North Korea’s ‘Moonstone Sleet’ using fake tank game, custom ransomware in attacks

A new North Korean hacking group is targeting software companies and defense firms with custom ransomware variants and several elaborate scams.

Microsoft said this week that the hacker group it tracks as “Moonstone Sleet” is using several new tactics not previously seen among North Korean groups.

The group has targeted individuals as well as organizations involved in the IT, education and defense industrial base sectors, according to the report.

In April, researchers with the tech giant observed members of the group using a ransomware variant called “FakePenny” against a company it had previously hacked in February. 

“Although North Korean threat actor groups have previously developed custom ransomware, this is the first time we have observed this threat actor deploying ransomware,” the researchers said.  

“Microsoft assesses that Moonstone Sleet’s objective in deploying the ransomware is financial gain, suggesting the actor conducts cyber operations for both intelligence collection and revenue generation. Of note, the ransomware note dropped by FakePenny closely overlaps with the note used by Seashell Blizzard in its malware NotPetya.”

While most North Korean ransomware campaigns in the past involved relatively small ransom demands, this specific incident saw the hackers issue a $6.6 million demand. 

Microsoft said it saw Moonstone Sleet compromise a defense technology company in December, giving the hackers access to credentials and intellectual property. Those same hackers then used the FakePenny ransomware in April.

Similar incidents involving a drone technology firm and a company that produces aircraft parts have been witnessed by Microsoft researchers over the last year.  

Tank games and malware

In addition to the new strain of ransomware, Microsoft tracked multiple other tactics used by North Korean threat actors in recent months that drew their concern. 

The company has been tracking a campaign since February that involved a tank game called “DeTankWar.” Hackers contacted victims by email or on social media claiming to be a game developer looking for investors. 

They created a web of fake websites and social media accounts to make the game look legitimate and used a fake company called C.C. Waterfall to contact targets. 

They included a download link in each message, which when clicked loads malware onto the device, allowing the hackers to steal browser data and gain other information on the victim’s network. Microsoft noted that when successful, hackers will take further direct action to search for credentials and other data.

The Microsoft blog lists dozens of other new malware strains, fake companies and fictitious job opportunities that the North Korean group uses to lure victims. 

Several fake companies purporting to be software development and IT businesses related to blockchain or AI were used to reach out to targets. One fake company — StarGlow Ventures — was used in a campaign specifically aimed at breaching organizations involved in education or software development. 

“These emails also contained a 1×1 tracking pixel, which likely enabled Moonstone Sleet to track which targets engaged with the emails, and a link to a dummy unsubscribe page hosted on the StarGlow Ventures domain,” Microsoft said.

“While the emails did not contain any malicious links, Microsoft assesses Moonstone Sleet likely used this campaign to establish a relationship with target organizations. Although the purpose of these relationships is unclear, they may afford the actor access to organizations of interest or be used as revenue generation opportunities. Microsoft notified customers who were impacted by this Moonstone Sleet campaign.”

Moonstone Sleet was also seen attempting to get hackers employed at multiple legitimate software development companies. Two weeks ago, the U.S. Justice Department arrested two people and sanctioned three others for running a fraudulent remote work operation that netted North Korea nearly $7 million. 

Experts at Microsoft found significant overlap between Moonstone Sleet’s tactics and other North Korean groups. 

Microsoft initially found the group reusing the malware and infrastructure of Diamond Sleet — another North Korean group tracked by Microsoft — but in the last few months has seen the group shift to using its own tools. 

It said it directly notified customers that have either been targeted or compromised. 

The campaigns stood out to Microsoft “not only because of their effectiveness, but because of how they have evolved from those of several other North Korean threat actors over many years of activity to meet North Korean cyber objectives.”

Microsoft also warned that the expanded use of ransomware was concerning because it illustrates that North Korean actors are seeking to develop the ability to launch disruptive operations. The fact that there are multiple North Korean operations all running at the same time also shows that the groups are “well-resourced.”

“While Microsoft has not yet identified any Moonstone Sleet supply chain attacks, the actor has extensively targeted software development firms in its campaigns,” the researchers warned. 

“Large-scale access to software companies would pose a particularly high risk for future supply chain attacks against those organizations.”