
Threat Actor Profile-Moonstone Sleet


Moonstone Sleet is a North Korea-based threat actor with close ties to related groups such as Diamond Sleet, Jade Sleet, and Onyx Sleet. It has differentiated itself by running simultaneous operations built on robust social engineering, going as far as developing a robust fake game (DeTankWar/DeFiTankWar/DeTankZone/TankWarsZone) to serve as a vehicle for malware deployment. Moonstone Sleet has conducted highly sophisticated social engineering attacks against software development and aerospace manufacturing companies, and has also targeted educational institutions to exfiltrate data of interest to the North Korean government. It delivers malicious payloads that impersonate legitimate software to compromise victim devices and then conducts further reconnaissance within the target environment.


THREAT ACTOR STRATEGIC SUMMARY 

Tracked Aliases

Storm-1789

Geolocation

North Korea

Primary Motivation

Nation state sponsored espionage with a secondary financial objective

Primary Targets

Education, Software Development, Government, Aerospace Manufacturing

Affiliated Groups

Diamond Sleet, Lazarus Group

Initial Activation

August 2023


THREAT ACTOR TACTICAL SUMMARY 

Initial Access

Social engineering tactics to deploy malware loaders posing as legitimate software such as PuTTY or indie games

Malware Deployment

Malware loaders posing as legitimate files use curl commands to deploy payloads such as SplitLoader and YouieLoad for further compromise, or ransomware packages such as FakePenny

Lateral Movement

Lateral movement is limited but often done through compromised valid accounts

Impact

Moonstone Sleet has been seen pursuing both espionage efforts as well as more traditional ransomware for financial gain


THREAT ACTOR IOCs


A commonly observed tactic of Moonstone Sleet is to create fake companies and reach out to targets in order to deploy malware via social engineering. The fake companies often relate to trending topics such as blockchain or AI and come with custom domains, social media accounts, and even employee personas to add legitimacy. Moonstone Sleet has been seen leveraging malware loaders such as SplitLoader and YouieLoad to create malicious in-memory services on compromised devices, allowing remote access as well as data collection and exfiltration.


SPLITLOADER


  • File Hashes

    • 39d7407e76080ec5d838c8ebca5182f3ac4a5f416ff7bda9cbc4efffd78b4ff5


YOUIELOAD


  • File Hashes

    • Cafaa7bc3277711509dc0800ed53b82f645e86c195e85fbf34430bbc75c39c24

    • 9863173e0a45318f776e36b1a8529380362af8f3e73a2b4875e30d31ad7bd3c1

    • 09d152aa2b6261e3b0a1d1c19fa8032f215932186829cfcca954cc5e84a6cc38

    • 70c5b64589277ace59db86d19d846a9236214b48aacabbaf880f2b6355ab526


MALICIOUS PUTTY


  • File Hashes

    • Cb97ec024c04150ad419d1af2d1eb66b5c48ab5f345409d9d791db574981a3fb

    • F59035192098e44b86c4648a0de4078edbe80352260276f4755d15d354f5fc5


MALICIOUS DOMAINS


  • Fake Businesses

    • ccwaterfall[.]com

    • chaingrown[.]com

    • detankwar[.]com

    • starglowventures[.]com

    • matrixane[.]com


Organizations should block the IOCs listed above and keep devices updated to address known vulnerabilities.
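The following is an added example, not part of the original profile or the CyberForce|Q tooling: a small Python triage script that normalizes the IOCs listed above (refanging the bracketed domains and lower-casing the hashes), flags any published hash that is not a complete 64-character SHA-256 so an analyst can verify it against the original source instead of silently matching a truncated value, and scans a few sample log lines for hits. The log lines, host names, and the parsing regexes are constructed assumptions for illustration; the indicator values themselves are transcribed from the lists above.

```python
import re
from dataclasses import dataclass

# IOCs transcribed from the profile above. Two entries (the last YouieLoad
# hash and the second PuTTY hash) are only 63 hex characters as published,
# so they cannot be complete SHA-256 values and are set aside for review.
SHA256_IOCS = {
    "SplitLoader": [
        "39d7407e76080ec5d838c8ebca5182f3ac4a5f416ff7bda9cbc4efffd78b4ff5",
    ],
    "YouieLoad": [
        "Cafaa7bc3277711509dc0800ed53b82f645e86c195e85fbf34430bbc75c39c24",
        "9863173e0a45318f776e36b1a8529380362af8f3e73a2b4875e30d31ad7bd3c1",
        "09d152aa2b6261e3b0a1d1c19fa8032f215932186829cfcca954cc5e84a6cc38",
        "70c5b64589277ace59db86d19d846a9236214b48aacabbaf880f2b6355ab526",
    ],
    "Malicious PuTTY": [
        "Cb97ec024c04150ad419d1af2d1eb66b5c48ab5f345409d9d791db574981a3fb",
        "F59035192098e44b86c4648a0de4078edbe80352260276f4755d15d354f5fc5",
    ],
}

DEFANGED_DOMAINS = [
    "ccwaterfall[.]com",
    "chaingrown[.]com",
    "detankwar[.]com",
    "starglowventures[.]com",
    "matrixane[.]com",
]

HEX64 = re.compile(r"^[0-9a-f]{64}$")


def refang(domain: str) -> str:
    """Turn a defanged indicator like 'example[.]com' back into 'example.com'."""
    return domain.replace("[.]", ".").lower()


def build_hash_set(iocs):
    """Return (valid, malformed): valid maps lower-cased SHA-256 -> family;
    malformed collects entries that are not exactly 64 hex characters."""
    valid, malformed = {}, []
    for family, hashes in iocs.items():
        for h in hashes:
            h = h.strip().lower()
            if HEX64.match(h):
                valid[h] = family
            else:
                malformed.append((family, h))
    return valid, malformed


@dataclass
class Hit:
    line_no: int
    kind: str        # "hash" or "domain"
    indicator: str   # the normalized IOC that matched
    family: str
    line: str


def scan_logs(lines, iocs=SHA256_IOCS, domains=DEFANGED_DOMAINS):
    """Match each log line against the IOC hashes (case-insensitive) and
    domains (exact host or any subdomain of a listed domain)."""
    hashes, _ = build_hash_set(iocs)
    domain_set = {refang(d) for d in domains}
    hex_re = re.compile(r"\b[0-9a-fA-F]{64}\b")
    host_re = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
    hits = []
    for n, line in enumerate(lines, 1):
        for h in hex_re.findall(line):
            fam = hashes.get(h.lower())
            if fam:
                hits.append(Hit(n, "hash", h.lower(), fam, line))
        for host in host_re.findall(line):
            host = host.lower()
            for d in domain_set:
                if host == d or host.endswith("." + d):
                    hits.append(Hit(n, "domain", d, "Fake business domain", line))
    return hits


# Constructed sample log lines (DNS and EDR style); not from a real incident.
SAMPLE_LOGS = [
    "2024-05-01T10:02:11Z dns client=10.0.0.23 query=www.detankwar.com type=A",
    "2024-05-01T10:02:40Z edr host=WS-17 file=C:\\Users\\dev\\Downloads\\putty.exe "
    "sha256=CB97EC024C04150AD419D1AF2D1EB66B5C48AB5F345409D9D791DB574981A3FB",
    "2024-05-01T10:03:05Z dns client=10.0.0.23 query=example.com type=A",
    "2024-05-01T10:04:19Z edr host=WS-17 file=setup.dll "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    _, bad = build_hash_set(SHA256_IOCS)
    for family, h in bad:
        print(f"REVIEW: {family} hash is {len(h)} chars, not 64: {h}")
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} {hit.indicator} [{hit.family}]")
```

Run against the constructed lines, the script reports the DNS query for a subdomain of detankwar[.]com and the upper-cased PuTTY hash, and prints the two 63-character hashes for analyst review rather than treating them as blockable indicators.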


How can CyberForce|Q services help you address this risk?


Our team can assist your organization with the next steps for securing your environment. Reach out to solutions@cyberforceq.com.


Learn more about CyberForce|Q.


