Ransomware, Threat Intelligence, Malware

North Korea’s ‘Moonstone Sleet’ targets victims with malicious tools

North Korea flag with circuitry and fingerprint

A new threat actor aligned with the North Korean government called "Moonstone Sleet" was observed using tried-and-true social-engineering tactics, as well as evolving to leverage its own tactics, techniques and procedures.

In a May 28 blog post, Microsoft Threat Intelligence said Moonstone Sleet was setting up fake companies that then engage with potential targets, execute trojanized versions of legitimate tools, create malicious games, and deliver new custom ransomware.

Moonstone Sleet’s primary goals are espionage and revenue generation. The threat actor has targeted individuals and organizations in the software and information technology, education and defense industrial base sectors.

As an example of how the threat group operates, the Microsoft researchers said from January to April, a Moonstone Sleet fake company called "StarGlow Ventures" posed as a legitimate software development company and used a custom domain, fake employee personas, and social media accounts in an email campaign that targeted thousands of organizations in the education and software development sectors.

Threat actors pursue legitimate remote IT jobs

Along with setting up fake companies, Microsoft observed Moonstone Sleet actors pursuing employment as software developers at numerous legitimate companies. The researchers said this was potentially consistent with previous reporting from the U.S. Department of Justice that North Korea was using highly skilled remote IT workers to generate revenue, or it may serve as yet another approach to gaining access to potential victim organizations.

Adam Neel, threat detection engineer at Critical Start, added that the most standout tactic from Moonstone Sleet is its extensive use of social engineering. Neel said they appear to target developers and hope to trick them into running one of the various malware loaders they have developed. They even go as far as to set up fake companies, creating websites to sell the lie. Neel said leveraging these fake companies has let the threat actor fool developers into downloading "skills tests" that are actually just malicious NPM packages.

Another goal of Moonstone Sleet is to infiltrate companies by having some of their own developers hired, said Neel. While they are actively pursuing employment, he said there isn't confirmation of their developers being hired yet.

“It’s important for companies to stay vigilant, and perform background checks on all employees to confirm they are who they say they are,” said Neel. “To address the growing sophistication of threats, companies and individuals need to continue to use security best practices. Phishing and social engineering are only getting more advanced, so it is important to perform training and ensure social-engineering attempts can be thwarted.”

The attacks by Moonstone Sleet highlight the need for comprehensive background checks, detailed screening processes, and ongoing employee monitoring, said Steve Boone, head of product growth at Checkmarx.

“Companies must find a balance between tight security measures and the current talent shortage,” said Boone. “Establishing strong internal security protocols and promoting a culture of security awareness are essential to address such threats."

Moonstone Sleet's ability to blend traditional cybercriminal methodologies with those of nation-state actors is particularly alarming, said Adam Gavish, co-founder and CEO at DoControl. The threat actor’s multifaceted strategies — ranging from setting up fake companies to deliver custom ransomware to using compromised tools for direct infiltration — showcase a versatility that complicates defensive measures.

“One tactic that stands out is Moonstone Sleet’s use of trusted platforms such as LinkedIn, Telegram, and developer freelancing websites to target victims,” said Gavish. “This exploits the inherent trust associated with these platforms, making it easier for them to trick victims into interacting with malicious content.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.