The MoonPeak RAT: A Persistently Changing Tool Connected to North Korean Espionage

A new variant of the XenoRAT information-stealing malware, dubbed MoonPeak, has been identified by researchers at Cisco Talos. This variant is believed to be linked to North Korea’s Kimsuky group and is being distributed through a complex infrastructure of command-and-control (C2) servers, staging systems, and test machines.

MoonPeak, which has been actively evolving over the past few months, poses a significant challenge for detection and identification due to its constant development and incremental changes. While the core functionalities of MoonPeak remain similar to the original XenoRAT, the threat actors have been consistently modifying and updating the code independently, making it harder to track and analyze.

XenoRAT, an open-source malware written in C#, was made available for free on GitHub last October. It is equipped with various powerful capabilities, including keylogging, User Account Control (UAC) bypass, and a hidden Virtual Network Computing (VNC) feature that allows threat actors to discreetly access a compromised system concurrently with the victim.

Cisco Talos has linked the MoonPeak variant to a state-sponsored North Korean threat actor group identified as UAT-5394, which has been using the malware in attacks earlier this year. The tactics, techniques, and infrastructure of this group bear resemblance to the Kimsuky group, known for its espionage activities targeting organizations involved in nuclear weapons research and policy.

The similarities between UAT-5394 and Kimsuky led Cisco Talos to speculate that the observed activity cluster could either be the Kimsuky group itself or another North Korean APT utilizing Kimsuky’s infrastructure. In light of this, the security vendor has chosen to track UAT-5394 as an independent North Korean advanced persistent threat (APT) group for the time being.

Analysis conducted by Cisco Talos on the MoonPeak variant revealed several modifications to the XenoRAT code while maintaining its core functions. One significant change was the alteration of the client namespace from “xeno rat client” to “cmdline”, so that other XenoRAT variants cannot connect to a MoonPeak server. This modification also served to keep rogue implants from connecting to the group’s infrastructure.

In addition to code modifications, the threat actor behind MoonPeak has been continuously refining its infrastructure. Following the disclosure of an earlier XenoRAT variant used by UAT-5394, the threat actor shifted from public cloud services to privately owned and controlled systems for hosting C2 servers, staging, and testing the malware. These changes are intended to make the analysis and detection of MoonPeak more challenging for security researchers.

Overall, the evolving nature of the MoonPeak malware and the constant adjustments to its C2 infrastructure demonstrate a sophisticated and determined threat actor. The goal appears to be to enhance the malware’s evasion techniques and ensure that specific variants only function with designated C2 servers, making it increasingly difficult to thwart their malicious activities.
