A New MoonPeak Trojan Unleashed by North Korean State-Sponsored Hackers in Cyber Offensive

Aug 21, 2024Ravie LakshmananCyber Espionage / Malware

A new remote access trojan named MoonPeak has been discovered in use by a state-sponsored North Korean threat actor as part of a new campaign.

Cisco Talos has attributed the malicious campaign to a hacking group tracked as UAT-5394, which shows some tactical overlaps with the known nation-state actor Kimsuky.

MoonPeak, which is still under active development by the threat actor, is a variant of the open-source Xeno RAT malware, which was previously used in phishing attacks designed to retrieve payloads from actor-controlled cloud services such as Dropbox, Google Drive, and Microsoft OneDrive.

Notable capabilities of Xeno RAT include loading additional plugins, launching and terminating processes, and communicating with a command-and-control (C2) server.

Talos noted that the overlaps between the two intrusion sets suggest either that UAT-5394 is in fact Kimsuky (or a sub-group of it), or that it is a separate hacking unit within the North Korean cyber apparatus that borrows tooling from Kimsuky.

Central to the campaign is the use of new infrastructure, including C2 servers, payload-hosting sites, and test virtual machines, which have been set up to build new versions of MoonPeak.

“The C2 server furnishes malevolent artifacts for download, subsequently utilized to access and establish novel infrastructure to uphold this operation,” noted Talos researchers Asheer Malhotra, Guilherme Venere, and Vitor Ventura in an analysis published on Wednesday.

“On multiple instances, we also noticed the threat actor accessing existing servers to update their payloads and retrieve logs and information amassed from MoonPeak infections.”

The change indicates a shift away from legitimate cloud storage services toward infrastructure the actors set up themselves. The targets of the campaign remain unknown.

Notably, “the continual evolution of MoonPeak is closely tied to new infrastructure built by the threat actors,” and each new variant of the malware introduces additional obfuscation to hinder analysis, as well as changes to the overall communication mechanism to prevent unauthorized connections.

“In simple terms, the threat actors took measures to ensure that specific variants of MoonPeak only function with specific versions of the C2 server,” the researchers emphasized.

“The timelines reflecting the consistent adoption of new malware and its evolution such as in the instance of MoonPeak underscore that UAT-5394 continues to incorporate and enhance additional tools into their arsenal. The rapid pace of constructing novel supporting infrastructure by UAT-5394 signifies that the group intends to swiftly proliferate this operation and establish more drop points and C2 servers.”
