May 29 2024

Microsoft: ‘Moonstone Sleet’ APT Melds Espionage, Financial Goals

Category: APT,Cyber Espionage,TTP, Cyber-Espionagedisc7 @ 3:59 pm

North Korea’s newest threat actor uses every trick in the nation-state APT playbook, and most of cybercrime’s tricks, too. It also developed a whole video game company to hide malware.

Researchers at Microsoft have identified a North Korean threat group carrying out espionage and financial cyberattacks concurrently, using a grab bag of different attack techniques against aerospace, education, and software organizations and developers.

In the beginning, Microsoft explained in a blog post, Moonstone Sleet heavily overlapped with the known DPRK advanced persistent threat (APT) Diamond Sleet. The former copped from the latter’s malware — like the Comebacker Trojan — as well as its infrastructure and preferred techniques — such as delivering Trojanized software via social media. Moonstone Sleet has since differentiated itself, though, moving to its own infrastructure and establishing for itself a unique, if rather erratic identity.

For one thing, where some of Kim Jong-Un’s threat groups focus on espionage and others focus on stealing money, Moonstone Sleet does both. Having its hands in every pie is reflected in its tactics, techniques, and procedures (TTPs), too, which in various cases have involved fake job offers, custom ransomware, and even a fully functional fake video game.

“Moonstone Sleet’s ability to blend traditional cybercriminal methodologies with those of nation-state actors is particularly alarming,” says Adam Gavish, co-founder and CEO at DoControl. “Their multifaceted strategies — ranging from setting up fake companies to deliver custom ransomware to using compromised tools for direct infiltration — showcase a versatility that complicates defensive measures.”

Moonstone Sleet’s Grab Bag of TTPs

To Gavish, “One tactic that stands out is their utilization of trusted platforms, like LinkedIn and Telegram, and developer freelancing websites to target victims. This exploits the inherent trust associated with these platforms, making it easier for them to trick victims into interacting with malicious content.”

To add to the realism, Moonstone Sleet uses the common North Korean strategy of engaging with victims from the perspective of a seemingly legitimate company.

From January to April of this year, for example, the group masqueraded as a software development company called “StarGlow Ventures.” With a sleek custom domain, made-up employees, and social media accounts to go along with it all, StarGlow Ventures targeted thousands of organizations in the software and education sectors. In phishing emails, the faux company complemented its victims and offered to collaborate on upcoming projects.

In other cases, the group used another fake company — C.C. Waterfall — to spread an especially creative ruse.

In emails from C.C. Waterfall since February, Moonstone Sleet has been reaching out to victims with a link to download a video game. “DeTankWar” — also called DeFiTankWar, DeTankZone, or TankWarsZone — is marketed as a community-driven, play-to-earn tank combat game. It has its own websites, and X accounts for fake personas used to promote it.

Remarkably, DeTankWar is a fully functional (if atavistic) video game. When users launch it, though, they also download malicious DLLs with a custom loader called “YouieLoad.” YouieLoad loads malicious payloads to memory, and creates services that probe victim machines and collect data, and allow its owners to perform extra hands-on command execution.

Whack-a-Mole Cyber Defense

Fake companies and fake video games are just some of Moonstone Sleet’s tricks. Its members also try to get hired for remote tech jobs with real companies. It spreads malicious npm packages on LinkedIn and freelancer websites. It has its own ransomware, FakePenny, which it uses in conjunction with a ransom note ripped from NotPetya to solicit millions of dollars worth of Bitcoin.

In the face of such varied TTPs and malicious tools, Gavish says, “The answer is fundamentally the same as for any other threat: Defenders must adopt a multi-layered security posture. This involves a combination of endpoint protection, network monitoring, and threat hunting to detect and respond to anomalous activities early.” Microsoft took a similarly broad stance in its blog, highlighting network and tamper protections, endpoint detection and response (EDR), and more steps organizations can take to layer their cyber defenses.

“Ultimately,” says Gavish, “the dynamic nature of threats like Moonstone Sleet requires a holistic and adaptive approach to cybersecurity — one that balances technical defenses with strategic intelligence and continuous vigilance.”


Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: APT, Cyber-Espionage, Moonstone Sleet

Feb 28 2024

Industrial Cyber Espionage France’s Top Threat Ahead of 2024 Paris Olympics

France’s National Cybersecurity Agency (ANSSI) observed a significant rise in cyber espionage campaigns targeting strategic organizations in 2023.

These operations are increasingly focused on individuals and non-governmental structures that create, host or transmit sensitive data, ANSSI observed in its 2023 Cyber Threat Landscape report, published on February 27, 2024.

Besides public administration, the primary targets of cyber espionage activity included organizations associated with the French government, such as technology and defense contractors, research institutes and think tanks.

Overall, cyber espionage remained the top cyber threat ANSSI’s teams dealt with in 2023.

ANSSI has also noted an increase in attacks against business and personal mobile phones aimed at targeted individuals.

There has also been an upsurge in attacks that have used methods publicly associated with the Russian government.

“These attacks are not limited to mainland French territory: in 2023, ANSSI dealt with the compromise of an IT network located in a French overseas territory using an attack modus operandi publicly associated with China,” reads the report.

30% Rise in Ransomware

Meanwhile, financially motivated attacks were also on the rise, with an observed 30% increase in ransomware attacks compared to 2022.

Monthly and yearly breakdown of ransomware attacks reported to ANSSI in 2022 (in blue) and in 2023 (in green). Source: ANSSI
Monthly and yearly breakdown of ransomware attacks reported to ANSSI in 2022 (in blue) and in 2023 (in green). Source: ANSSI

Small and medium enterprises (SMEs) and mid-sized businesses were the most targeted organizations, representing 34% of all cyber-attacks observed by ANSSI in 2023. Local administration came second, suffering 24% of all attacks in 2023.

