An entity associated with North Korea’s notorious Kimsuky group is spreading a new iteration of XenoRAT, an open-source information-stealing malware, vectored through an intricate network of command-and-control (C2) servers, staging systems, and test machines.
This malware variant, known as MoonPeak according to researchers from Cisco Talos, is being meticulously cultivated and has seen multiple augmentations over the past few months. This constant evolution makes detection and identification considerably more difficult.
MoonPeak: A XenoRAT Variant
“MoonPeak encompasses most of the functionalities of the original XenoRAT. Nevertheless, we have noticed consistent modifications throughout the variants. This indicates that the threat actors are constantly modifying and advancing it independently of the open-source version,” according to Cisco Talos researchers Asheer Malhotra, Guilherme Venere, and Vitor Ventura.
XenoRAT is a freely available, open-source malware family written in C# that first appeared on GitHub last October. The Trojan carries a range of potent capabilities, including keylogging, User Account Control (UAC) bypass, and a hidden Virtual Network Computing (VNC) feature. The hidden VNC feature lets threat actors quietly operate a compromised system at the same time as the victim is using it, without the victim noticing.
Cisco Talos identified a North Korean “nexus of threat actors”, tracked as UAT-5394, deploying MoonPeak in attacks carried out earlier this year. The threat actor’s tactics, techniques, and procedures (TTPs), along with its infrastructure, share numerous similarities with the Kimsuky group, which is notorious for espionage against organizations across many sectors, most prominently those involved in nuclear weapons research and policy.
The correlations led Cisco Talos to speculate whether UAT-5394 was indeed Kimsuky in disguise, or another North Korean APT repurposing Kimsuky’s infrastructure. However, in the absence of concrete evidence, the security firm has opted to identify UAT-5394 as an independent North Korean advanced persistent threat (APT) group, for the time being.
Constant MoonPeak Modification
Research carried out by Cisco Talos indicates that the attackers have made several alterations to the XenoRAT code while keeping many of its core functions intact. A notable modification was the change of the client namespace from “xeno_rat_client” to “cmdline”. This was done to ensure that other XenoRAT variants could not successfully connect to a MoonPeak server.
The change in namespace safeguards their infrastructure from rogue implants and likewise prevents their own implants from connecting with out-of-the-box XenoRAT C2 servers, as detailed in the blog post.
Other alterations appear intended to cloak the malware and impede analysis. One example is the use of state machines to drive asynchronous execution of the malware, which yields a less linear program flow that is harder to follow. Consequently, reverse engineering the malware becomes a more taxing and time-consuming endeavor.
Besides changes to the malware itself, Cisco Talos also observed the threat actor making continuous modifications to its infrastructure. A significant change was witnessed in early June when the threat actor ceased using public cloud services to host its payloads. Instead, it switched to privately owned and controlled systems for C2, staging, and testing.
At least two of the servers that Cisco Talos detected UAT-5394 using seemed to be linked with other malware. For instance, a known C2 server for Quasar RAT, a malware tool related to the Kimsuky group, was seen connecting with a MoonPeak server.
“Investigations of MoonPeak samples showcased an evolution in the malware and its corresponding C2 components, which required the threat actors to roll out their implant variants several times on their test machines,” Cisco Talos researchers reported. The primary objective appears to be to make detection and identification more difficult, while also ensuring that specific MoonPeak variants work only with specific C2 servers.