Cisco Talos identifies UAT-5394, a North Korean state-sponsored group, deploying MoonPeak, a variant of XenoRAT, to control infected hosts and build a dedicated infrastructure for command and control. The report details ongoing development, improved evasion and obfuscation, new C2 servers, and a possible link to Kimsuky, while noting MoonPeak’s rapid evolution and testing infrastructure. Hashtags: #MoonPeak #XenoRAT #UAT-5394 #Kimsuky #QuasarRAT #NorthKoreanAPT #C2
Keypoints
- UAT-5394 is a North Korean state-sponsored threat actor using the MoonPeak RAT.
- MoonPeak is a variant of the open-source XenoRAT malware.
- The group moved from cloud storage to owning and controlling infrastructure for hosting payloads and C2.
- New MoonPeak C2 servers and payload-hosting sites have been established for ongoing operations.
- MoonPeak has evolved with obfuscation, communication tweaks, and testing infrastructure for development.
- MoonPeak v1 and v2 show architectural and code changes (namespace, compression order, state machines, and string obfuscation) to hinder analysis.
- Cisco notes potential associations with Kimsuky but treats MoonPeak as an independent campaign for now and advises specific defenses to detect and block MoonPeak threats.
MITRE Techniques
- [T1219] Remote Access Software – MoonPeak is a remote access trojan (RAT) that allows the threat actor to control infected systems.
- [T1071] Application Layer Protocol – UAT-5394 utilizes various C2 servers to maintain control over compromised systems.
- [T1566] Phishing – Utilization of spear-phishing campaigns to distribute MoonPeak malware.
- [T1027] Obfuscated Files or Information – MoonPeak employs obfuscation techniques to evade detection.
- [T1003] OS Credential Dumping – MoonPeak may be used to gather credentials from infected systems.
Indicators of Compromise
- [IP Address] – MoonPeak communications and staging infrastructure include 167.88.173.173 and 95.164.86.148 as C2-related hosts referenced in the campaign.
- [Domain] – pumaria.store and yoiroyse.store are domains attributed to UAT-5394 MoonPeak infrastructure and activity.
- [Hash] – MoonPeak_V2 samples: 148c69a7a1e06dc06e52db5c3f5895de6adc3d79498bc3ccc2cbd8fdf28b2070, 1ad43ddfce147c1ec71b37011d522c11999a974811fead11fee6761ceb920b10.
- [File name] – calc.txt (PowerShell script used to pull down an RTF containing MoonPeak); PHP file that serves malicious artifacts based on an id parameter.
- [IP Address] – 104.194.152.251, 27.255.81.118, 80.71.157.55, 45.87.153.79, 45.95.11.52, 159.100.29.122 (additional MoonPeak test and C2 infrastructure referenced in the report).
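The following is an added example, not code from the Talos report or from the MoonPeak/XenoRAT projects, showing how the indicators listed above can be turned into a simple log and hash sweep. The IOC values are the ones on this page; the log lines are constructed for illustration (the timestamps, internal hosts, file path and the third, benign destination are not real telemetry), and the log formats are assumed, so adapt the regexes to whatever your DNS, proxy and EDR sources actually emit.

```python
"""Sweep constructed DNS/proxy/EDR log lines and file contents for the
MoonPeak IOCs listed on this page (added example, not Talos code)."""
import hashlib
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# IOC values as listed on this page: C2/test IPs, domains, MoonPeak v2 SHA-256 hashes.
MOONPEAK_IPS = {
    "167.88.173.173", "95.164.86.148", "104.194.152.251", "27.255.81.118",
    "80.71.157.55", "45.87.153.79", "45.95.11.52", "159.100.29.122",
}
MOONPEAK_DOMAINS = {"pumaria.store", "yoiroyse.store"}
MOONPEAK_SHA256 = {
    "148c69a7a1e06dc06e52db5c3f5895de6adc3d79498bc3ccc2cbd8fdf28b2070",
    "1ad43ddfce147c1ec71b37011d522c11999a974811fead11fee6761ceb920b10",
}


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str  # "ip", "domain" or "sha256"
    value: str     # the matching IOC, normalised to lowercase


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def domain_matches(host: str) -> Optional[str]:
    """Return the IOC domain if host equals it or is a subdomain of it.
    Trailing dots and case are normalised; 'notpumaria.store' must not match."""
    host = host.lower().rstrip(".")
    for ioc in MOONPEAK_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_line(line_no: int, line: str) -> List[Hit]:
    """Extract candidate IPs, hostnames and SHA-256 values from one log line
    and compare each against the IOC sets."""
    hits: List[Hit] = []
    for ip in IPV4_RE.findall(line):
        try:
            ipaddress.ip_address(ip)  # drops regex false positives like 999.1.1.1
        except ValueError:
            continue
        if ip in MOONPEAK_IPS:
            hits.append(Hit(line_no, "ip", ip))
    for host in HOST_RE.findall(line):
        ioc = domain_matches(host)
        if ioc:
            hits.append(Hit(line_no, "domain", ioc))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in MOONPEAK_SHA256:
            hits.append(Hit(line_no, "sha256", digest.lower()))
    return hits


def scan_logs(lines) -> List[Hit]:
    """Scan an iterable of log lines; returns hits in line order."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        hits.extend(scan_line(n, line))
    return hits


def sha256_is_moonpeak(data: bytes) -> bool:
    """Hash raw file bytes (e.g. a quarantined download) and check the v2 hash set."""
    return hashlib.sha256(data).hexdigest() in MOONPEAK_SHA256


# Constructed sample log lines (assumed formats, not real telemetry).
SAMPLE_LOGS = [
    "2024-08-20T10:01:02Z dns client=10.0.0.5 query=www.pumaria.store type=A",
    "2024-08-20T10:01:03Z proxy src=10.0.0.5 dst=95.164.86.148 method=CONNECT",
    "2024-08-20T10:02:10Z proxy src=10.0.0.7 dst=93.184.216.34 host=example.com",
    "2024-08-20T10:05:44Z edr host=WS01 file=C:\\Users\\u\\calc.txt "
    "sha256=148C69A7A1E06DC06E52DB5C3F5895DE6ADC3D79498BC3CCC2CBD8FDF28B2070",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.ioc_type} {hit.value}")
```

Running the block against the constructed lines reports the subdomain lookup for pumaria.store, the CONNECT to 95.164.86.148 and the uppercase MoonPeak v2 hash, and ignores the benign third line. Two caveats follow from the report itself: the domain check deliberately matches subdomains, because payload hosting and C2 were seen on hosts under the actor-controlled domains, and the hash set only covers the v2 samples listed here, so given the rapid evolution Talos describes, treat the network indicators as longer-lived than the file hashes.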
Read more: https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/