FakePenny Ransomware Linked to North Korea’s Moonstone Sleet Group


Moonstone Sleet, identified by Microsoft as a new threat from North Korea, has carved a niche in the cyber landscape with both familiar and unique strategies aimed at financial gains and espionage. Elevated from its former tracking as Storm-1789, the threat group is adept at creating deceptive fronts: it has set up numerous fake entities that mimic legitimate businesses in sectors like software development, AI, and blockchain. These fabricated companies engage unsuspecting targets across various industries including software development, education, and defense, enhancing the group's ability to infiltrate systems covertly. Through these interactions, Moonstone Sleet not only breaches defenses but also forges relationships that facilitate espionage and financial exploitation. Their arsenal includes trojanized software and a custom ransomware named FakePenny, underscoring their formidable cybercrime capabilities.

Microsoft notes that Moonstone Sleet shares several operational tactics with Diamond Sleet (aka Lazarus Group, Labyrinth Chollima), reflecting a continuity in their cyber espionage efforts. Initially, Moonstone Sleet heavily reused Diamond Sleet's malware and methodologies, notably utilizing social media platforms to distribute trojanized applications. Over time, however, Moonstone Sleet developed its own infrastructure, marking a pivotal shift towards independent operations. This evolution highlights their adaptability and sustained threat presence. Microsoft observes, "Moonstone Sleet’s ability to conduct concurrent operations across multiple campaigns suggests this threat actor may be well-resourced."

Moonstone Sleet’s technical strategies are sophisticated, including the distribution of a trojanized version of PuTTY. This attack vector commences when targets are enticed via platforms like LinkedIn and developer freelancing sites to download a seemingly benign .zip file. This file contains a modified version of putty.exe and a url.txt file with a specific IP address and password. When the target enters that IP address and password into the trojanized PuTTY, the application activates an embedded malicious payload that decrypts and executes further malicious stages. The infection chain progresses as follows: the initial trojanized application launches an embedded payload, which is followed by the SplitLoader installer. SplitLoader installs additional payloads onto the disk, including a DLL executed via scheduled tasks or registry keys for persistence. This loader then pulls further encrypted payloads from a C2 server, decrypting and executing them to deepen the system compromise.
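For defenders triaging downloaded archives, the delivery pattern described above (a .zip that bundles putty.exe with a url.txt holding an IP address) can be checked with a short script. This is an added example, not code from Microsoft or Anvilogic; the function names, the 4 KB size limit and the sample archives are assumptions constructed for illustration, and a match is a reason for review rather than a verdict.

```python
import io
import re
import zipfile

# IPv4 matcher; url.txt's exact layout is not given on the page, so any IPv4 counts.
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
MAX_TEXT = 4096  # assumption: a lure note with an address and password is tiny

def triage_archive(data: bytes) -> dict:
    """Report whether a zip bundles putty.exe with a url.txt that holds an IP address."""
    result = {"putty_exe": [], "url_txt": [], "ip_in_url_txt": False,
              "unreadable": [], "suspicious": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["error"] = "not a zip archive"
        return result
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if base == "putty.exe":
                result["putty_exe"].append(info.filename)
            elif base == "url.txt":
                result["url_txt"].append(info.filename)
                # Skip encrypted or oversized members instead of raising.
                if info.flag_bits & 0x1 or info.file_size > MAX_TEXT:
                    result["unreadable"].append(info.filename)
                    continue
                text = zf.read(info).decode("utf-8", errors="replace")
                if IPV4.search(text):
                    result["ip_in_url_txt"] = True
    # Both files present is the pattern; an unreadable url.txt still deserves review.
    has_pair = bool(result["putty_exe"] and result["url_txt"])
    result["suspicious"] = has_pair and (result["ip_in_url_txt"] or bool(result["unreadable"]))
    return result

def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: content}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: placeholder bytes and a documentation-range IP (RFC 5737).
LURE = build_zip({"job/putty.exe": b"MZ placeholder", "job/url.txt": "192.0.2.10\nexample-pass\n"})
BENIGN = build_zip({"putty.exe": b"MZ placeholder", "README.txt": "PuTTY portable"})
```
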

Moreover, Moonstone Sleet utilizes deceptive npm packages and counterfeit games to deliver malware, demonstrating their diverse tactics for launching cyber attacks. Their use of the FakePenny ransomware introduces a heightened dual-threat approach, aiming for financial extortion and strategic disruption. FakePenny was notably deployed in a high-stakes attack demanding millions in ransom, which indicates the significant impact and critical nature of their operations, aimed at securing financial gains and potentially gathering intelligence during the attack. Microsoft highlights the ransomware note utilized by FakePenny as showing "close overlaps" with the note dropped by NotPetya malware.

The rise of Moonstone Sleet as a formidable and sophisticated cyber threat aligns with North Korea’s strategy of integrating cyber operations into national objectives, merging traditional espionage with financially motivated attacks.