In total in 2023, ANSSI recorded 3703 cyber events, 1112 of which were labeled as cyber incidents. In 2022, it recorded 3018 cyber events, including 832 cyber incidents.

The latest version of the LockBit ransomware, LockBit 3.0 (aka LockBit Black), was the most used malware in financially motivated cyber-attacks in 2023, taking over previous ransomware versions from the same threat group that dominated the ransomware landscape in 2022.

Top Ransomware versions detected by ANSSI in cyber-attacks targeting French organizations. Source: ANSSI
Top Ransomware versions detected by ANSSI in cyber-attacks targeting French organizations. Source: ANSSI

Read more: LockBit Takedown – What You Need to Know about Operation Cronos

Software Supply Chain Vulnerabilities Rule Supreme

Overall, 2023 has seen significant changes in the structure and methods of attackers. They are perfecting their techniques in order to avoid being detected, tracked, or even identified.

“Despite efforts to improve security in certain sectors, attackers continue to exploit the same technical weaknesses to gain access to networks. Exploiting ‘zero-day’ vulnerabilities remains a prime entry point for attackers, who all too often still take advantage of poor administration practices, delays in applying patches and the absence of encryption mechanisms,” reads the report, translated from French to English by Infosecurity.

The top five vulnerabilities exploited by threat actors to compromise French organizations’ IT systems in 2023 include flaws in VMWare, Cisco, Citrix, Atlassian and Progress Software products.

These include the Citrix Bleed and the MOVEit vulnerabilities.

Read more: MOVEit Exploitation Fallout Drives Record Ransomware Attacks

Pre-Positioning Activities on ANSSI’s Radar for 2024

Finally, in a tense geopolitical context, ANSSI noted new destabilization operations aimed mainly at promoting a political discourse, hindering access to online content or damaging an organization’s image.

“While distributed denial of service (DDoS) attacks by pro-Russian hacktivists, often with limited impact, were the most common, pre-positioning activities targeting several critical infrastructures in Europe, North America and Asia were also detected.

“These more discreet activities may nevertheless be aimed at larger-scale operations carried out by state actors waiting for the right moment to act,” the report explained.

Vincent Strubel, ANSSI’s director general, commented: “While financially motivated attacks and destabilization operations saw a clear upturn in 2023, it was once again the less noisy threat, which remains the most worrying, that of strategic and industrial espionage and pre-positioning for sabotage purposes, which mobilised the ANSSI teams the most.”

These geopolitically driven threats will particularly be on ANSSI’s radar in 2024, as Paris is prepares to host the 2024 Olympic and Paralympic Games.

Spy in your Pocket….

An Investigator’s Guide to Espionage, Ransomware, and Organized Cybercrime

Tags: 2024 Paris Olympics, Pegasus, Spy in Your Pocket

Sep 10 2023

Stealthy APT exposed: TTPs spill secrets of sophisticated campaigns

Category: TTP, Cyber-Espionagedisc7 @ 9:13 am

A newly identified advanced persistent threat (APT) group is using sophisticated cyberespionage techniques and custom malware to target government and technology sector organizations in at least six countries, including the United States.

Trend Micro said it discovered the group, which it calls Earth Estries, earlier this year, although they have been active since at least 2020.

In a Wednesday post, Trend Micro researchers describe Earth Estries as a sophisticated hacker group that is currently running an active campaign in the Philippines, Taiwan, Malaysia, South Africa and Germany, as well as the U.S.

“From a general overview of the tools and techniques used in this ongoing campaign, we believe the threat actors behind Earth Estries are working with high-level resources and functioning with sophisticated skills and experience in cyberespionage and illicit activities,” the researchers wrote.

Trend Micro did not attribute the group to a particular country but said it found some overlaps between the tactics, techniques and procedures (TTPs) used by Earth Estries and those used by another APT group, FamousSparrow.

“Moreover, the code similarities and TTPs between Earth Estries and FamousSparrow suggests a possible connection between them,” the researchers said.

Further evidence, including tracked IP addresses and common technical formatting themes also suggested there were “strong ties” between the two groups.

In a 2021 research report, ESET linked FamousSparrow to two other APT groups, SparklingGoblin and DRBControl, both of which have been connected to Chinese threat actors.

Focused on evading detection

Trend Micro said after compromising internal servers, Earth Estries used valid accounts with administrative privileges to covertly move laterally across its victims’ networks.

“To leave as little footprint as possible, they use PowerShell downgrade attacks to avoid detection from Windows Antimalware Scan Interface’s (AMSI) logging mechanism. In addition, the actors abuse public services such as Github, Gmail, AnonFiles, and to exchange or transfer commands and stolen data.”

The researchers said Earth Estries deployed a range of tools to carry out its campaign, including commonly used remote control tools such as Cobalt Strike and PlugX, but also novel backdoors and information stealers.

Included in its toolkit was Zingdoor, a Go HTTP backdoor with cross-platform capabilities which was first developed in June 2022 and has only been deployed on limited occasions.

The group also used TrillClient, a custom browser data stealer, also written in Go, which connected to a GitHub repository to retrieve commands, and HemiGate, a backdoor with keylogging capabilities.

“Like most of the tools used by this threat actor, this backdoor is also executed via DLL sideloading using one of the loaders that support interchangeable payloads. We observed that Earth Estries relies heavily on DLL sideloading to load various tools within its arsenal,” the researchers said.

“We also noted that the threat actors regularly cleaned their existing backdoor after finishing each round of operation and redeployed a new piece of malware when they started another round. We believe that they do this to reduce the risk of exposure and detection.”

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage

Tags: Cyber-Espionage