Cisco Talos has recently identified a state-sponsored North Korean threat actor group, UAT-5394 [1] [2] [3] [4] [5] [6] [8], associated with the Kimsuky APT group. This group has been distributing a new Remote Access Trojan (RAT) called MoonPeak, a variant of the XenoRAT malware that the threat actor is actively developing [7].

Description

UAT-5394 operates infrastructure that includes staging servers, command-and-control (C2) servers [3] [6] [7] [8], and test machines for its implants [5] [8]. MoonPeak [1] [2] [3] [4] [5] [6] [7] [8], derived from XenoRAT [1], is updated continually with new obfuscation techniques and changes to its communication mechanisms in order to evade detection [2]. The threat actors access their servers from VPN nodes [3] [5], update payloads on existing servers [5], and set up new infrastructure to expand the campaign.

Although the activity overlaps with Kimsuky, the connection is not definitive: UAT-5394 may be a sub-group within Kimsuky or a separate entity borrowing its tactics and infrastructure [5].

Talos’ research has mapped the infrastructure used by UAT-5394 [5], revealing interconnections between servers over the past two months. The campaign involves creating new infrastructure [2] [7], including C2 servers and payload-hosting sites [2] [4] [5] [7] [8], to support the deployment of new MoonPeak iterations [2] [7]. The threat actor updates payloads, collects data from MoonPeak infections [7], and shows intent to expand the campaign rapidly, pairing enhanced obfuscation techniques with modifications to prevent unauthorized access.

Conclusion

The evolving nature of MoonPeak and the threat actor’s shift in strategy towards setting up its own servers pose significant challenges for detection and mitigation. Organizations should remain vigilant and implement robust security measures to protect against such advanced threats. The continued evolution of the malware highlights the need for ongoing monitoring and adaptation of security controls to counter the threat actor’s tactics effectively.

References

[1] https://securityaffairs.com/167340/malware/north-korea-apt-moonpeaknorth.html
[2] https://thehackernews.com/2024/08/north-korean-hackers-deploy-new.html
[3] https://duo.com/decipher/new-moonpeak-rat-linked-to-north-korean-actors
[4] https://securityonline.info/north-korean-hackers-upgrade-arsenal-with-moonpeak-rat/
[5] https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/
[6] https://www.infosecurity-magazine.com/news/moonpeak-rat-north-korea/
[7] https://thereviewhive.blog/moonpeak-trojan-new-north-korean-cyber-campaign-uncovered-by-cisco-talos/
[8] https://f5.pm/go-257373.html