Microsoft identifies Moonstone Sleet as a new North Korean threat actor with a diverse toolkit, including trojanized PuTTY, a malicious tank game, fake companies, malicious npm packages, and a custom ransomware. Moonstone Sleet operates with bespoke infrastructure and runs concurrent campaigns against the software, education, and aerospace sectors, blending espionage with revenue-driven operations. #MoonstoneSleet #FakePenny #DeTankWar #StarGlowVentures #CCWaterfall #DiamondSleet #NotPetya
Keypoints
- Moonstone Sleet is a North Korean state-aligned threat actor, initially overlapping with Diamond Sleet but now operating on its own bespoke infrastructure.
- The group uses social media and freelancing platforms to deliver trojanized software (PuTTY) as an initial access vector, following established North Korean tradecraft.
- Trojanized PuTTY delivers a multi-stage chain (Stage 1–4) including a loader that decrypts, decompresses, and loads subsequent payloads.
- Malicious npm packages are used to deliver malicious code to software developers, including credential theft from LSASS and loader components.
- Moonstone Sleet developed a malicious tank game (DeTankWar) that loads YouieLoad and can perform in-memory loading, service creation, network discovery, and credential theft.
- The group introduced a new ransomware variant, FakePenny, with a NotPetya-like ransom note and a $6.6M BTC demand, marking a first for this actor.
- Fake companies (StarGlow Ventures and C.C. Waterfall) are used for outreach and recruitment-style lures, backed by legitimate-appearing web presences and emails that embed tracking pixels to confirm which targets opened them.
MITRE Techniques
- [T1566.003] Phishing via Service – Moonstone Sleet delivered a trojanized PuTTY via LinkedIn, Telegram, and freelancing platforms. Quote: “In early August 2023, Microsoft observed Moonstone Sleet delivering a trojanized version of PuTTY, an open-source terminal emulator, via apps like LinkedIn and Telegram as well as developer freelancing platforms.”
- [T1053.005] Scheduled Task – Stage 2 installer drops Stage 3 payload and executes SplitLoader via a scheduled task. Quote: “The installer also drops two encrypted files to disk, then executes SplitLoader via a scheduled task or registry run key.”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (formerly tracked as T1060) – Stage 2 can alternatively persist SplitLoader through a registry run key. Quote: “…or registry run key.”
- [T1140] Deobfuscate/Decode Data – Stage 3 decrypts and decompresses the dropped components to form the next-stage payload. Quote: “Stage 3 – SplitLoader: Decrypts and decompresses…”
- [T1105] Ingress Tool Transfer – Stage 4 loads a payload from the C2 after receiving a compressed/encrypted PE. Quote: “Trojan loader: Expects a compressed and encrypted PE file from the C2.”
- [T1195] Supply Chain Compromise – Malicious npm packages delivered to developers through fake companies and freelancing platforms, typically framed as a coding test or project. Quote: “delivered projects through freelancing websites or other platforms like LinkedIn. In one example, the threat actor used a fake company to send .zip files invoking a malicious npm package…”
- [T1543.003] Create or Modify System Process – YouieLoad and loader components create malicious services for discovery and data collection. Quote: “…creates malicious services that perform functions such as network and user discovery and browser data collection.”
- [T1003] OS Credential Dumping – Hands-on-keyboard activity includes credential theft, including theft from LSASS memory (T1003.001). Quote: “…conducts credential theft.” and detections related to “LSASS access.”
- [T1486] Data Encrypted for Impact – Ransomware operation with FakePenny, including a NotPetya-like ransom note and a $6.6M demand. Quote: “The ransom demand was $6.6M USD in BTC.”
- [T1036] Masquerading – Moonstone Sleet created fake companies (StarGlow Ventures, C.C. Waterfall) to impersonate legitimate entities. Quote: “Moonstone Sleet creating several fake companies impersonating software development and IT services…”
Indicators of Compromise
- [File hash] putty.exe (drops SplitLoader) – f59035192098e44b86c4648a0de4078edbe80352260276f4755d15d354f5fc58
- [File hash] putty.exe (drops SplitLoader) – cb97ec024c04150ad419d1af2d1eb66b5c48ab5f345409d9d791db574981a3fb
- [File hash] [random].dat (SplitLoader) – 39d7407e76080ec5d838c8ebca5182f3ac4a5f416ff7bda9cbc4efffd78b4ff5
- [File hash] Package.db, thumbs.db (YouieLoad via npm) – 70c5b64589277ace59db86d19d846a9236214b48aacabbaf880f2b6355ab5260
- [File hash] adb.bin, u.bin, Id.bin (YouieLoad) – cafaa7bc3277711509dc0800ed53b82f645e86c195e85fbf34430bbc75c39c24
- [File hash] data.tmp (YouieLoad) – 9863173e0a45318f776e36b1a8529380362af8f3e73a2b4875e30d31ad7bd3c1
- [File hash] delfi-tank-unity.exe – f66122a3e1eaa7dcb7c13838037573dace4e5a1c474a23006417274c0c8608be
- [File hash] DeTankWar.exe – 56554117d96d12bd3504ebef2a8f28e790dd1fe583c33ad58ccbf614313ead8e
- [File hash] DeTankWar.exe – ecce739b556f26de07adbfc660a958ba2dca432f70a8c4dd01466141a6551146
- [File hash] NVUnityPlugin.dll, Unityplayer.dll (YouieLoad via tank game) – 09d152aa2b6261e3b0a1d1c19fa8032f215932186829cfcca954cc5e84a6cc38
- [Domain] mingeloem.com, matrixane.com – Moonstone Sleet infrastructure domains
- [Domain] detankwar.com, defitankzone.com – DeTankWar-related domains
- [Domain] starglowventures.com – StarGlow Ventures domain
- [Domain] ccwaterfall.com – C.C. Waterfall domain
- [Domain] bestonlinefilmstudio.org – Moonstone Sleet domain
- [Domain] blockchain-newtech.com – Moonstone Sleet domain
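The following is an added hunting example, not code from Microsoft's report or from this page: it loads the SHA-256 hashes and domains listed above, adds two behavioural rules for the persistence described in the MITRE section (schtasks /create and writes under a CurrentVersion\Run key), and runs them over a few constructed endpoint events. The JSON event schema (fields such as event, host, sha256, cmdline, key, qname) and the sample log lines are assumptions made for the example; adapt the field mapping to your own EDR or Sysmon export. Hash values are normalised to lower case before lookup, and domain matching accepts subdomains of an IOC domain but not lookalikes that merely end in the same string.

```python
"""Hunt for Moonstone Sleet IOCs and persistence behaviour in endpoint event logs."""
import json
import re
from typing import Dict, Iterable, List, Optional

# SHA-256 IOCs copied from the list above, mapped to the file they describe.
MOONSTONE_SLEET_SHA256 = {
    "f59035192098e44b86c4648a0de4078edbe80352260276f4755d15d354f5fc58": "putty.exe (drops SplitLoader)",
    "cb97ec024c04150ad419d1af2d1eb66b5c48ab5f345409d9d791db574981a3fb": "putty.exe (drops SplitLoader)",
    "39d7407e76080ec5d838c8ebca5182f3ac4a5f416ff7bda9cbc4efffd78b4ff5": "[random].dat (SplitLoader)",
    "70c5b64589277ace59db86d19d846a9236214b48aacabbaf880f2b6355ab5260": "Package.db / thumbs.db (YouieLoad via npm)",
    "cafaa7bc3277711509dc0800ed53b82f645e86c195e85fbf34430bbc75c39c24": "adb.bin / u.bin / Id.bin (YouieLoad)",
    "9863173e0a45318f776e36b1a8529380362af8f3e73a2b4875e30d31ad7bd3c1": "data.tmp (YouieLoad)",
    "f66122a3e1eaa7dcb7c13838037573dace4e5a1c474a23006417274c0c8608be": "delfi-tank-unity.exe",
    "56554117d96d12bd3504ebef2a8f28e790dd1fe583c33ad58ccbf614313ead8e": "DeTankWar.exe",
    "ecce739b556f26de07adbfc660a958ba2dca432f70a8c4dd01466141a6551146": "DeTankWar.exe",
    "09d152aa2b6261e3b0a1d1c19fa8032f215932186829cfcca954cc5e84a6cc38": "NVUnityPlugin.dll / Unityplayer.dll (YouieLoad via tank game)",
}
# Domain IOCs copied from the list above.
MOONSTONE_SLEET_DOMAINS = {
    "mingeloem.com", "matrixane.com", "detankwar.com", "defitankzone.com",
    "starglowventures.com", "ccwaterfall.com", "bestonlinefilmstudio.org",
    "blockchain-newtech.com",
}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Behavioural rules for the persistence paths described in the report.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.IGNORECASE)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.IGNORECASE)


def normalize_sha256(value: Optional[str]) -> Optional[str]:
    """Lower-case a hash and reject anything that is not 64 hex characters."""
    if not value:
        return None
    value = value.strip().lower()
    return value if SHA256_RE.fullmatch(value) else None


def match_domain(qname: str) -> Optional[str]:
    """Return the IOC domain that qname equals or is a subdomain of, else None."""
    qname = qname.strip().lower().rstrip(".")  # strip the trailing dot of an FQDN
    for ioc in MOONSTONE_SLEET_DOMAINS:
        if qname == ioc or qname.endswith("." + ioc):
            return ioc
    return None


def check_event(ev: Dict) -> List[Dict]:
    """Apply the IOC and behaviour rules to one parsed event (assumed schema)."""
    findings: List[Dict] = []
    host = ev.get("host")
    kind = ev.get("event")
    if kind == "process_create":
        sha = normalize_sha256(ev.get("sha256"))
        if sha in MOONSTONE_SLEET_SHA256:
            findings.append({"rule": "ioc_hash", "host": host,
                             "detail": MOONSTONE_SLEET_SHA256[sha]})
        if SCHTASKS_CREATE_RE.search(ev.get("cmdline", "")):
            findings.append({"rule": "persist_schtasks", "technique": "T1053.005",
                             "host": host, "detail": ev.get("cmdline")})
    elif kind == "registry_set":
        if RUN_KEY_RE.search(ev.get("key", "")):
            findings.append({"rule": "persist_runkey", "technique": "T1547.001",
                             "host": host, "detail": ev.get("key")})
    elif kind == "dns_query":
        ioc = match_domain(ev.get("qname", ""))
        if ioc:
            findings.append({"rule": "ioc_domain", "host": host,
                             "detail": f"{ev.get('qname')} -> {ioc}"})
    return findings


def hunt(lines: Iterable[str]) -> List[Dict]:
    """Parse one JSON event per line and collect findings; malformed lines are skipped."""
    findings: List[Dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend(check_event(ev))
    return findings


# Constructed sample events for the example (not real telemetry).
SAMPLE_LOG = r"""
{"event": "process_create", "host": "dev-ws01", "image": "C:\\Users\\dev\\Downloads\\putty.exe", "sha256": "F59035192098E44B86C4648A0DE4078EDBE80352260276F4755D15D354F5FC58", "cmdline": "putty.exe"}
{"event": "process_create", "host": "dev-ws01", "image": "C:\\Windows\\System32\\schtasks.exe", "sha256": "0000000000000000000000000000000000000000000000000000000000000000", "cmdline": "schtasks.exe /create /sc onlogon /tn Updater /tr C:\\ProgramData\\x.dat"}
{"event": "registry_set", "host": "dev-ws01", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "value": "C:\\ProgramData\\x.dat"}
{"event": "dns_query", "host": "dev-ws01", "qname": "cdn.detankwar.com."}
{"event": "dns_query", "host": "dev-ws02", "qname": "notdetankwar.com"}
{"event": "process_create", "host": "dev-ws02", "image": "C:\\Program Files\\PuTTY\\putty.exe", "sha256": "1111111111111111111111111111111111111111111111111111111111111111", "cmdline": "putty.exe"}
not json at all
"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG.splitlines()):
        print(json.dumps(finding))
```

On the sample input the script reports four findings on dev-ws01 (the trojanized putty.exe hash, the schtasks /create, the Run key write, and the DNS query to a detankwar.com subdomain) and nothing for dev-ws02, whose legitimate PuTTY and lookalike domain are not matched. Hash-only matching will miss recompiled samples, so the two behavioural rules are there to catch the persistence step regardless of which loader variant was dropped.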