
North Korean Kimsuky use MoonPeak trojan in cloud campaign

by Arun Maity

A state-sponsored North Korean threat cluster has been observed using a new remote access trojan (RAT) dubbed MoonPeak. MoonPeak is a variant of the open-source XenoRAT malware, which was previously used in phishing campaigns that retrieved payloads from cloud services such as Google Drive, Microsoft OneDrive and Dropbox.

Cisco Talos attributes the campaign to a threat cluster it tracks as UAT-5394, whose TTPs and infrastructure overlap with those of the North Korean state-sponsored group Kimsuky. Key XenoRAT capabilities include loading additional plugins, launching and terminating processes, and communicating with a command-and-control (C2) server.

The campaign's defining characteristic is the build-out of new infrastructure: C2 servers, payload-hosting sites and virtual machines used to create new MoonPeak variants. The C2 servers host malicious artifacts for download and were also used to access and set up the rest of the new infrastructure.

An analysis by Cisco Talos researchers Asheer Malhotra, Guilherme Venere and Vitor Ventura states that the group was seen accessing existing servers to update payloads and to retrieve information and logs collected by MoonPeak. MoonPeak's continual evolution goes hand in hand with the new infrastructure UAT-5394 has set up.

Each new MoonPeak variant adds obfuscation to hinder analysis and changes the C2 communication method so that unauthorised parties cannot connect to the servers. "Simply put, the threat actors ensured that specific variants of MoonPeak only work with specific variants of the C2 server," the researchers said. For defenders, this also means that network signatures written for one MoonPeak build may not match the next.

The constant development and deployment of new malware versions indicates that UAT-5394 is expanding and refining its toolkit. The group's roll-out of new supporting infrastructure may be an attempt to scale the campaign quickly by standing up more C2 servers and drop points.

While it is unclear whether UAT-5394 is Kimsuky itself or one of its subgroups, the cluster was observed actively developing and using QuasarRAT C2 servers before moving to XenoRAT and MoonPeak. The similarities between the two imply either that they are linked or that UAT-5394 is a separate North Korean crew that has borrowed Kimsuky's toolkit.



Arun Maity is a journalist from Kolkata who graduated from the Asian College of Journalism. He has an avid interest in music, videogames and anime. When he's not working, you can find him practicing and recording his drum covers, watching anime or playing games. You can contact him here: arunmaity23@proton.me
