A never-before-seen North Korean threat actor codenamed Moonstone Sleet has been attributed as behind cyber attacks targeting individuals and organizations in the software and information technology, education, and defense industrial base sectors with ransomware and bespoke malware previously associated with the infamous Lazarus Group.
"Moonstone Sleet is observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized versions of legitimate tools, create a malicious game, and deliver a new custom ransomware," the Microsoft Threat Intelligence team claimed in a recent report.
It also classified the threat actor as utilizing a mix of tried-and-true approaches utilized by other North Korean threat actors and novel attack methodologies to fulfill its strategic goals.
The adversary, hitherto tracked by Redmond under the emerging cluster moniker Storm-1789, is assessed to be a state-aligned group that originally exhibited strong tactical overlaps with the Lazarus Group (aka Diamond Sleet), before establishing its own distinct identity through separate infrastructure and tradecraft.
The parallels with Lazarus include significantly copying code from known malware such as Comebacker, which was first spotted in January 2021 in relation with a campaign targeting security experts working on vulnerability research and development.
Comebacker was put to use by the Lazarus Group as recently as this February, embedding it into apparently harmless Python and npm packages to establish communication with a command-and-control (C2) server to obtain more payloads.
To support its numerous purposes, Moonstone Sleet is also known to solicit employment in software development roles at several genuine enterprises, perhaps in an effort to create illicit income for the sanctions-hit nation or acquire clandestine access to organizations.
Attack chains discovered in August 2023 included the use of a modified version of PuTTY — a strategy pioneered by the Lazarus Group in late 2022 as part of Operation Dream Job – via LinkedIn and Telegram as well as developer freelancing networks.
"Often, the actor sent targets a .ZIP archive containing two files: a trojanized version of putty.exe and url.txt, which contained an IP address and a password," Microsoft added. "If the provided IP and password were entered by the user into the PuTTY application, the application would decrypt an embedded payload, then load and execute it."
The trojanized PuTTY executable is meant to drop a custom installer named SplitLoader that begins a number of intermediary steps in order to finally run a Trojan loader that's responsible for executing a portable executable received from a C2 server.
Alternate attack sequences have involved the deployment of malicious npm packages that are supplied via LinkedIn or freelance websites, frequently posing as a phony organization to transmit .ZIP files executing a malicious npm package under the pretext of a technical skills evaluation.
These npm packages are designed to connect to an actor-controlled IP address and dump payloads similar to SplitLoader, or allow credential theft from the Windows Local Security Authority Subsystem Service (LSASS) process.
It's worth mentioning that the targeting of npm developers using counterfeit packages has been related with a campaign previously disclosed by Palo Alto Networks Unit 42 under the moniker Contagious Interview (aka DEV#POPPER). Microsoft is recording the behavior under the designation Storm-1877.
Michael Sikorski, vice president and CTO of Unit 42, told The Hacker News that they are currently performing study, but observed that there is no "direct overlap" between Moonstone Sleet and Contagious Interview.
Rogue npm packages have also been a malware distribution channel for another North Korea-linked organization nicknamed Jade Sleet (aka TraderTraitor and UNC4899), which has been involved in the JumpCloud attack last year.
Other attacks detected by Microsoft since February 2024 have utilized a malicious tank game called DeTankWar (aka DeFiTankWar, DeTankZone, and TankWarsZone) that's distributed to targets via email or messaging platforms, while lending a layer of legitimacy by setting up fake websites and accounts on X (formerly Twitter).
"Moonstone Sleet typically approaches its targets through messaging platforms or by email, presenting itself as a game developer seeking investment or developer support and either masquerading as a legitimate blockchain company or using fake companies," Microsoft researchers stated.
"Moonstone Sleet employed a fictitious corporation named C.C. Waterfall to contact targets. The email framed the game as a blockchain-related project and offered the target the option to contribute, with a link to download the game included in the body of the message."
The alleged game ("delfi-tank-unity.exe") is loaded with a malware loader known to as YouieLoad, which is capable of loading next-stage payloads in memory and launching malicious services for network and user discovery and browser data collecting.
Another non-existent company – complete with a custom domain, fake employee personas, and social media accounts – created by Moonstone Sleet for its social engineering campaigns is StarGlow Ventures, which masqueraded as a legitimate software development company to reach out to prospective targets for collaboration on projects related to web apps, mobile apps, blockchain, and AI.
While the end of this campaign, which took place from January to April 2024, is unclear, the fact that the email messages came embedded with a tracking pixel raises the possibility that it may have been used as part of a trust-building exercise and determine which of the recipients engaged with the emails for future revenue generation opportunities.
The newest weapon in the adversary's armory is a unique ransomware version dubbed FakePenny that it has been identified used against an undisclosed military technology business in April 2024 in return for a $6.6 million ransom in Bitcoin.
The deployment of ransomware is another approach drawn right out of Andariel's (aka Onyx Sleet) playbook, a sub-group working inside the Lazarus umbrella renowned for ransomware families like H0lyGh0st and Maui.
In addition to adopting necessary security measures to defend against attacks by the threat actor, Redmond is urging software companies to be on the lookout for supply chain attacks, given North Korean hacking groups' propensity for poisoning the software supply chain to conduct widespread malicious operations.
"Moonstone Sleet's diverse set of tactics is notable not only because of their effectiveness, but because of how they have evolved from those of several other North Korean threat actors over many years of activity to meet North Korean cyber objectives," the firm claimed.
The disclosure comes as South Korea accused its northern counterpart, particularly the Lazarus Group, of stealing 1,014 gigabytes of data and documents such as names, resident registration numbers, and financial records from a court network from January 7, 2021, to February 9, 2023, Korea JoongAng Daily reported earlier this month.
(The report was revised after publication on June 1, 2024, to incorporate a response from Palo Alto Networks Unit 42 concerning Contagious Interview.)