A never-before-seen North Korean threat actor codenamed Moonstone Sleet has been attributed as behind cyber attacks targeting individuals and organizations in the software and information technology, education, and defense industrial base sectors with ransomware and bespoke malware previously associated with the infamous Lazarus Group.
“Moonstone Sleet is observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized versions of legitimate tools, create a malicious game, and deliver a new custom ransomware,” the Microsoft Threat Intelligence team said in a new analysis.
It also characterized the threat actor as using a combination of tried-and-true techniques used by other North Korean threat actors and unique attack methodologies to meet its strategic objectives.
The adversary, hitherto tracked by Redmond under the emerging cluster moniker Storm-1789, is assessed to be a state-aligned group that originally exhibited strong tactical overlaps with the Lazarus Group (aka Diamond Sleet), before establishing its own distinct identity through separate infrastructure and tradecraft.
The similarities with Lazarus include extensively reusing code from known malware such as Comebacker, which was first observed in January 2021 in connection with a campaign targeting security researchers working on vulnerability research and development.
Comebacker was put to use by the Lazarus Group as recently as this February, embedding it within seemingly innocuous Python and npm packages to establish contact with a command-and-control (C2) server to retrieve additional payloads.
Source: The Hacker News