August 21, 2024 at 12:36PM
A new remote access trojan called MoonPeak is being used by a state-sponsored North Korean threat activity cluster in a new campaign. MoonPeak is a variant of the open-source Xeno RAT; the actors have stood up new infrastructure to support the campaign and keep changing the malware's obfuscation and C2 communication with each version to hinder analysis. The campaign aims to proliferate rapidly by setting up more drop points and C2 servers.
Main takeaways:
– A new remote access trojan called MoonPeak has been discovered and is being used by a state-sponsored North Korean threat activity cluster as part of a new campaign.
– MoonPeak is a variant of the open-source Xeno RAT malware, with the ability to load additional plugins, launch and terminate processes, and communicate with a command-and-control (C2) server.
– The development and deployment of MoonPeak involve new infrastructure, including C2 servers, payload-hosting sites, and test virtual machines, to support the campaign.
– The threat actors have shifted from using legitimate cloud storage providers to hosting their own servers, and each new version of the malware introduces further obfuscation and changes to its C2 communication mechanism.
– The group responsible for MoonPeak, tracked as UAT-5394, continues to add and enhance tooling in its arsenal and aims to proliferate the campaign rapidly by establishing new supporting infrastructure and setting up more drop points and C2 servers.