MoonPeak RAT Continues to Evolve, Tied to North Korean Espionage


New Variant of XenoRAT Malware Linked to North Korean Group MoonPeak

A new variant of the notorious XenoRAT information-stealing malware, identified by researchers at Cisco Talos as MoonPeak, is currently being distributed by a threat actor with likely connections to North Korea’s Kimsuky group. This new version of the malware is being actively developed and has been steadily evolving over the past few months, posing a challenge for detection and identification.

MoonPeak retains most of the functionality of the original XenoRAT but includes consistent changes and modifications that indicate independent evolution by the threat actors. XenoRAT, an open-source malware family written in C#, offers powerful capabilities such as keylogging, UAC bypass, and a Hidden Virtual Network Computing (HVNC) feature for surreptitious remote access to compromised systems.

The connection to the Kimsuky group suggests a state-sponsored North Korean nexus behind the distribution of MoonPeak, with tactics and infrastructure resembling previous espionage activities in sectors like nuclear weapons research. Cisco Talos researchers have observed continuous modifications to MoonPeak, including namespace changes to prevent rogue implants and obfuscation techniques to hinder analysis.

The threat actor has also been adjusting its infrastructure, moving away from public cloud services to privately owned and controlled systems for hosting payloads and testing malware. This dynamic approach aims to introduce enough changes in each variant to impede detection, while ensuring compatibility with specific C2 servers.

The constant evolution of MoonPeak highlights the persistence of threat actors in adapting their tactics to evade detection and increase their operational security. It underscores the ongoing challenge faced by cybersecurity professionals in keeping pace with the rapidly changing landscape of cyber threats.
