
MoonPeak: Mysterious Trojan from North Korea Terrifies Corporate Networks

Friend

Cloud services have become a key link in the spread of digital contagion.

A new Remote Access Trojan (RAT) called MoonPeak has been discovered as part of a campaign run by a cyber group linked to the North Korean government. Cisco Talos experts attributed this malicious campaign to the UAT-5394 hacker group, which, according to their data, has tactical overlaps with a well-known national-level actor codenamed Kimsuky.

MoonPeak, which is still under active development, is a variant of the well-known Xeno RAT, a malware family previously used in phishing campaigns that retrieved their payloads from attacker-operated accounts on cloud services such as Dropbox, Google Drive, and Microsoft OneDrive. Key capabilities inherited from Xeno RAT include loading additional plugins, managing processes on the infected host, and communicating with a command and control (C2) server.

The overlap between the two malware families suggests that UAT-5394 is either Kimsuky itself (or a subgroup of it), or another North Korean state actor reusing Kimsuky's tooling.

A key element of the campaign is new, attacker-owned infrastructure: C2 servers, malware hosting sites, and test virtual machines. This infrastructure was built specifically to support new versions of MoonPeak.

Talos researchers noted that the C2 servers host the malicious artifacts used to set up and maintain further infrastructure. In several cases, the attackers were observed logging in to existing servers to update the payload and retrieve the data collected by MoonPeak.

The move from legitimate cloud storage to self-hosted infrastructure marks a change in the group's tradecraft. The objectives of the current campaign, however, are still unknown.

Notably, "the constant evolution of MoonPeak is closely tied to the creation of new infrastructure by the attackers": each new version of the malware adds new concealment techniques and changes to the C2 communication mechanism, so that unauthorized (or outdated) clients cannot connect.

The researchers also highlighted that the operators deliberately made specific versions of MoonPeak compatible only with matching variants of the C2 servers. The rapid rollout of new tooling and infrastructure indicates the group intends to scale the campaign quickly, establishing more access points and C2 servers.
