous activities promptly.

In light of the dynamic nature of evolving threats like Moonstone Sleet, cybersecurity experts emphasize the importance of a holistic and adaptive approach to defense. By balancing technical defenses with strategic intelligence and continuous vigilance, organizations can better combat the ever-changing tactics of sophisticated threat actors. Microsoft and other security firms are continually updating and enhancing their solutions to help organizations strengthen their cyber defenses and stay ahead of emerging threats like Moonstone Sleet.
