New MoonPeak RAT Linked to North Korean Threat Group UAT-5394

Security

A newly discovered remote access Trojan (RAT) family, MoonPeak, has been linked to a North Korean-affiliated threat group known as UAT-5394.

This sophisticated malware, based on the open-source XenoRAT, is undergoing active development, showcasing significant enhancements aimed at evading detection and improving functionality, according to recent research from Cisco Talos.

Connection to Kimsuky

UAT-5394, an emerging player in the North Korean cyber threat landscape, shares certain tactics, techniques and procedures (TTPs) with the more established North Korean state-sponsored groupKimsuky

Although there is no conclusive technical evidence to link UAT-5394 directly to Kimsuky, the overlap inoperational patterns raises the possibility that UAT-5394 could either be a subgroup within Kimsuky or another entity borrowing from Kimsuky’s playbook.

Read more on North Korean cyber-threats: North Korean Hackers Spoofing Journalist Emails to Spy on Policy Experts

Evolution of MoonPeak Malware

Regardless of the connection, the group was initially observed utilizing cloud storage providers for hosting malicious payloads but has since moved to attacker-controlled servers, likely to mitigate risks associated with the shutdown of cloud locations by service providers.

The MoonPeak malware has also evolved through multiple versions, each iteration introducing new layers of obfuscation and unique communication protocols.

These modifications, which include changes to the malware’s namespace and compression techniques, are designed to avoid analysis and prevent unauthorized access to the malware’s command-and-control (C2) servers.

Complex C2 Infrastructure

The research also revealed that UAT-5394 has established a complex network of C2 servers and testing infrastructure, indicating a high level of organization and planning.

“An analysis of MoonPeak samples reveals an evolution in the malware and its corresponding C2 components that warranted the threat actors deploy their implant variants several times on their test machines. The constant evolution of MoonPeak runs hand-in-hand with new infrastructure set up by the threat actors,” Cisco Talos explained.

The security firm also mentioned that the rapid expansion of infrastructure indicates the group’s intent to scale its operations, posing a growing threat to global cybersecurity. The potential connection to Kimsuky amplifies the concern surrounding this emerging threat.

Products You May Like

Articles You May Like

US Organizations Still Using Kaspersky Products Despite Ban
CISA and EPA Warn of Cyber Risks to Water System Interfaces
Sophisticated TA397 Malware Targets Turkish Defense Sector
Italy’s Data Protection Watchdog Issues €15m Fine to OpenAI Over ChatGPT Probe
DeceptionAds Delivers 1M+ Daily Impressions via 3,000 Sites, Fake CAPTCHA Pages

Leave a Reply

Your email address will not be published. Required fields are marked *