North Korea’s Cyber Threat Evolution: The Rise of Moonstone Sleet


North Korea’s cyber threat landscape has evolved in recent years, with the emergence of a new and highly sophisticated cyber actor named Moonstone Sleet. Previously known as Storm-1789, this group has shown remarkable growth in its capabilities, employing advanced techniques for both financial gain and espionage. According to Microsoft, Moonstone Sleet operates under the direction of the North Korean state, using a combination of traditional methods and innovative tactics to further its goals.

The Rise of Moonstone Sleet: Tactics, Tools, and Operations

Moonstone Sleet, formerly identified as Storm-1789, has reshaped its operations, moving from infrastructure and tooling shared with other North Korean groups to its own, more specialized kit. The shift marks a notable change in North Korea’s cyber strategy: the group now acts with greater autonomy and a higher level of tradecraft.

The group’s primary objectives are financial gain and intelligence collection, pursued through a mix of cybercrime and espionage. Its most prominent tool is a custom ransomware called FakePenny, first detected in April 2024. FakePenny consists of a loader and an encryptor, and the accompanying ransom note demanded $6.6 million in Bitcoin, far above the demands seen in earlier North Korean ransomware operations and a clear sign that the group is after large payouts.

In addition to FakePenny, Moonstone Sleet built a malicious game called DeTankWar. It is pushed to targets through social media, email, and messaging platforms, prospective players are asked to register, and the game is marketed as part of a supposedly legitimate blockchain project. Once installed, the game compromises the user’s device and serves as a vehicle for follow-on malicious activity.

For initial access, Moonstone Sleet also distributes trojanized builds of trusted software such as the SSH client PuTTY. These builds are handed to targets over social media, messaging apps, and freelancing websites, trading on the tool’s reputation to get a victim to run it. Once the trojanized tool executes, the actor stages additional custom loaders, such as SplitLoader and YouieLoad, to expand the intrusion.

Moonstone Sleet has also set up fake companies, including StarGlow Ventures and C.C. Waterfall, to approach organizations in the software development and education sectors. After building a relationship under cover of these companies, the actor sends emails that look routine but ultimately lead to malicious activity.


What Undercode Says: An Analysis of Moonstone Sleet


The ransomware activity attributed to Moonstone Sleet, and the FakePenny deployment in particular, is a clear step up from earlier North Korean cybercrime. The $6.6 million Bitcoin demand is unusually high compared with previous ransom requests, which suggests the group is selecting high-value victims that it judges able to pay and unable to absorb a prolonged outage.

The DeTankWar game is another sign of the group’s resourcefulness. By hiding malicious code inside a plausible, though fake, blockchain game, Moonstone Sleet uses the broad interest in cryptocurrency projects as a lure. The tactic widens the group’s reach and lets it infect systems without the suspicion a bare executable from a stranger would raise.

The trojanized PuTTY builds and the custom loaders illustrate the group’s low-profile approach. A tool that administrators already trust and run daily is far more likely to be executed by a target, and a maliciously modified copy can pass a casual inspection. Once inside, the use of loaders such as SplitLoader and YouieLoad shows a growing capability to run multi-stage intrusions, staying under the radar while gathering intelligence or deploying more destructive payloads.
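The trojanized-PuTTY delivery described in the tactics section and revisited here comes down to a single practitioner question: is the binary you were handed over chat or a freelancing site the vendor’s build? The script below is an added example, not code from the original article, from Microsoft, or from Undercode. It performs two offline checks on a Windows executable: a SHA-256 comparison against an allowlist of vendor-published hashes, and a walk of the PE headers to see whether the file carries an Authenticode certificate table at all (data directory entry 4, IMAGE_DIRECTORY_ENTRY_SECURITY). The allowlist and the two sample PE images are constructed inside the script for demonstration; they are not real PuTTY hashes or real malware samples.

```python
"""Pre-execution checks for a binary received out-of-band (added example).

Two cheap, offline tests for a "PuTTY" handed over chat or a freelancing site:
  1. SHA-256 against a vendor hash allowlist (constructed placeholder here).
  2. Presence of an Authenticode certificate table in the PE headers.
Neither check validates a signature chain; see the note after the block.
"""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data directory slot for Authenticode
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # wCertificateType for PKCS#7 blobs


def security_directory(data: bytes):
    """Return (file_offset, size) of the certificate table, or None if absent.

    Raises ValueError when the bytes are not a parsable PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                       # PE32+: directories at +112
        dd_off = 112
    elif magic == 0x10B:                     # PE32: directories at +96
        dd_off = 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", data, opt + dd_off - 4)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    entry = opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    off, size = struct.unpack_from("<II", data, entry)  # offset is a file offset
    if off == 0 or size == 0:
        return None
    if off + size > len(data):
        raise ValueError("certificate table points outside the file")
    return off, size


def build_minimal_pe(signed: bool, pe32plus: bool = True) -> bytes:
    """Construct a minimal, non-runnable PE image for exercising the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    magic, opt_size, dd_off = (0x20B, 240, 112) if pe32plus else (0x10B, 224, 96)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dd_off - 4, 16)  # NumberOfRvaAndSizes
    body = b"\x00" * 64
    cert = b""
    if signed:
        # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, bCertificate
        payload = b"\xDE\xAD\xBE\xEF" * 2          # stand-in for a PKCS#7 blob
        cert = struct.pack("<IHH", 8 + len(payload), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        cert_off = len(dos) + 4 + len(coff) + opt_size + len(body)
        struct.pack_into("<II", opt, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         cert_off, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + body + cert


# Constructed samples: a "vendor" build with a cert table and a rebuilt copy
# that lost it (the typical shape of a trojanized rebuild).
SIGNED_SAMPLE = build_minimal_pe(signed=True)
TROJANIZED_SAMPLE = build_minimal_pe(signed=False)
# Hypothetical allowlist; in practice this holds the vendor's published hashes.
KNOWN_GOOD_SHA256 = {hashlib.sha256(SIGNED_SAMPLE).hexdigest()}


def assess(data: bytes, allowlist=KNOWN_GOOD_SHA256) -> dict:
    """Combine the hash check and the cert-table check into one verdict."""
    digest = hashlib.sha256(data).hexdigest()
    sec = security_directory(data)
    has_signature = False
    if sec is not None:
        off, size = sec
        length, _rev, ctype = struct.unpack_from("<IHH", data, off)
        has_signature = ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA and length <= size
    if digest in allowlist:
        verdict = "known-good"
    elif not has_signature:
        verdict = "unsigned-reject"
    else:
        verdict = "signed-unknown-verify-chain"
    return {"sha256": digest, "has_signature": has_signature, "verdict": verdict}


if __name__ == "__main__":
    for name, blob in (("vendor build", SIGNED_SAMPLE), ("rebuilt copy", TROJANIZED_SAMPLE)):
        print(name, assess(blob))
```

A file that returns "unsigned-reject" should never be run, whatever platform it arrived from. A "signed-unknown-verify-chain" result only means a certificate table exists; the chain and the publisher name still have to be validated with a proper tool (on Windows, `Get-AuthenticodeSignature` or `signtool verify /pa`), because an attacker can re-sign a rebuilt binary with a certificate of their own. Only a hash that matches the vendor’s published value closes the question.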

Moonstone Sleet’s creation of fake companies such as StarGlow Ventures and C.C. Waterfall shows the group refining its social engineering. By impersonating legitimate businesses, it can build working relationships in the software and education sectors and turn them into intrusion opportunities. North Korean actors are no longer relying solely on commodity phishing and malware lures; they are folding patient, relationship-based social engineering into their playbook, which makes these approaches harder for organizations to spot and block.

As the group continues to expand its operations, the potential impact on both private organizations and national security becomes more significant. Moonstone Sleet’s ability to operate across multiple campaigns simultaneously, and its development of unique malware, shows the group’s considerable resources and advanced capabilities. This evolution aligns with broader trends in state-sponsored cyber operations, where adversaries are growing more skilled and versatile.

Fact Checker Results: Assessing the Claims

  1. FakePenny Ransomware: Verified as a newly emerging ransomware, with high ransom demands and custom tools.
  2. DeTankWar Game: Evidence of this game being used in attacks, serving as a social engineering tool to spread malware.
  3. Trojanized Tools: Confirmed usage of trusted software like PuTTY in attack vectors by North Korean actors.

References:

Reported By: https://cyberpress.org/north-korean-moonstone-sleet-deploys-custom-ransomware/