MoonPeak Trojan Detection: North Korean Hackers Deploy Novel RAT During Their Latest Malicious Campaign

August 26, 2024 · 3 min read

In the first half of 2024, North Korea-affiliated adversaries have significantly ramped up their activities, broadening both their malicious toolsets and their range of targets. Security experts have observed a notable uptick in supply-chain attacks and trojanized software installers, underscoring a growing trend among North Korean state-sponsored groups. Recently, security professionals discovered a brand new malware sample added to this arsenal. This advanced remote access Trojan (RAT) is believed to be operated by a North Korea-linked cluster of threat actors with possible ties to the notorious Kimsuky group.

Detect MoonPeak Trojan Deployed by North Korean Hackers

The continuously evolving offensive toolkit of the North Korean hacking collectives demands rapid response from cyber defenders. The latest addition to that toolkit, the MoonPeak Trojan, underscores the need for proactive defenses. SOC Prime Team has curated a related Sigma rule that helps detect suspicious .NET methods being called from PowerShell, a technique commonly used for offensive purposes.

Call Suspicious .NET Methods from Powershell (via powershell)
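To show what a detection of this kind operates on, here is an added example that is not code from the post, from SOC Prime's rule, or from Cisco Talos: a small detector run over constructed PowerShell script block log records (Windows Event ID 4104). The selected .NET methods, the field names and the sample records are all assumptions made for the example; the actual rule may select on different methods.

```python
"""Added example (not the post's or SOC Prime's code): detect suspicious .NET
method calls recorded in PowerShell script block logs (Event ID 4104)."""

import re

# Assumption: an illustrative selection of .NET APIs that in-memory loaders
# hosted in PowerShell commonly call. Needles are compared against the
# normalised (lower-cased, whitespace- and backtick-stripped) script text,
# so casing tricks and backtick escapes inside identifiers do not hide them.
SUSPICIOUS_DOTNET_METHODS = {
    "assembly_load": "reflection.assembly]::load(",
    "marshal_copy": "interopservices.marshal]::copy(",
    "get_delegate": "interopservices.marshal]::getdelegateforfunctionpointer(",
}


def normalise(script_text: str) -> str:
    """Fold the trivial variations PowerShell tolerates.

    PowerShell is case-insensitive and lets a backtick escape characters
    inside a bare word or continue a line, so the same call can be written
    many ways. Matching on the folded form keeps one needle per method.
    """
    folded = script_text.replace("`", "")
    folded = re.sub(r"\s+", "", folded)
    return folded.lower()


def find_suspicious_methods(script_text: str) -> list:
    """Return the names of all suspicious methods found in one script block."""
    folded = normalise(script_text)
    return [name for name, needle in SUSPICIOUS_DOTNET_METHODS.items()
            if needle in folded]


def scan_events(events) -> list:
    """Return (RecordId, matched method names) for every 4104 event that hits.

    Events are dicts shaped like the fields an agent would forward from the
    PowerShell operational log (assumed field names); only the script block
    text is inspected, and other event IDs are skipped.
    """
    hits = []
    for event in events:
        if event.get("EventID") != 4104:
            continue
        matched = find_suspicious_methods(event.get("ScriptBlockText", ""))
        if matched:
            hits.append((event["RecordId"], matched))
    return hits


# Constructed sample events, not real telemetry: one benign block, two
# reflective loads (the second with mixed casing and a backtick escape),
# one record with a non-4104 event ID, and one unmanaged-memory copy.
SAMPLE_EVENTS = [
    {"RecordId": 101, "EventID": 4104,
     "ScriptBlockText": "Get-ChildItem C:\\Users | Measure-Object"},
    {"RecordId": 102, "EventID": 4104,
     "ScriptBlockText": "[System.Reflection.Assembly]::Load($bytes)"},
    {"RecordId": 103, "EventID": 4104,
     "ScriptBlockText": "[sYsTeM.rEfLeCtIoN.aSsEmBlY]::Lo`ad($bytes)"},
    {"RecordId": 104, "EventID": 4103,
     "ScriptBlockText": "[System.Reflection.Assembly]::Load($bytes)"},
    {"RecordId": 105, "EventID": 4104,
     "ScriptBlockText": "[Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, $buf.Length)"},
]


if __name__ == "__main__":
    for record_id, methods in scan_events(SAMPLE_EVENTS):
        print(f"RecordId {record_id}: {', '.join(methods)}")
```

The folding step is the part worth copying into a real rule: a plain case-sensitive substring match on `[System.Reflection.Assembly]::Load(` misses the record 103 variant, while the normalised comparison catches it. A Sigma rule expresses the same selection declaratively (a `contains` list on the script block field, usually with the `windash`-style or case-insensitive modifiers the backend supports), and the converter, not the rule author, decides how much of this normalisation the target SIEM can do.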

Additionally, security professionals searching for curated detection content linked to the North Korean Kimsuky APT (whose TTPs significantly overlap with those of the MoonPeak operators) can access a broad collection of Sigma rules by pressing the Explore Detections button below.

Explore Detections

All the detection algorithms are mapped to the MITRE ATT&CK® framework and automatically convertible to the industry-leading SIEM, EDR, and Data Lake technologies for seamless cross-platform threat detection.

MoonPeak Malware Analysis

Recent research by Cisco Talos sheds light on the recently discovered MoonPeak RAT, actively leveraged by North Korean adversaries during their latest malicious campaign. Security experts are tracking the group behind MoonPeak, designated UAT-5394, which exhibits clear similarities in malicious TTPs to the notorious Kimsuky APT.

In fact, MoonPeak is a custom version of the open-source Xeno RAT malware, which attackers increasingly use in phishing campaigns designed to retrieve the malicious payload from cloud services such as Dropbox and Google Drive. Xeno RAT boasts a range of malicious capabilities, including loading additional plugins, launching and terminating processes, and communicating with a C2 server. MoonPeak inherits these features in the latest iteration of the Trojan.

Security researchers also note that the malware operators behind MoonPeak are constantly expanding and tuning its capabilities. Cisco Talos points out that the adversaries set up new infrastructure, including C2 servers, hosting, and test virtual machines, to run the malicious campaign with MoonPeak at its core.

In several instances, the threat actor accessed existing servers to update payloads and retrieve logs from MoonPeak infections. This shift from legitimate cloud storage to their own servers aligns with the ongoing evolution of MoonPeak, where each new version introduces enhanced obfuscation and altered communication mechanisms to evade detection.

As MoonPeak and Xeno RAT campaigns share many similarities in tactics, techniques, and procedures (TTPs), security experts suspect that the UAT-5394 cluster might be linked to Kimsuky APT. Specifically, researchers suggest two possible scenarios: either UAT-5394 is a Kimsuky subgroup transitioning from QuasarRAT to MoonPeak, or UAT-5394 is a separate group intentionally mimicking Kimsuky's malicious patterns.

The enhanced sophistication and increased variety of tools applied by North Korea-affiliated actors fuel the need for proactive cyber defense to successfully preempt malicious intentions. Leveraging SOC Prime’s Attack Detective helps security teams significantly reduce the ever-growing attack surface, elevate threat visibility and address cyber defense blind spots, get access to the prioritized detection stack for high-fidelity alerting, or adopt an automated threat hunting capability.
