Microsoft has revealed the existence of a new North Korean threat actor, dubbed Moonstone Sleet.
Previously tracked as Storm-1789, a designation Microsoft uses for malicious activity clusters that have not yet been categorized, Moonstone Sleet has been active since at least early August 2023.
Until recently, the threat actor showed substantial overlaps with Diamond Sleet, another North Korean group.
“[Moonstone Sleet] was extensively reusing code from known Diamond Sleet malware like Comebacker and using well-established Diamond Sleet techniques to gain access to organizations, such as using social media to deliver trojanized software,” Microsoft explained in their report published on May 28.
Overlaps are common within the North Korean threat landscape, in which almost all threat groups work toward the same goal of serving the regime. This leads some cyber threat intelligence researchers to attribute any malicious activity by a North Korean group to the umbrella group Lazarus.
Moonstone Sleet’s Tactics, Techniques and Procedures
Moonstone Sleet has since shifted to its own bespoke infrastructure and attacks, prompting Microsoft to assign the group a name of its own.
To compromise its victims’ IT systems, Moonstone Sleet employs a combination of tried-and-tested and new techniques, including setting up fake companies and job opportunities to engage with potential targets, deploying trojanized versions of legitimate tools and creating malicious games.
The group also delivers its own custom ransomware.
Trojanized Legitimate Tools
One of the earliest Moonstone Sleet campaigns detected by Microsoft dates back to August 2023, when the threat actor was observed delivering a trojanized version of PuTTY, the open-source SSH and Telnet client, via messaging and social platforms such as LinkedIn and Telegram, as well as developer freelancing platforms.
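The practical defence against this delivery method is to refuse any "helpfully" supplied build of a tool and verify the binary against the vendor's own release artefacts before running it. The following PowerShell function is an added example written for this article, not code from Microsoft's report or from the PuTTY project. It assumes two things, both of which should be confirmed on the official PuTTY download page: that the expected SHA-256 values are taken from the project's published sha256sums file for the release you intend to run, and that the genuine binaries carry an Authenticode signature whose subject names Simon Tatham.

```powershell
# Added example (not from the article or Microsoft's report): check whether a PuTTY
# binary received through a chat app or freelancing platform is a genuine release.
# Assumptions, labelled as such: $KnownGoodSha256 holds hashes copied from the official
# PuTTY sha256sums file, and the official code-signing certificate's subject contains
# "Simon Tatham". Re-check both against the vendor site before relying on this.

function Test-PuttyBinary {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $KnownGoodSha256   # from vendor sha256sums (assumption)
    )

    $result = [ordered]@{
        Path            = $Path
        SignatureStatus = 'NotChecked'
        Signer          = '<none>'
        SignatureOk     = $false
        Sha256          = ''
        HashOk          = $false
        Verdict         = 'REJECT'
    }

    # 1. Authenticode check: an unsigned, tampered, or re-signed binary fails here.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus = $sig.Status
    if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }
    if ($sig.Status -eq 'Valid' -and $result.Signer -like '*Simon Tatham*') {
        $result.SignatureOk = $true
    }

    # 2. Hash pin: even a build signed with a stolen or look-alike certificate
    #    will not match the hash the vendor published for the release.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $result.Sha256 = $hash
    $known = $KnownGoodSha256 | ForEach-Object { $_.Trim().ToLowerInvariant() }
    if ($known -contains $hash) { $result.HashOk = $true }

    # Both checks must pass; a signature alone is not enough, nor is a hash
    # copied from the same chat message that delivered the binary.
    if ($result.SignatureOk -and $result.HashOk) { $result.Verdict = 'ACCEPT' }
    [pscustomobject]$result
}

# Usage: paste the hash line(s) for your version from the vendor's sha256sums file.
# Test-PuttyBinary -Path "$env:USERPROFILE\Downloads\putty.exe" `
#                  -KnownGoodSha256 @('<sha256 from the official PuTTY download page>')
```

The important design point is the order of trust: the hash list must come from the vendor's site over HTTPS, never from the LinkedIn or Telegram conversation that supplied the file, because an actor who can hand you a trojanized binary can just as easily hand you a matching hash.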