A new hacking group with a surprisingly large toolkit is using everything from fake job tests to a bogus tank battle game to target software developers and others as part of a wide-ranging series of attacks.
The group, dubbed ‘Moonstone Sleet’ by Microsoft, which has been tracking the attacks, seems to have two main goals - espionage and financial gain, and is throwing the net wide in its attempts at both.
So far it has targeted individual software developers but also tech companies, education, and defense firms. What’s unusual about the group is that it has a very wide set of techniques which it uses to target potential victims.
Microsoft said the group is backed by North Korea. When it was first spotted, there was a lot of overlap between Moonstone Sleet and other North Korea-backed hacking groups; since then it has shifted to its bespoke infrastructure and attacks.
“Moonstone Sleet has an expansive set of operations supporting its financial and cyber espionage objectives. These range from deploying custom ransomware to creating a malicious game, setting up fake companies, and using IT workers,” Microsoft said.
Microsoft said it had seen, for example, the hackers using a trojanized version of PuTTY, an open-source terminal emulator, via apps like LinkedIn and Telegram as well as developer freelancing platforms. It has also observed the group attempting to use malicious npm packages.
In one case, the attackers used a fake company to send .zip files invoking a malicious npm package under the guise of a technical skills assessment for software developers looking for work.
Moonstone Sleet has been duping developers
Since February 2024, Microsoft has observed the group infecting devices using a malicious tank game it developed called DeTankWar.
The group presents itself as a game company seeking investment or developer support, and either masquerades as a legitimate blockchain company or uses fake companies to bolster its story.
The group presents the tank game as a blockchain-related project. But if potential victims, such as software developers looking for projects to work on, take the bait and download the game, they will also be downloading a custom malware loader which creates malicious services that perform functions such as network and user discovery and browser data collection.
If they manage to compromise a device of particular interest to the group, the attackers will then take a more hands-on approach to dig in further and steal credentials.
Microsoft said that in April 2024, Microsoft also spotted the group delivering a new custom ransomware variant it has named FakePenny against a company that the hackers had previously compromised in February. The ransom demand was for $6.6 million in Bitcoin.
Although North Korean hacking groups have previously developed custom ransomware, Microsoft said this is the first time it had observed this threat actor deploying ransomware. That suggests the group is conducting its attacks both intelligence collection and revenue generation.
As well as the tank game, this year Microsoft has observed Moonstone Sleet creating several fake companies impersonating software development and IT services, usually involved with fashionable projects like blockchain and AI.
The group has posed as a software development company with its own custom domain, fake employees, and social media accounts, in an email campaign targeting thousands of organizations in the education and software development sectors. It offered to collaborate on upcoming projects, citing expertise in the development of web apps, mobile apps, blockchain, and AI.
It's not clear what the payoff is for this campaign: most likely it’s to gain access to companies that might be of interest for espionage or to make money – or both.
In a similar campaign, Moonstone Sleet sent emails using its fake IT consulting company C.C. Waterfall to higher education organizations, claiming the company was either hiring new developers or looking for business collaboration opportunities.
Moonstone Sleet also used C.C. Waterfall to contact targets and invite them to download the tank game, showing how the group can use different assets in overlapping campaigns.
Corporate infiltration techniques
The group has also been seen pursuing employment in software development positions at multiple legitimate companies. This activity could be consistent with previous warnings from the US Department of Justice that North Korea was using highly skilled remote IT workers to generate revenue.
Defense is also a target. In early December last year Microsoft spotted the group compromising a defense technology company to steal credentials and intellectual property.
In April 2024, the actor ransomed the organization using FakePenny. The same month, it also spotted the hackers compromise a company that makes drone technology; the month before it had compromised a company that makes aircraft parts.
Microsoft said this group’s campaigns are notable because they represent an evolution of North Korean tactics. For example, North Korea has for many years used a group of remote IT workers to generate revenue for the regime.
“Moonstone Sleet’s pivot to conduct IT work within its campaigns indicates it may not only be helping with this strategic initiative, but possibly also expanding the use of remote IT workers beyond just financial gain,” Microsoft said. Meanwhile the addition of ransomware to its playbook suggests it may be expanding its set of capabilities to enable disruptive operations.
Another concern is that North Korea’s hackers have already used software supply chain attacks, and Moonstone Sleet has already been seen targeting software development firms in its campaigns.
“Large-scale access to software companies would pose a particularly high risk for future supply chain attacks against those organizations,” Microsoft warned.
