The emerging threat of a newly identified remote access Trojan (RAT), known as MoonPeak, is raising alarms in global cybersecurity circles. According to the latest research from Cisco Talos, MoonPeak has been linked to UAT-5394, a potential North Korean affiliate. The Trojan family is based on the open-source XenoRAT and has been actively improved to evade detection and enhance its functionality, pointing to mature, dedicated development efforts.
The Link to North Korea’s Kimsuky
Sharing various tactics, techniques, and procedures (TTPs) with the notorious North Korean state-sponsored group Kimsuky, UAT-5394 is gaining recognition in the landscape of cyberthreats emanating from the isolated nation. Nevertheless, it’s important to note that there’s no concrete technical evidence yet to corroborate a direct association between UAT-5394 and Kimsuky. The observed overlap in operational patterns, however, presents the feasible scenario that UAT-5394 could either be nested within Kimsuky’s ranks or be an independent actor borrowing strategies from Kimsuky’s playbook.
North Korean hackers have previously been accused of employing deceptive practices such as impersonating journalists in email communications to spy on policy experts, highlighting the nation’s growing aptitude in cyber warfare.
MoonPeak’s Evolutionary Journey
In tracing MoonPeak's trajectory, the actors behind the Trojan were originally found to use cloud storage providers as hosts for their malicious payloads, but have since transitioned to attacker-owned servers. This switch was likely made to reduce the risk of service providers taking down the cloud locations that hosted the payloads.
The evolution of MoonPeak is also evident in the RAT's software. Across its successive versions, each iteration has introduced new layers of obfuscation and its own communication protocol. All of these modifications, ranging from namespace alterations to new compression techniques, aim to prevent unauthorized access to the malware's command-and-control (C2) servers and thereby impede any potential analysis.
A Complicated C2 Infrastructure
During the investigation, Cisco Talos unearthed that UAT-5394 managed to build a multifaceted network of command servers and a testing setup. This reveals a high degree of organization and planning, suggesting serious intent behind the operation.
“Following our analysis of MoonPeak samples, we saw an evolution in the malware and its associated C2 components that required the threat actors to deploy variant implants on their testing structures several times. The advancing development of MoonPeak is parallel to the threat actors creating new infrastructure,” noted Cisco Talos.
According to the cybersecurity firm, the sudden expansion of infrastructure is a strong indication of the group intending to escalate its operations, becoming an increasingly notable threat to global cybersecurity. This potential connection to the well-known Kimsuky further exacerbates the concerns surrounding this nascent threat.