New North Korean Hacker Group ‘Moonstone Sleet’ Revealed by Microsoft


North Korean Threat Actor Moonstone Sleet Behind Cyber Attacks Targeting Software and IT Sector

A new North Korean threat actor, codenamed Moonstone Sleet, has emerged, targeting individuals and organizations in the software, education, and defense sectors with ransomware and bespoke malware that resembles the Lazarus Group's tooling. Moonstone Sleet uses tactics such as setting up fake companies, distributing trojanized versions of legitimate tools, and building malicious games to infiltrate targets.

Microsoft's Threat Intelligence team identified Moonstone Sleet as a state-aligned group that borrows tactics from other North Korean threat actors, such as Lazarus, but with its own distinct attack methodologies. The group has been observed reusing code from the known Comebacker malware and distributing trojanized PuTTY builds to infiltrate systems and execute payloads received from command-and-control servers.

In addition to deploying malicious software, Moonstone Sleet also pursues employment in legitimate software development positions, either to generate revenue for North Korea or to gain access to organizations. The group has been observed sending trojanized PuTTY executables via LinkedIn and Telegram, as well as distributing malicious npm packages through messaging platforms.

Moonstone Sleet has also been linked to the creation of fake companies, such as C.C. Waterfall and StarGlow Ventures, used to approach targets through email and social engineering campaigns. The group recently deployed a custom ransomware variant called FakePenny against a defense technology company, demanding a $6.6 million ransom in Bitcoin.

As the threat from Moonstone Sleet grows, Microsoft is urging software companies to stay vigilant against supply chain attacks and to strengthen their security measures against this emerging threat actor. The disclosure comes amid South Korea's accusations that North Korea, and the Lazarus Group in particular, stole data and documents from a court network.
