North Korea’s Cyber Threat Evolves With MoonPeak Malware
Cisco Talos has identified a North Korean hacking group, “UAT-5394,” using various servers to test and control its malware. They’re working with a new version of malware called “MoonPeak,” which is based on an earlier malware called XenoRAT.
In their report, published yesterday, the researchers state that MoonPeak is based on the publicly available source code for XenoRAT, which was released on GitHub around October 2023.
Although MoonPeak retains many of the original XenoRAT’s functionalities, Cisco Talos’ analysis has identified consistent changes across its variants, indicating that the threat actors are independently modifying and evolving the code beyond the open-source version.
While MoonPeak shares some similarities with malware used by a known North Korean group called “Kimsuky,” Cisco Talos states that it does not have enough evidence to confirm a direct link between the two.
The researchers suggest that the new malware raises two main possibilities. First, UAT-5394 might be Kimsuky, or a subgroup of Kimsuky, that is replacing its old malware with MoonPeak.
Alternatively, UAT-5394 could be a different North Korean group that is using similar techniques and infrastructure to Kimsuky.
For now, Cisco Talos has decided to treat UAT-5394 as a separate group until they have more evidence to connect them to Kimsuky or confirm them as a unique group within North Korea’s hacking operations.
Cisco Talos’ researchers also revealed that the group uses dedicated servers to test and update MoonPeak. According to Cisco Talos, the group uses these servers to deliver and control the malware, and often accesses them through VPNs to manage and update it.
Furthermore, Cybersecurity News reports that the XenoRAT malware has undergone several modifications by its creators, including changes to the client namespace, communication protocol, and obfuscation techniques.
These updates are designed to enhance evasion tactics and prevent unwanted clients from interacting with the command and control (C2) infrastructure.
According to The Cyber Express, the researchers noted a significant change in the actor’s tactics in June 2024. They shifted from using legitimate cloud storage providers to hosting malicious payloads on systems and servers that they now own and control.
The Cyber Express suggests that this move was likely aimed at protecting their operations from potential takedowns by cloud service providers.
Finally, Cybersecurity News points out that the rapid pace of these changes reflects the group’s efforts to expand its campaign quickly while setting up more drop points and C2 servers.