Moonstone Sleet
Moonstone Sleet is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, Lazarus Group, but has differentiated its tradecraft since 2023. Moonstone Sleet is notable for creating fake companies and personas to interact with victim entities, as well as developing unique malware such as a variant delivered via a fully functioning game.[1]
Associated Group Descriptions
| Name | Description |
|---|---|
| Storm-1789 |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1583 | .001 | Acquire Infrastructure: Domains |
Moonstone Sleet registered domains to develop effective personas for fake companies used in phishing activity.[1] |
| .003 | Acquire Infrastructure: Virtual Private Server |
Moonstone Sleet registered virtual private servers to host payloads for download.[1] |
||
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Moonstone Sleet used curl to connect to adversary-controlled infrastructure and retrieve additional payloads.[1] |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Moonstone Sleet used registry run keys for process execution during initial victim infection.[1] |
| Enterprise | T1217 | Browser Information Discovery |
Moonstone Sleet deployed malware such as YouieLoader capable of capturing victim system browser information.[1] |
|
| Enterprise | T1486 | Data Encrypted for Impact |
Moonstone Sleet has deployed ransomware in victim environments.[1] |
|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Moonstone Sleet delivered payloads using multiple rounds of obfuscation and encoding to evade defenses and analysis.[1] |
|
| Enterprise | T1587 | Develop Capabilities |
Moonstone Sleet developed malicious npm packages for delivery to or retrieval by victims.[1] |
|
| .001 | Malware |
Moonstone Sleet has developed custom malware, including a malware delivery mechanism masquerading as a legitimate game.[1] |
||
| Enterprise | T1585 | .001 | Establish Accounts: Social Media Accounts |
Moonstone Sleet has created social media accounts to interact with victims.[1] |
| .002 | Establish Accounts: Email Accounts |
Moonstone Sleet has created email accounts to interact with victims, including for phishing purposes.[1] |
||
| Enterprise | T1589 | .002 | Gather Victim Identity Information: Email Addresses |
Moonstone Sleet gathered victim email address information for follow-on phishing activity.[1] |
| Enterprise | T1591 | Gather Victim Org Information |
Moonstone Sleet has gathered information on victim organizations through email and social media interaction.[1] |
|
| Enterprise | T1105 | Ingress Tool Transfer |
Moonstone Sleet retrieved a final stage payload from command and control infrastructure during initial installation on victim systems.[1] |
|
| Enterprise | T1027 | Obfuscated Files or Information |
Moonstone Sleet delivers encrypted payloads in pieces that are then combined together to form a new portable executable (PE) file during installation.[1] |
|
| .009 | Embedded Payloads |
Moonstone Sleet embedded payloads in trojanized software for follow-on execution.[1] |
||
| .013 | Encrypted/Encoded File |
Moonstone Sleet has used encrypted payloads within files for follow-on execution and defense evasion.[1] |
||
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
Moonstone Sleet retrieved credentials from LSASS memory.[1] |
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Moonstone Sleet delivered various payloads to victims as spearphishing attachments.[1] |
| .003 | Phishing: Spearphishing via Service |
Moonstone Sleet has used social media services to spear phish victims to deliver trojainized software.[1] |
||
| Enterprise | T1598 | Phishing for Information |
Moonstone Sleet has interacted with victims to gather information via email.[1] |
|
| .003 | Spearphishing Link |
Moonstone Sleet used spearphishing messages containing items such as tracking pixels to determine if users interacted with malicious messages.[1] |
||
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
Moonstone Sleet used scheduled tasks for program execution during initial access to victim machines.[1] |
| Enterprise | T1608 | .001 | Stage Capabilities: Upload Malware |
Moonstone Sleet staged malicious capabilities online for follow-on download by victims or malware.[1] |
| Enterprise | T1195 | .002 | Supply Chain Compromise: Compromise Software Supply Chain |
Moonstone Sleet has distributed a trojanized version of PuTTY software for initial access to victims.[1] |
| Enterprise | T1082 | System Information Discovery |
Moonstone Sleet has gathered information on victim systems.[1] |
|
| Enterprise | T1016 | System Network Configuration Discovery |
Moonstone Sleet has gathered information on victim network configuration.[1] |
|
| Enterprise | T1033 | System Owner/User Discovery |
Moonstone Sleet deployed various malware such as YouieLoader that can perform system user discovery actions.[1] |
|
| Enterprise | T1569 | .002 | System Services: Service Execution |
Moonstone Sleet used intermediate loader malware such as YouieLoader and SplitLoader that create malicious services.[1] |
| Enterprise | T1204 | .002 | User Execution: Malicious File |
Moonstone Sleet relied on users interacting with malicious files, such as a trojanized PuTTY installer, for initial execution.[1] |