New North Korean APT focused on espionage and revenue generation, linked to FakePenny ransomware

Microsoft has shared some details about a new North Korean threat actor, now tracked as Moonstone Sleet (formerly known as Storm-1789), which employs traditional and novel attack methods, aiming at financial gain and cyberespionage.

Initially, Moonstone Sleet's activities showed overlaps with another North Korean threat actor, Diamond Sleet, but the threat actor has since established its own infrastructure and unique attack methodologies.

In early August 2023, Moonstone Sleet was observed distributing a trojanized version of PuTTY, an open-source terminal emulator. The malicious version was delivered via apps like LinkedIn, Telegram, and freelancing platforms.

Targets received a .zip archive containing a malicious putty.exe and a url.txt file with an IP address and password. Entering this information into the PuTTY app decrypted and executed an embedded payload. This method was previously seen with Diamond Sleet, which also used trojanized PuTTY and SumatraPDF.
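One way a defender can triage archives for the lure layout described above (a putty.exe bundled with a url.txt that carries an IP address and password) is a simple heuristic that flags the combination and checks the binary against an allowlist of known-good hashes. The script below is an added example, not Microsoft's or the article's own code; the allowlist digest is a placeholder to be replaced with values from a trusted PuTTY release, and the sample archives are constructed in memory so the script runs offline.

```python
"""Triage heuristic for the trojanized-PuTTY lure described in the article.

Added example; assumes only the delivery pattern the text describes:
a .zip holding putty.exe next to a url.txt containing an IP address and a password.
"""
import hashlib
import io
import re
import zipfile

# Placeholder allowlist of SHA-256 digests of legitimate putty.exe builds.
# Constructed for this example; fill it from digests of the official release.
KNOWN_GOOD_PUTTY_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000000",
}

IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def looks_like_ip_and_password(text: str) -> bool:
    """True when the text holds an IPv4 address plus at least one more token (the password)."""
    tokens = [t for t in re.split(r"[\s:,;]+", text.strip()) if t]
    has_ip = any(IPV4_RE.fullmatch(t) for t in tokens)
    return has_ip and len(tokens) >= 2


def triage_zip(data: bytes) -> dict:
    """Inspect an archive given as bytes and report which lure indicators matched."""
    findings = {
        "putty_present": False,        # archive ships a putty.exe
        "putty_unverified": False,     # that putty.exe is not on the known-good list
        "url_txt_ip_password": False,  # url.txt looks like "<ip> <password>"
        "suspicious": False,           # both unverified binary and IP/password file seen
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Map basename (lower-cased) to the full archive path.
        names = {info.filename.lower().rsplit("/", 1)[-1]: info.filename
                 for info in zf.infolist()}
        if "putty.exe" in names:
            findings["putty_present"] = True
            digest = hashlib.sha256(zf.read(names["putty.exe"])).hexdigest()
            findings["putty_unverified"] = digest not in KNOWN_GOOD_PUTTY_SHA256
        if "url.txt" in names:
            text = zf.read(names["url.txt"]).decode("utf-8", errors="replace")
            findings["url_txt_ip_password"] = looks_like_ip_and_password(text)
    findings["suspicious"] = findings["putty_unverified"] and findings["url_txt_ip_password"]
    return findings


def build_sample_zip(files: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct sample inputs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a dummy (non-PE) putty.exe and a documentation-range IP address.
LURE_ZIP = build_sample_zip({
    "putty.exe": b"MZ dummy bytes for the example",
    "url.txt": b"192.0.2.10 s3cretpass",
})
BENIGN_ZIP = build_sample_zip({
    "readme.txt": b"just notes",
    "putty.exe": b"MZ dummy bytes for the example",
})

if __name__ == "__main__":
    print(triage_zip(LURE_ZIP))
    print(triage_zip(BENIGN_ZIP))
```

The hash check alone is not a verdict: any locally rebuilt or older PuTTY will also be "unverified", which is why the `suspicious` flag requires the IP/password file as well. In practice the allowlist would be populated from signed official releases and the heuristic would feed a ticket rather than block on its own.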

Another observed attack method involves the threat actor targeting victims with malicious npm packages, often delivered through freelancing websites or professional networking platforms.

Since February 2024, Moonstone Sleet has used a malicious game named ‘DeTankWar’ (aka ‘DeFiTankWar’, ‘DeTankZone’, or ‘TankWarsZone’) to infect devices. Posing as a game developer seeking investment or developer support, Moonstone Sleet approached targets through messaging platforms and email, either impersonating legitimate blockchain companies or operating under fake company names. Launching the game started a custom malware loader, YouieLoad, which deployed further malicious payloads that performed network and user discovery and collected browser data.

In April 2024, Moonstone Sleet launched a new ransomware variant, FakePenny, against a previously compromised company. This marks the first observed instance of the threat actor deploying ransomware.

Since January 2024, Moonstone Sleet has been creating fake companies impersonating software development and IT service providers, particularly in the blockchain and AI sectors, Microsoft said. These fake entities helped the group reach potential targets, using created websites and social media accounts to add credibility. Additionally, Moonstone Sleet pursued employment in legitimate software development roles to gain deeper access to target organizations.

According to Microsoft, Moonstone Sleet's operations have targeted individuals and organizations in the software and IT, education, and defense industrial base sectors. The group's primary objectives appear to be espionage and revenue generation, in line with broader North Korean cyber strategy trends.