Summary:
Moonstone Sleet, a newly identified North Korean APT group, combines espionage with financial motives through sophisticated cyberattacks. Utilizing social engineering, custom malware, and ransomware, they target technology firms, financial institutions, and cryptocurrency platforms. Their operations reflect a dual focus on financial gain and geopolitical intelligence, posing significant risks to global organizations.
#NorthKoreanAPT #CyberEspionage #RansomwareEvolution
Keypoints:
- Moonstone Sleet is linked to targeted attacks against technology companies, financial institutions, and cryptocurrency platforms.
- The group employs spear-phishing campaigns and advanced reconnaissance to infiltrate networks.
- FakePenny ransomware represents a shift towards large-scale financial extortion, demanding significant ransoms.
- Trojanized PuTTY is used to exploit trusted tools for malicious purposes, initiating multi-stage malware attacks.
- Recent campaigns include the malicious tank game DeTankWar and exploitation of open-source software supply chains.
- Moonstone Sleet’s tactics reflect a dual objective of financial gain and geopolitical intelligence gathering.
MITRE Techniques:
- Phishing: Spearphishing Link (T1566.002): Fake job offers and collaboration requests lure victims into opening malware.
- Supply Chain Compromise (T1195): Trojanized npm packages and open-source libraries compromise developer environments.
- User Execution: Malicious File (T1204.002): Malicious files (e.g., ZIP archives containing trojanized PuTTY) execute payloads on victim systems.
- Command and Scripting Interpreter (T1059): Malicious scripts in npm packages use system interpreters like rundll32.exe to execute DLL payloads.
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): Malware establishes persistence through registry modifications or scheduled tasks.
- OS Credential Dumping (T1003): Credentials are extracted from LSASS or other system processes using tools like Mimikatz.
- Input Capture: Keylogging (T1056.001): Keystrokes are captured to steal credentials.
- System Network Connections Discovery (T1049): Malware maps network connections to identify potential targets for lateral movement.
- Account Discovery: Domain Account (T1087.002): Information on domain accounts is gathered for privilege escalation.
- Exploitation of Remote Services (T1210): Exploiting vulnerable systems for lateral access within the target network.
- Remote Services: SMB/Windows Admin Shares (T1021.002): Movement within the network is achieved through compromised Windows shares.
- Data from Local System (T1005): Browser data and other sensitive files are exfiltrated from local systems.
- Application Layer Protocol (T1071): Communication with C2 servers occurs via HTTP(S) or custom protocols.
- Data Encrypted for Impact (T1486): FakePenny ransomware encrypts victim data for extortion purposes.
- Disk Wipe (T1561): Disk-wiping techniques are used in ransomware to obscure espionage operations.
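A defender-side check for the npm supply-chain and rundll32 techniques listed above, added here as an example and not taken from the SOCRadar research: it audits the install-time lifecycle hooks of a package.json for patterns such as rundll32 loading a DLL. The package name, hook contents and pattern names in the sample are constructed.

```python
import json
import re

# Lifecycle hooks npm runs automatically during `npm install`; a trojanized
# package typically hides its loader in one of these rather than in "test".
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Patterns that have no business in a legitimate package's install hooks.
# rundll32 launching a DLL is the behaviour the profile above describes.
SUSPICIOUS = {
    "rundll32 DLL execution": re.compile(r"\brundll32(\.exe)?\b.*\.dll", re.I),
    "regsvr32 DLL registration": re.compile(r"\bregsvr32(\.exe)?\b", re.I),
    "encoded PowerShell": re.compile(r"powershell.*-(e|enc|encodedcommand)\b", re.I),
    "remote download in hook": re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I),
}


def audit_npm_scripts(package_json_text):
    """Return (hook, reason, command) findings for suspicious lifecycle
    scripts in a package.json document; an empty list means nothing matched."""
    scripts = json.loads(package_json_text).get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        for reason, pattern in SUSPICIOUS.items():
            if pattern.search(cmd):
                findings.append((hook, reason, cmd))
    return findings


# Constructed sample (not a real package): a postinstall hook that mimics
# the rundll32-based DLL loader behaviour described in the profile.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-utils",
    "version": "1.0.0",
    "scripts": {
        "test": "node test.js",
        "postinstall": "node setup.js && rundll32.exe ./lib/helper.dll,Start",
    },
})

if __name__ == "__main__":
    for hook, reason, cmd in audit_npm_scripts(SAMPLE_PACKAGE_JSON):
        print(f"[{hook}] {reason}: {cmd}")
```

Run it against the package.json of each dependency before `npm install` (or with `--ignore-scripts` set) so the hooks are inspected rather than executed.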
IoC:
- No IoC Found
Full Research: https://socradar.io/dark-web-profile-moonstone-sleet/