Moonstone Sleet

Moonstone Sleet is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, Lazarus Group, but has differentiated its tradecraft since 2023. Moonstone Sleet is notable for creating fake companies and personas to interact with victim entities, as well as developing unique malware such as a variant delivered via a fully functioning game.[1]

ID: G1036
Associated Groups: Storm-1789
Contributors: Aung Kyaw Min Naing, @Nolan
Version: 1.0
Created: 26 August 2024
Last Modified: 01 October 2024

Associated Group Descriptions

Name Description
Storm-1789 [1]

Techniques Used

Domain ID Name Use
Enterprise T1583.001 Acquire Infrastructure: Domains

Moonstone Sleet registered domains to develop effective personas for fake companies used in phishing activity.[1]

Enterprise T1583.003 Acquire Infrastructure: Virtual Private Server

Moonstone Sleet registered virtual private servers to host payloads for download.[1]

Enterprise T1071.001 Application Layer Protocol: Web Protocols

Moonstone Sleet used curl to connect to adversary-controlled infrastructure and retrieve additional payloads.[1]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Moonstone Sleet used registry run keys for process execution during initial victim infection.[1]

Enterprise T1217 Browser Information Discovery

Moonstone Sleet deployed malware such as YouieLoader capable of capturing victim system browser information.[1]

Enterprise T1486 Data Encrypted for Impact

Moonstone Sleet has deployed ransomware in victim environments.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Moonstone Sleet delivered payloads using multiple rounds of obfuscation and encoding to evade defenses and analysis.[1]

Enterprise T1587 Develop Capabilities

Moonstone Sleet developed malicious npm packages for delivery to or retrieval by victims.[1]

Enterprise T1587.001 Develop Capabilities: Malware

Moonstone Sleet has developed custom malware, including a malware delivery mechanism masquerading as a legitimate game.[1]

Enterprise T1585.001 Establish Accounts: Social Media Accounts

Moonstone Sleet has created social media accounts to interact with victims.[1]

Enterprise T1585.002 Establish Accounts: Email Accounts

Moonstone Sleet has created email accounts to interact with victims, including for phishing purposes.[1]

Enterprise T1589.002 Gather Victim Identity Information: Email Addresses

Moonstone Sleet gathered victim email address information for follow-on phishing activity.[1]

Enterprise T1591 Gather Victim Org Information

Moonstone Sleet has gathered information on victim organizations through email and social media interaction.[1]

Enterprise T1105 Ingress Tool Transfer

Moonstone Sleet retrieved a final stage payload from command and control infrastructure during initial installation on victim systems.[1]

Enterprise T1027 Obfuscated Files or Information

Moonstone Sleet delivers encrypted payloads in pieces that are then combined together to form a new portable executable (PE) file during installation.[1]

Enterprise T1027.009 Obfuscated Files or Information: Embedded Payloads

Moonstone Sleet embedded payloads in trojanized software for follow-on execution.[1]

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

Moonstone Sleet has used encrypted payloads within files for follow-on execution and defense evasion.[1]

Enterprise T1003.001 OS Credential Dumping: LSASS Memory

Moonstone Sleet retrieved credentials from LSASS memory.[1]

Enterprise T1566.001 Phishing: Spearphishing Attachment

Moonstone Sleet delivered various payloads to victims as spearphishing attachments.[1]

Enterprise T1566.003 Phishing: Spearphishing via Service

Moonstone Sleet has used social media services to spearphish victims and deliver trojanized software.[1]

Enterprise T1598 Phishing for Information

Moonstone Sleet has interacted with victims to gather information via email.[1]

Enterprise T1598.003 Phishing for Information: Spearphishing Link

Moonstone Sleet used spearphishing messages containing items such as tracking pixels to determine if users interacted with malicious messages.[1]

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

Moonstone Sleet used scheduled tasks for program execution during initial access to victim machines.[1]

Enterprise T1608.001 Stage Capabilities: Upload Malware

Moonstone Sleet staged malicious capabilities online for follow-on download by victims or malware.[1]

Enterprise T1195.002 Supply Chain Compromise: Compromise Software Supply Chain

Moonstone Sleet has distributed a trojanized version of PuTTY software for initial access to victims.[1]

Enterprise T1082 System Information Discovery

Moonstone Sleet has gathered information on victim systems.[1]

Enterprise T1016 System Network Configuration Discovery

Moonstone Sleet has gathered information on victim network configuration.[1]

Enterprise T1033 System Owner/User Discovery

Moonstone Sleet deployed various malware such as YouieLoader that can perform system user discovery actions.[1]

Enterprise T1569.002 System Services: Service Execution

Moonstone Sleet used intermediate loader malware such as YouieLoader and SplitLoader that create malicious services.[1]

Enterprise T1204.002 User Execution: Malicious File

Moonstone Sleet relied on users interacting with malicious files, such as a trojanized PuTTY installer, for initial execution.[1]

References