August 23, 2024 at 05:12PM
A new version of XenoRAT malware called MoonPeak, with ties to North Korea’s Kimsuky group, is actively evolving and deploying complex infrastructure for command and control. It exhibits functional changes from the original XenoRAT, making detection challenging. Cisco Talos discovered the variant, analyzing its code modifications, infrastructure changes, and connections to known threat actors.
From the meeting notes, it is clear that a threat actor connected to North Korea’s Kimsuky group is distributing a new version of the XenoRAT malware, known as MoonPeak. This variant is actively being developed and has been evolving over the past few months, making it challenging to detect and identify.
Cisco Talos researchers have observed modifications to the MoonPeak variant, indicating that the threat actors are independently evolving the code from the open-source version. These modifications include changes to the client namespace, obfuscation of the malware, and continuous tweaks to its infrastructure.
The threat actor has also shifted its hosting of payloads from public cloud services to privately owned and controlled systems for command and control (C2), staging, and testing of the malware. Additionally, there are indications of connectivity with other known malware tools associated with the Kimsuky group, suggesting a broader threat landscape.
Overall, the meeting notes highlight the complex and evolving nature of the MoonPeak malware, as well as the tactics used by the threat actor to make detection and identification more challenging.