New MoonPeak RAT Linked to North Korean Actors

Cisco Talos researchers have uncovered a new remote access trojan called MoonPeak, which is being used in North Korean-linked campaigns.

Researchers said that MoonPeak is a malware family that evolved from the open-source XenoRAT, which has been leveraged in various attacks to log keystrokes, execute commands and manipulate files. The source code for XenoRAT has been available on GitHub since 2023. The new malware is under active development by a state-sponsored North Korean nexus of threat actors that Cisco Talos tracks as “UAT-5394.” Many of the changes in MoonPeak variants that occurred between January and July focus on modifying the code to enable tactical evasion, improve obfuscation and thwart analysis of the malware.

“MoonPeak is a remote-access-trojan (RAT) - likely used in espionage oriented attacks by UAT-5394 - that consists of a plethora of remote control and exfiltration capabilities and comes with a modular set of plugins to carry out various malicious tasks on the infected system,” said Asheer Malhotra, outreach partner with Cisco Talos, and Nick Biasini, head of outreach with Cisco Talos, in emailed comments. “The implant is a modified version of an open source remote access trojan known as XenoRAT. The key here is that the adversaries took care to make modifications that would only allow their implants to talk to their command and control servers. This is increasingly common on the threat landscape: take something somebody else wrote and modify it enough to make it custom tooling, suited for your needs.”

During their investigation into MoonPeak, researchers delved into the infrastructure the threat actors created for staging, command-and-control (C2) and testing the implants. Notably, over the past two months the threat actors appeared to be pivoting across C2 and staging servers in order to both set up new infrastructure and modify existing servers.

For example, after June 11 researchers observed a “distinct shift” in the threat actor’s tactics around setting up infrastructure, moving from hosting malicious payloads on legitimate cloud storage providers to leveraging attacker-owned servers instead. Researchers said this was partly due to a disclosure by AhnLab about a spear-phishing campaign that involved XenoRAT, and that the threat actors were attempting to avoid shutdown by service providers.

“The C2 server hosts malicious artifacts for download, which are then used to access and set up new infrastructure to support this campaign,” said Cisco Talos researchers in a Wednesday analysis. “In multiple instances, we also observed the threat actor access existing servers to update their payloads and retrieve logs and information collected from MoonPeak infections. Apart from accessing servers from other servers, the threat actors also accessed their infrastructure from VPN nodes.”

Researchers said that the “UAT-5394” activity cluster has some TTPs and infrastructure patterns that are similar to those of Kimsuky, a well-known North Korean state-sponsored group that in the past has targeted think tanks, academic institutions and news media organizations. However, researchers don’t have enough substantial evidence to link the campaign to that APT at this time.

“We will, for the time being, consider this cluster of activity an independent campaign owned and operated under the UAT-5394 moniker until we have more intelligence to either merge this campaign into Kimsuky’s attacks or determine that UAT-5394 is, in fact, a disparate/unique group operating within DPRK’s APT machinery,” they said.