Defenders reach MoonPeak at North Korea’s malware backbone

A recent attack from North Korea gives researchers insight into the regime’s hackers’ tactics.

The Cisco Talos team said an attack called “MoonPeak” shed light on how the Hermit Kingdom hacking team conducts its various operations and what structure it uses as a common backbone.

The attack itself is a relatively standard attempt, delivered by spear phishing, to infect computers with remote-access and monitoring software that records activity on the infected machines.

What caught researchers’ attention, however, was the way the MoonPeak malware collected and uploaded its loot. Researchers at Cisco Talos said the infection shares many activities with those of other North Korean infections.

“Talos research uncovered the testing and staging infrastructure used to build new iterations of MoonPeak,” the Cisco Talos team explained.

“The C2 server hosts malicious artifacts for download, which are then used to access and deploy new infrastructure to support this campaign. In several cases, we have also observed the threat actor accessing existing servers to update its payloads and retrieve logs and information collected from MoonPeak infections.”

Unlike other cyber espionage operations that focus on data theft or network disruption, North Korean hackers tend to focus their efforts on account theft and financial movement, a reflection of the banking embargo against the pariah state.

For this reason, most North Korean hacking attacks focus on either stealing bank accounts or outright espionage.

At the same time, the country has limited access to technology, obtained through its few international allies, who may themselves be running pirated software. At some point, this makes it hard to tell what is state-sponsored and what is the action of a private company.

This led researchers to wonder whether the MoonPeak malware infection is part of a larger effort by North Korea to collect intelligence on Western countries. Research into the MoonPeak infection has traced the addresses of command and control servers linked to a North Korean hacking operation dubbed UAT-5394 or “Kimsuky,” depending on who is naming it.

While there is a clear connection for most people, researchers were unable to link the two campaigns because they lacked concrete evidence.

“This cluster of activities shares some overlap in tactics, techniques, and procedures (TTPs) and infrastructure patterns with the North Korean state-sponsored Kimsuky group,” they said.

“However, we do not have significant technical evidence to link this campaign to the APT.”

By Olivia
