May 29 2024

Microsoft: ‘Moonstone Sleet’ APT Melds Espionage, Financial Goals

Category: APT,Cyber Espionage,TTP, Cyber-Espionagedisc7 @ 3:59 pm

North Korea’s newest threat actor uses every trick in the nation-state APT playbook, and most of cybercrime’s tricks, too. It also developed a whole video game company to hide malware.

Researchers at Microsoft have identified a North Korean threat group carrying out espionage and financial cyberattacks concurrently, using a grab bag of different attack techniques against aerospace, education, and software organizations and developers.

In the beginning, Microsoft explained in a blog post, Moonstone Sleet heavily overlapped with the known DPRK advanced persistent threat (APT) Diamond Sleet. The former copped from the latter’s malware — like the Comebacker Trojan — as well as its infrastructure and preferred techniques — such as delivering Trojanized software via social media. Moonstone Sleet has since differentiated itself, though, moving to its own infrastructure and establishing for itself a unique, if rather erratic identity.

For one thing, where some of Kim Jong-Un’s threat groups focus on espionage and others focus on stealing money, Moonstone Sleet does both. Having its hands in every pie is reflected in its tactics, techniques, and procedures (TTPs), too, which in various cases have involved fake job offers, custom ransomware, and even a fully functional fake video game.

“Moonstone Sleet’s ability to blend traditional cybercriminal methodologies with those of nation-state actors is particularly alarming,” says Adam Gavish, co-founder and CEO at DoControl. “Their multifaceted strategies — ranging from setting up fake companies to deliver custom ransomware to using compromised tools for direct infiltration — showcase a versatility that complicates defensive measures.”

Moonstone Sleet’s Grab Bag of TTPs

To Gavish, “One tactic that stands out is their utilization of trusted platforms, like LinkedIn and Telegram, and developer freelancing websites to target victims. This exploits the inherent trust associated with these platforms, making it easier for them to trick victims into interacting with malicious content.”

To add to the realism, Moonstone Sleet uses the common North Korean strategy of engaging with victims from the perspective of a seemingly legitimate company.

From January to April of this year, for example, the group masqueraded as a software development company called “StarGlow Ventures.” With a sleek custom domain, made-up employees, and social media accounts to go along with it all, StarGlow Ventures targeted thousands of organizations in the software and education sectors. In phishing emails, the faux company complemented its victims and offered to collaborate on upcoming projects.

In other cases, the group used another fake company — C.C. Waterfall — to spread an especially creative ruse.

In emails from C.C. Waterfall since February, Moonstone Sleet has been reaching out to victims with a link to download a video game. “DeTankWar” — also called DeFiTankWar, DeTankZone, or TankWarsZone — is marketed as a community-driven, play-to-earn tank combat game. It has its own websites, and X accounts for fake personas used to promote it.

Remarkably, DeTankWar is a fully functional (if atavistic) video game. When users launch it, though, they also download malicious DLLs with a custom loader called “YouieLoad.” YouieLoad loads malicious payloads to memory, and creates services that probe victim machines and collect data, and allow its owners to perform extra hands-on command execution.

Whack-a-Mole Cyber Defense

Fake companies and fake video games are just some of Moonstone Sleet’s tricks. Its members also try to get hired for remote tech jobs with real companies. It spreads malicious npm packages on LinkedIn and freelancer websites. It has its own ransomware, FakePenny, which it uses in conjunction with a ransom note ripped from NotPetya to solicit millions of dollars worth of Bitcoin.

In the face of such varied TTPs and malicious tools, Gavish says, “The answer is fundamentally the same as for any other threat: Defenders must adopt a multi-layered security posture. This involves a combination of endpoint protection, network monitoring, and threat hunting to detect and respond to anomalous activities early.” Microsoft took a similarly broad stance in its blog, highlighting network and tamper protections, endpoint detection and response (EDR), and more steps organizations can take to layer their cyber defenses.

“Ultimately,” says Gavish, “the dynamic nature of threats like Moonstone Sleet requires a holistic and adaptive approach to cybersecurity — one that balances technical defenses with strategic intelligence and continuous vigilance.”


Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: APT, Cyber-Espionage, Moonstone Sleet

Sep 10 2023

Stealthy APT exposed: TTPs spill secrets of sophisticated campaigns

Category: TTP, Cyber-Espionagedisc7 @ 9:13 am

A newly identified advanced persistent threat (APT) group is using sophisticated cyberespionage techniques and custom malware to target government and technology sector organizations in at least six countries, including the United States.

Trend Micro said it discovered the group, which it calls Earth Estries, earlier this year, although they have been active since at least 2020.

In a Wednesday post, Trend Micro researchers describe Earth Estries as a sophisticated hacker group that is currently running an active campaign in the Philippines, Taiwan, Malaysia, South Africa and Germany, as well as the U.S.

“From a general overview of the tools and techniques used in this ongoing campaign, we believe the threat actors behind Earth Estries are working with high-level resources and functioning with sophisticated skills and experience in cyberespionage and illicit activities,” the researchers wrote.

Trend Micro did not attribute the group to a particular country but said it found some overlaps between the tactics, techniques and procedures (TTPs) used by Earth Estries and those used by another APT group, FamousSparrow.

“Moreover, the code similarities and TTPs between Earth Estries and FamousSparrow suggests a possible connection between them,” the researchers said.

Further evidence, including tracked IP addresses and common technical formatting themes also suggested there were “strong ties” between the two groups.

In a 2021 research report, ESET linked FamousSparrow to two other APT groups, SparklingGoblin and DRBControl, both of which have been connected to Chinese threat actors.

Focused on evading detection

Trend Micro said after compromising internal servers, Earth Estries used valid accounts with administrative privileges to covertly move laterally across its victims’ networks.

“To leave as little footprint as possible, they use PowerShell downgrade attacks to avoid detection from Windows Antimalware Scan Interface’s (AMSI) logging mechanism. In addition, the actors abuse public services such as Github, Gmail, AnonFiles, and to exchange or transfer commands and stolen data.”

The researchers said Earth Estries deployed a range of tools to carry out its campaign, including commonly used remote control tools such as Cobalt Strike and PlugX, but also novel backdoors and information stealers.

Included in its toolkit was Zingdoor, a Go HTTP backdoor with cross-platform capabilities which was first developed in June 2022 and has only been deployed on limited occasions.

The group also used TrillClient, a custom browser data stealer, also written in Go, which connected to a GitHub repository to retrieve commands, and HemiGate, a backdoor with keylogging capabilities.

“Like most of the tools used by this threat actor, this backdoor is also executed via DLL sideloading using one of the loaders that support interchangeable payloads. We observed that Earth Estries relies heavily on DLL sideloading to load various tools within its arsenal,” the researchers said.

“We also noted that the threat actors regularly cleaned their existing backdoor after finishing each round of operation and redeployed a new piece of malware when they started another round. We believe that they do this to reduce the risk of exposure and detection.”

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage

Tags: Cyber-Espionage