{"id":3806,"date":"2024-05-29T15:04:06","date_gmt":"2024-05-29T20:04:06","guid":{"rendered":"https:\/\/www.darkreading.com\/threat-intelligence\/microsoft-moonlight-sleet-apt-melds-espionage-financial-goals"},"modified":"2024-05-29T15:04:06","modified_gmt":"2024-05-29T20:04:06","slug":"microsoft-moonstone-sleet-apt-melds-espionage-financial-goals","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/05\/29\/microsoft-moonstone-sleet-apt-melds-espionage-financial-goals\/","title":{"rendered":"Microsoft: ‘Moonstone Sleet’ APT Melds Espionage, Financial Goals"},"content":{"rendered":"
<\/a><\/div>\n

Researchers at Microsoft have identified a North Korean threat group carrying out espionage and financial cyberattacks concurrently, using a grab bag of different attack techniques against aerospace, education, and software organizations and developers.<\/span><\/p>\n

In the beginning, <\/span>Microsoft explained in a blog post<\/a><\/span>, Moonstone Sleet heavily overlapped with the known DPRK advanced persistent threat (APT) <\/span>Diamond Sleet<\/a><\/span>. The former copped from the latter’s malware \u2014 like <\/span>the Comebacker Trojan<\/a><\/span> \u2014 as well as its infrastructure and preferred techniques \u2014 such as delivering Trojanized software via social media. Moonstone Sleet has since differentiated itself, though, moving to its own infrastructure and establishing for itself a unique, if rather erratic identity.<\/span><\/p>\n

For one thing, where some of Kim Jong-Un’s threat groups <\/span>focus on espionage<\/a><\/span> and others <\/span>focus on stealing money<\/a><\/span>, Moonstone Sleet does both. Having its hands in every pie is reflected in its tactics, techniques, and procedures (TTPs), too, which in various cases have involved fake job offers, custom ransomware, and even a fully functional fake video game.<\/span><\/p>\n

“Moonstone Sleet’s ability to blend traditional cybercriminal methodologies with those of nation-state actors is particularly alarming,” says Adam Gavish, co-founder and CEO at DoControl. “Their multifaceted strategies \u2014 ranging from setting up fake companies to deliver custom ransomware to using compromised tools for direct infiltration \u2014 showcase a versatility that complicates defensive measures.”<\/span><\/p>\n

Moonstone Sleet’s Grab Bag of TTPs<\/h2>\n

To Gavish, “One tactic that stands out is their utilization of trusted platforms, like LinkedIn and Telegram, and developer freelancing websites to target victims. This exploits the inherent trust associated with these platforms, making it easier for them to trick victims into interacting with malicious content.”<\/span><\/p>\n

To add to the realism, Moonstone Sleet uses the <\/span>common North Korean strategy<\/a><\/span> of engaging with victims from the perspective of a seemingly legitimate company.<\/span><\/p>\n

From January to April of this year, for example, the group masqueraded as a software development company called “StarGlow Ventures.” With a sleek custom domain, made-up employees, and social media accounts to go along with it all, StarGlow Ventures targeted thousands of organizations in the software and education sectors. In phishing emails, the faux company complemented its victims and offered to collaborate on upcoming projects.<\/span><\/p>\n

In other cases, the group used another fake company \u2014 C.C. Waterfall \u2014 to spread an especially creative ruse.<\/span><\/p>\n

In emails from C.C. Waterfall since February, Moonstone Sleet has been reaching out to victims with a link to download a video game. “DeTankWar” \u2014 also called DeFiTankWar, DeTankZone, or TankWarsZone \u2014 is marketed as a community-driven, <\/span>play-to-earn<\/a><\/span> tank combat game. It has its own websites, and X accounts for fake personas used to promote it.<\/span><\/p>\n

Remarkably, DeTankWar is a fully functional (if atavistic) video game. When users launch it, though, they also download malicious DLLs with a custom loader called “YouieLoad.” YouieLoad loads malicious payloads to memory, and creates services that probe victim machines and collect data, and allow its owners to perform extra hands-on command execution.<\/span><\/p>\n

\"Post<\/div>\n

Whack-a-Mole Cyber Defense<\/h2>\n

Fake companies and fake video games are just some of Moonstone Sleet’s tricks. Its members also <\/span>try to get hired for remote tech jobs<\/a><\/span> with real companies. It spreads malicious npm packages on LinkedIn and freelancer websites. It has its own ransomware, FakePenny, which it uses in conjunction with a ransom note ripped from NotPetya to solicit millions of dollars worth of Bitcoin.<\/span><\/p>\n

In the face of such varied TTPs and malicious tools, Gavish says, “The answer is fundamentally the same as for any other threat: Defenders must adopt a multi-layered security posture. This involves a combination of endpoint protection, network monitoring, and threat hunting to detect and respond to anomalous activities early.” Microsoft took a similarly broad stance in its blog, highlighting network and tamper protections, endpoint detection and response (EDR), and more steps organizations can take to layer their cyber defenses.<\/span><\/p>\n

“Ultimately,” says Gavish, “the dynamic nature of threats like Moonstone Sleet requires a holistic and adaptive approach to cybersecurity \u2014 one that balances technical defenses with strategic intelligence and continuous vigilance.”<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Researchers at Microsoft have identified a North Korean threat group<\/p>\n","protected":false},"author":12,"featured_media":3807,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-3806","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/microsoft-moonstone-sleet-apt-melds-espionage-financial-goals-scaled.jpg?fit=2560%2C1700&ssl=1",2560,1700,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/microsoft-moonstone-sleet-apt-melds-espionage-financial-goals-scaled.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/microsoft-moonstone-sleet-apt-melds-espionage-financial-goals-scaled.jpg?fit=300%2C199&ssl=1",300,199,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/microsoft-moonstone-sleet-apt-melds-espionage-financial-goals-scaled.jpg?fit=640%2C425&ssl=1",640,425,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/microsoft-moonstone-sleet-apt-melds-espionage-financial-goals-scaled.jpg?fit=640%2C425&ssl=1",640,425,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/microsoft-moonstone-sleet-apt-melds-espionage-financial-goals-scaled.jpg?fit=1536%2C1020&ssl=1",1536,1020,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/microsoft-moonstone-sleet-apt-melds-espionage-financial-goals-scaled.jpg?fit=2048%2C1360&ssl=1",2048,1360,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/microsoft-moonstone-sleet-apt-melds-espionage-financial-goals-scaled.jpg?fit=1024%2C680&ssl=1",1024,680,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/microsoft-moonstone-sleet-apt-melds-espionage-financial-goals-scaled.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/microsoft-moonstone-sleet-apt-melds-espionage-financial-goals-scaled.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/microsoft-moonstone-sleet-apt-melds-espionage-financial-goals-scaled.jpg?fit=2560%2C1700&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3806","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=3806"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3806\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/3807"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=3806"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=3806"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=3806"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}