CyberSecurity SEE

The MoonPeak RAT: A Persistently Changing Tool Connected to North Korean Espionage


A new variant of the XenoRAT information-stealing malware, dubbed MoonPeak, has been identified by researchers at Cisco Talos. This variant is believed to be linked to North Korea’s Kimsuky group and is being distributed through a complex infrastructure of command-and-control (C2) servers, staging systems, and test machines.

MoonPeak, which has been actively evolving over the past few months, poses a significant challenge for detection and identification due to its constant development and incremental changes. While the core functionalities of MoonPeak remain similar to the original XenoRAT, the threat actors have been consistently modifying and updating the code independently, making it harder to track and analyze.

XenoRAT, an open-source malware written in C#, was made available for free on GitHub last October. It is equipped with various powerful capabilities, including keylogging, User Account Control (UAC) bypass, and a hidden Virtual Network Computing (HVNC) feature that allows threat actors to discreetly access a compromised system concurrently with the victim.

Cisco Talos has linked the MoonPeak variant to a state-sponsored North Korean threat actor group identified as UAT-5394, which has been using the malware in attacks earlier this year. The tactics, techniques, and infrastructure of this group bear resemblance to the Kimsuky group, known for its espionage activities targeting organizations involved in nuclear weapons research and policy.

The similarities between UAT-5394 and Kimsuky led Cisco Talos to speculate that the observed activity cluster could either be the Kimsuky group itself or another North Korean APT utilizing Kimsuky’s infrastructure. In light of this, the security vendor has chosen to track UAT-5394 as an independent North Korean advanced persistent threat (APT) group for the time being.

Analysis conducted by Cisco Talos on the MoonPeak variant revealed several modifications to the XenoRAT code while maintaining its core functions. One notable change was renaming the client namespace from “xeno rat client” to “cmdline”, which prevents other XenoRAT variants, including rogue implants, from connecting to a MoonPeak server.

In addition to code modifications, the threat actor behind MoonPeak has been continuously refining its infrastructure. Following the disclosure of an earlier XenoRAT variant used by UAT-5394, the threat actor shifted from public cloud services to privately owned and controlled systems for hosting C2 servers, staging, and testing the malware. These changes are intended to make the analysis and detection of MoonPeak more challenging for security researchers.

Overall, the evolving nature of the MoonPeak malware and the constant adjustments to its C2 infrastructure demonstrate a sophisticated and determined threat actor. The goal appears to be to enhance the malware’s evasion techniques and ensure that specific variants only function with designated C2 servers, making it increasingly difficult to thwart their malicious activities.
