Microsoft discovered Moonstone Sleet, a group of North Korean hackers

Microsoft discovered Moonstone Sleet, a group of hackers from North Korea. Their malware and ransomware are similar to the ones used by the Lazarus Group. On top of that, the group of cyber terrorists targets individuals and organizations related to technology, education, and more.

How does the Moonstone Sleet operate?

The wrongdoers from the Moonstone Sleet use fake identities or businesses to attract their targets. Then, they send trojanized versions of legitimate tools. In addition, the attackers created a playable malicious game and a new custom ransomware.

Moonstone Sleet uses a mix of malware and techniques. Some are unique to the group, while others are similar to the ones used by other hacking groups from North Korea, such as the Lazarus Group. For example, the wrongdoers from Moonstone are reusing the code of the Comebacker malware.

The members of the Lazarus Group previously used Comebacker in Python and npm packages. This allowed them to download malicious tools from a server controlled by them.

The wrongdoers targeted IT workers using popular platforms

In August 2023, the Moonstone Sleet started using Linkedin, Telegram, and developer freelancing platforms. This way, they tricked IT workers into downloading a trojanized version of PuTTY, an open-source terminal emulator.

For instance, in most cases, the threat actors sent a .zip file containing two files: a trojanized version of putty.exe and an url.txt with an IP and password. If the target typed the data from the url.txt, the malicious code would have started decrypting a hidden payload. Then, the malware would allow the Moonstone Sleet to steal data, access the system, or deploy more viruses.

The trojanized version of PuTTY also drops another malware known as SplitLoader. During the last stage of infection, the virus drops a trojan that decompresses, decrypts, and executes a PE file received from a C2 server.

Besides using the PuTTY malware, the hackers from Moonstone Sleet also sent .zip files containing malicious npm packages, claiming they were technical skills assessments. Once executed, the packages connected to an actor-controlled IP address and deployed payloads similar to SplitLoader.

In addition, the Moonstone Sleet deployed malicious npm loaders that facilitated credential theft via Windows Local Security Authority Subsystem Service (LASS).

The attackers developed a malicious game

These threat actors developed a game that works, known as DeTankWar, and distributed it through emails and messaging platforms. Also, they set up fake websites and X accounts for the game.

The group often presented itself as a game developer looking for investments or developer support. Additionally, they either disguised as legitimate companies or created fake ones. For example, they used the name C.C. Waterfall and sent the malicious game to developers pretending to be a blockchain-related project.

The .exe file of the game contained YouieLoad, a malware that loads next-stage payloads into the memory. On top of that, it creates viruses for network and user discovery and data collection.

Moonstone Sleet had another fake company known as StarGlow Ventures. They pretended to be a software development company seeking collaborations for web apps, mobile apps, blockchain, and AI.

The hackers from the Moonstone Sleet also targeted a defense technology company with the FakePenny ransomware and asked for a $6.6 million ransom in Bitcoin.

Ultimately, to protect your company from threat actors like the Moonstone Sleet, Microsoft advises you to be on the lookout for supply chain attacks. In addition, you should use antimalware software and inform other people working with you about ransomware and malware. After all, your whole network might be affected.

Do you think that the Moonstone Sleet is a real threat? Let us know in the comments.