North Korean Hackers Deploy New MoonPeak Trojan in Cyber Campaign

Summary:
Cisco Talos has identified a new remote access trojan, MoonPeak, in use by a North Korean state-sponsored threat group it tracks as UAT-5394. The group shows significant tactical overlaps with the well-known North Korean actor Kimsuky, which suggests either a direct link (UAT-5394 as Kimsuky or a sub-group of it) or a toolkit shared across the broader North Korean cyber apparatus. MoonPeak is a variant of the open-source Xeno RAT, which had previously been delivered in phishing attacks through payloads hosted on cloud services such as Dropbox, Google Drive, and Microsoft OneDrive. The key capabilities MoonPeak inherits from Xeno RAT include loading additional plugins, managing system processes, and communicating with a command-and-control (C2) server.

Cisco Talos researchers highlighted that UAT-5394 has built new infrastructure specifically for this campaign: new C2 servers, sites for hosting payloads, and test virtual machines used to deploy and refine MoonPeak before it is pushed to victims. The threat actors have been observed logging in to these servers to update the malware payloads they serve and to collect data from infected systems.

Security Officer Comments:
A notable shift in this campaign is the move away from legitimate cloud storage providers for hosting malware. Instead, UAT-5394 is standing up its own servers, which gives the group more control over its infrastructure and removes the dependency on cloud accounts that a provider can monitor or suspend. For defenders, the shift also means the campaign's network indicators (C2 and payload-hosting IPs and domains) are more actionable than when payloads were served from shared cloud domains that cannot be blocked wholesale. Each new iteration of MoonPeak adds obfuscation that makes the malware harder to analyze, and changes the C2 protocol so that a given MoonPeak build only works with its matching version of the C2 server; older samples, and anyone who has analyzed them, cannot talk to the newer infrastructure. The researchers emphasized that the ongoing development and rapid deployment of new infrastructure indicate an aggressive expansion of the campaign, including additional drop points and C2 servers to support the spread of MoonPeak. The specific targets of the campaign have not yet been identified, so detection should rely on the published infrastructure and sample indicators rather than on any victim profile.

Suggested Corrections:
Researchers at Cisco Talos have published IOCs for this campaign (covering the MoonPeak samples and the C2 and payload-hosting infrastructure described above) which can be loaded into network and endpoint tooling to detect and defend against the MoonPeak RAT:

https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/
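As an added illustration of how a published IOC list like the one above is put to use (this is example code written for this page, not code from Cisco Talos or from the original write-up), the Python script below parses an IOC list in the defanged style vendors publish (hxxp://, [.]), refangs it, sorts the entries into IPs, domains and SHA-256 hashes, and matches them against proxy, DNS and EDR log lines. Every indicator and log line in it is a constructed placeholder (RFC 5737 test addresses, .invalid domains, a dummy all-zero hash); none of them is a MoonPeak IOC. Replace IOC_TEXT with the list from the Talos post and SAMPLE_LOGS with real log lines.

```python
"""Match a vendor-style IOC list against log lines.

Added example, not code from Cisco Talos or the original write-up. Every
indicator and log line here is a constructed placeholder (RFC 5737 test
addresses, .invalid domains, a dummy hash); none of them is a MoonPeak IOC.
"""
import re
from dataclasses import dataclass, field

# Constructed placeholder IOC list in the defanged style vendors publish.
IOC_TEXT = """
# network indicators (placeholders)
192.0.2.10
198.51.100[.]23:8080
hxxp://c2.example[.]invalid/update.php
payload-host.example[.]invalid
# file hashes (placeholder)
0000000000000000000000000000000000000000000000000000000000000001
"""

# Constructed proxy / DNS / EDR log lines; nothing here is a real observation.
SAMPLE_LOGS = [
    "2024-08-21T09:12:01Z proxy src=10.20.30.40 dst=198.51.100.23:8080 "
    "host=c2.example.invalid url=http://c2.example.invalid/update.php status=200",
    "2024-08-21T09:12:05Z dns client=10.20.30.41 query=payload-host.example.invalid "
    "type=A answer=192.0.2.10",
    "2024-08-21T09:13:10Z dns client=10.20.30.42 query=updates.example.com "
    "type=A answer=203.0.113.5",
    "2024-08-21T09:14:00Z edr host=WS-117 file=C:\\Users\\Public\\svc.exe "
    "sha256=0000000000000000000000000000000000000000000000000000000000000001 action=created",
]


@dataclass
class IocSet:
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    sha256: set = field(default_factory=set)


def refang(s: str) -> str:
    """Undo the usual defanging: hxxp -> http, [.] or (.) -> ., [:] -> :."""
    return (s.replace("hxxps://", "https://").replace("hxxp://", "http://")
             .replace("[.]", ".").replace("(.)", ".").replace("[:]", ":"))


# Whole-line patterns for the IOC list (an optional :port is tolerated on IPs).
IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$")
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
HOST_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?::\d+)?(?:/.*)?$")

# Token patterns for pulling candidate indicators out of free-form log lines.
TOKEN_IP = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
TOKEN_HASH = re.compile(r"\b[0-9a-fA-F]{64}\b")
TOKEN_HOST = re.compile(r"\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b")


def parse_iocs(text: str) -> IocSet:
    """Refang each non-comment line and file it as an IP, a SHA-256 hash or a host.

    URLs are reduced to their host, since a self-hosted C2 server is worth
    matching on regardless of the exact path the payload was served from.
    """
    iocs = IocSet()
    for raw in text.splitlines():
        line = refang(raw.strip())
        if not line or line.startswith("#"):
            continue
        if m := IP_RE.match(line):
            iocs.ips.add(m.group(1))
        elif SHA256_RE.match(line):
            iocs.sha256.add(line.lower())
        elif m := HOST_RE.match(line):
            iocs.domains.add(m.group(1).lower())
    return iocs


def scan_logs(lines, iocs: IocSet):
    """Return sorted (line_no, kind, indicator) hits, one per indicator per line."""
    hits = set()  # a set so that host=... and url=... on one line yield a single hit
    for n, line in enumerate(lines, 1):
        for ip in TOKEN_IP.findall(line):
            if ip in iocs.ips:
                hits.add((n, "ip", ip))
        for h in TOKEN_HASH.findall(line):
            if h.lower() in iocs.sha256:
                hits.add((n, "sha256", h.lower()))
        for host in TOKEN_HOST.findall(line):
            if host.lower() in iocs.domains:
                hits.add((n, "domain", host.lower()))
    return sorted(hits)


if __name__ == "__main__":
    for n, kind, value in scan_logs(SAMPLE_LOGS, parse_iocs(IOC_TEXT)):
        print(f"line {n}: {kind} match {value}")
```

Two caveats when using this against real data: host matching here is exact, so if a vendor lists an apex domain you will want suffix matching for its subdomains as well; and because the write-up describes the actor rapidly standing up new servers, a hit on a C2 IP should be read together with the date the indicator was published, since an address that was a C2 server last month may have been reassigned since. The script requires Python 3.8 or later for the assignment expressions in parse_iocs.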

Link(s):
https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/