
Defenders get a MoonPeak at North Korea’s malware backbone


A recently launched attack from North Korea is giving researchers an inside look at how the regime's hackers operate.

The team from Cisco Talos said that an attack dubbed “MoonPeak” has shed light on how the Hermit Kingdom’s hacking team might be running its various operations and what structure it uses as a common backbone.

The attack itself is a relatively normal attempt to infect spear-phished machines with remote control and monitoring software that will harvest activity on infected machines.

What stood out for researchers, however, was the way the MoonPeak malware collected and uploaded its pillage. Researchers with Cisco Talos said that the infection shares a great deal of its activity with that of other North Korean infections.

“Talos’ research has uncovered the testing and staging infrastructure used to create new iterations of MoonPeak,” the Cisco Talos team explained.

“The C2 server hosts malicious artifacts for download, which is then used to access and set up new infrastructure to support this campaign. In multiple instances, we also observed the threat actor access existing servers to update their payloads and retrieve logs and information collected from MoonPeak infections.”

Unlike other cyberespionage operations that focus on data theft or network destruction, North Korean hackers tend to focus their efforts on account theft and financial movements, a reflection of the banking embargoes against the pariah state.

As a result, most North Korean hacking operations are focused on either financial account theft or direct espionage.

At the same time, the country has limited access to technology, obtained through a handful of international allies who may themselves be operating with pirated tech. At some point this creates ambiguity as to what is state-sponsored and what is the act of a private entity.

This led the researchers to ask whether the MoonPeak malware infection is part of a larger effort by North Korea to gather intel on Western nations. Research into the MoonPeak infection traced the addresses of its command and control servers back to a North Korean hacking operation labeled UAT-5394 or "Kimsuky," depending on your employer.

While most people can draw a clear connection, the researchers stopped short of linking the campaigns, citing a lack of concrete evidence.

“This cluster of activity has some overlaps in tactics, techniques and procedures (TTPs) and infrastructure patterns with the North Korean state-sponsored group Kimsuky,” they said.

“However, we do not have substantial technical evidence to link this campaign with the APT.”

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.
