North Korean Moonstone Sleet Deploys Custom Ransomware with Creative Tactics

Microsoft has identified a new North Korean threat actor, Moonstone Sleet, which it assesses as a state-aligned group that blends tradecraft shared with other North Korean actors with novel techniques of its own, pursuing both financial gain and espionage.

The actor, formerly tracked as Storm-1789, has changed markedly since it was first observed: early activity overlapped with infrastructure used by other North Korean groups, but it now runs its own bespoke infrastructure and operations.

Tactics and Techniques

Moonstone Sleet’s arsenal includes the deployment of custom ransomware, dubbed FakePenny, which was observed in April 2024.

FakePenny consists of a loader and an encryptor. Its use marks a notable escalation in North Korean operations, since the group is pursuing large financial payouts rather than only espionage.

The ransom demanded in the observed FakePenny incident was unusually large, $6.6 million in Bitcoin, well above the sums sought in earlier North Korean ransomware attacks.

Moonstone Sleet has also built a fully functional tank game, DeTankWar, that doubles as an infection vector.

The game requires players to register, and it is pushed to targets through messaging platforms or email, usually presented as a legitimate blockchain project.

Moonstone Sleet also gains initial access by delivering trojanized builds of legitimate tools, notably PuTTY.

Figure: Moonstone Sleet attack chain using trojanized PuTTY

These trojanized tools are typically handed to targets over social media and freelancing websites rather than downloaded from the vendor's site.
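A trojanized build of a signed tool is caught most cheaply before it ever runs, by checking that the binary still carries the publisher's Authenticode signature and that its hash matches the one published with the official release. The following PowerShell is an added example written for this page; it is not code from the article, from Microsoft, or from the PuTTY project. The file path is hypothetical, and the expected signer string is an assumption based on PuTTY release builds being signed by the project author; both should be adjusted for your environment.

```powershell
# Added example: refuse to trust a received binary (here a PuTTY build) unless its
# Authenticode signature is valid AND the signer is the expected publisher.
# Assumptions: $Path is a hypothetical location; $ExpectedSigner is an assumed
# substring of the legitimate publisher's certificate subject.
param(
    [string]$Path           = 'C:\Users\Public\Downloads\putty.exe',  # hypothetical path
    [string]$ExpectedSigner = 'Simon Tatham'                            # assumed signer
)

function Test-TrustedBinary {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][string]$SignerPattern
    )

    if (-not (Test-Path -LiteralPath $FilePath)) {
        return [pscustomobject]@{ Path = $FilePath; Verdict = 'MISSING'; Reason = 'file not found' }
    }

    # Signature status is one of: Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
    # HashMismatch is the interesting one for a tampered build: the signature block is still
    # present, but the bytes it covers no longer match it.
    $sig     = Get-AuthenticodeSignature -LiteralPath $FilePath
    $sha256  = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    $reason = $null
    if ($sig.Status -ne 'Valid') {
        $reason = "signature status is $($sig.Status)"
    } elseif ($subject -notlike "*$SignerPattern*") {
        # A valid signature from the wrong publisher is still a rejection: attackers can
        # sign their own build with a certificate they control.
        $reason = "signed by unexpected publisher: $subject"
    }

    [pscustomobject]@{
        Path    = $FilePath
        SHA256  = $sha256           # compare this against the hash the vendor publishes
        Status  = $sig.Status
        Signer  = $subject
        Verdict = if ($reason) { 'REJECT' } else { 'ACCEPT' }
        Reason  = if ($reason) { $reason } else { 'valid signature from expected publisher' }
    }
}

$result = Test-TrustedBinary -FilePath $Path -SignerPattern $ExpectedSigner
$result | Format-List

# Non-zero exit so the check can gate an install script or a SOAR playbook.
if ($result.Verdict -ne 'ACCEPT') { exit 1 }
```

The SHA-256 in the output is meant to be compared by hand (or by a second script) against the checksum the vendor publishes with the release; a valid signature proves the file was not modified after signing, but only the published hash proves it is the build the vendor actually shipped.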

Once on a host, the actor runs custom loaders such as SplitLoader and YouieLoad to stage and execute follow-on payloads.

The group has also set up fake companies, including StarGlow Ventures and C.C. Waterfall, to build relationships with prospective targets in the software development and education sectors.

These front companies send benign-looking emails to establish contact and rapport before any malicious content is introduced.

Figure: Example of an email from C.C. Waterfall

Implications

The emergence of Moonstone Sleet illustrates how North Korean cyber operations continue to mature.

Running several campaigns concurrently while also developing custom ransomware points to a well-resourced and capable group.

To defend against this activity, Microsoft advises organizations to turn on the advanced protection features in Microsoft Defender for Endpoint.

Specifically, that means enabling controlled folder access, enabling network protection, and confirming that tamper protection is switched on so the actor cannot disable those controls after gaining a foothold.

Running endpoint detection and response (EDR) in block mode adds a remediation layer for post-breach activity, including on hosts where Defender Antivirus is not the primary antivirus product.

Microsoft also recommends cloud-delivered protection, so that detections for rapidly changing attacker tooling reach endpoints without waiting for a signature update.
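The recommendations above map to a handful of Defender settings that can be audited on a host from PowerShell. The script below is an added example written for this page, not code from the article or from Microsoft's own guidance. It reads the current state with Get-MpPreference and Get-MpComputerStatus, enables the settings that can be set locally, and reports the two that cannot: tamper protection and EDR in block mode are configured centrally (Intune or the Microsoft Defender portal), so the script only shows their state. Run it from an elevated prompt.

```powershell
# Added example: audit and, where possible, enforce the Defender for Endpoint
# settings recommended in the article. Requires an elevated PowerShell session
# on a host with the Defender cmdlets (the 'Defender' module) available.

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Numeric values of the settings as exposed by Get-MpPreference:
#   EnableControlledFolderAccess / EnableNetworkProtection: 0 = Disabled, 1 = Enabled, 2 = AuditMode
#   MAPSReporting (cloud-delivered protection): 0 = Disabled, 1 = Basic, 2 = Advanced
$checks = @(
    @{ Name = 'Controlled folder access'
       Actual = $pref.EnableControlledFolderAccess; Want = 1
       Fix = { Set-MpPreference -EnableControlledFolderAccess Enabled } },
    @{ Name = 'Network protection'
       Actual = $pref.EnableNetworkProtection; Want = 1
       Fix = { Set-MpPreference -EnableNetworkProtection Enabled } },
    @{ Name = 'Cloud-delivered protection (MAPS)'
       Actual = $pref.MAPSReporting; Want = 2
       Fix = { Set-MpPreference -MAPSReporting Advanced } }
)

foreach ($c in $checks) {
    if ($c.Actual -eq $c.Want) {
        Write-Host ("[OK]  {0}" -f $c.Name)
    } else {
        Write-Host ("[FIX] {0}: was {1}, setting to {2}" -f $c.Name, $c.Actual, $c.Want)
        & $c.Fix
    }
}

# Read-only checks. Tamper protection is managed from Intune / the Defender portal;
# AMRunningMode reports 'EDR Block Mode' when block mode is active on a host whose
# primary antivirus is a third-party product, and 'Normal' when Defender AV is primary.
if ($status.IsTamperProtected) {
    Write-Host '[OK]  Tamper protection is on'
} else {
    Write-Host '[WARN] Tamper protection is OFF; enable it centrally, not from this host'
}
Write-Host ("[INFO] Antimalware running mode: {0}" -f $status.AMRunningMode)

# Re-read so the final report reflects what actually took effect, since settings
# governed by tamper protection may reject local changes.
$after = Get-MpPreference
[pscustomobject]@{
    ControlledFolderAccess = $after.EnableControlledFolderAccess
    NetworkProtection      = $after.EnableNetworkProtection
    MAPSReporting          = $after.MAPSReporting
    TamperProtected        = $status.IsTamperProtected
    RunningMode            = $status.AMRunningMode
} | Format-List
```

The final re-read matters: when tamper protection is on, changes to protected settings made locally are ignored, which is exactly the behaviour the recommendation relies on, so the script should report what the host actually ended up with rather than what it asked for.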
