Microsoft tracks ‘Moonstone Sleet’, new North Korean threat actor

Microsoft tracked a new North Korean cybercrime group, codenamed “Moonstone Sleet,” on May 28. The group uses several techniques and distinct attack strategies that have been tried and tested by other North Korean threat actors to achieve its monetary and cyber-spying objectives.

A press release by Microsoft stated that the new threat actor has been observed creating fake companies, such as StarGlow Ventures and C.C. Waterfall, and fake job opportunities to connect with potential targets, using trojanized versions of legitimate tools, creating malicious games, and distributing new custom ransomware. Microsoft noted that the cybercrime group was formerly tracked as "Storm-1789".

Microsoft traces the North Korean group's activity back to August 2023, the earliest date it was spotted. Since then, Moonstone Sleet has been spreading trojanized versions of PuTTY and SumatraPDF via LinkedIn, Telegram, and many freelancing platforms. The apps are designed to load additional payloads and provide access for follow-up attacks against its specific targets.

With cyber-espionage and revenue generation as its primary goals, Moonstone Sleet targeted software companies, developers and the aerospace sector. The group compromised a defense technology group to steal intellectual property and credentials and a company that makes drone technology in early December 2023. It also compromised a company that makes aircraft parts in May 2024.

Moonstone Sleet has also been linked to the deployment of FakePenny, a new ransomware strain observed as early as April 2024. The North Korean group has also set up fake companies to build relationships with organisations of interest, mainly those involved in software development and higher education.

Microsoft observed Moonstone Sleet using a malicious tank game called DeTankWar (which also went by the names DeFiTankWar, DeTankZone, or TankWarsZone), developed by the group itself, to infect devices since February 2024. The group has also been accused of using a fake company, C.C. Waterfall, to contact its targets.

Other attack sequences of the group used malicious npm packages that were spread through LinkedIn and freelancing websites. For example, the cybercrime group posed as a fake company to send .ZIP files that invoke a malicious npm package, presenting them as a technical skills assessment.

Arun Maity
