Details of the Story
As reported by Dark Reading, a threat actor believed to be connected to North Korea's Kimsuky group is actively deploying a new and constantly evolving variant of the XenoRAT information-stealing malware, according to a recent report by Cisco Talos researchers. This variant, dubbed "MoonPeak," has been linked to a complex infrastructure of command-and-control (C2) servers, staging systems, and test machines, which makes the campaign harder for defenders to detect and attribute.
MoonPeak, while retaining much of the original XenoRAT’s capabilities, has undergone consistent modifications that indicate the threat actors are independently evolving the malware.
XenoRAT, the malware upon which MoonPeak is based, is an open-source Trojan written in C# that was released for free on GitHub last October. The malware includes several potent features, including keylogging, a User Account Control (UAC) bypass, and a hidden Virtual Network Computing (hVNC) function, which allows attackers to control a compromised system without the victim's knowledge.
Cisco Talos has tracked the activity of a threat actor group it designates as UAT-5394, which has been deploying MoonPeak in attacks throughout this year. The group’s tactics, techniques, and procedures (TTPs), as well as its infrastructure, show significant overlaps with those of the Kimsuky group, a North Korean APT known for its espionage operations targeting various sectors, particularly nuclear research.
The overlaps have led Cisco Talos to speculate that UAT-5394 could either be Kimsuky itself or another North Korean APT leveraging Kimsuky’s infrastructure. However, due to the lack of definitive evidence, Cisco Talos has opted to track UAT-5394 as an independent threat actor for now.
Cisco Talos' analysis of MoonPeak reveals a deliberate and ongoing effort by the attackers to modify the XenoRAT code. One significant modification was the change of the client namespace from "xeno rat client" to "cmdline," which prevents other XenoRAT variants from connecting to MoonPeak's C2 servers. This change ensures that only the group's own variants can connect to its infrastructure, reducing the risk of interference from other malicious actors.
To further obfuscate the malware and complicate analysis, the threat actors have restructured the code around state machines so that it executes asynchronously. This breaks up the program's linear control flow, making it more challenging and time-consuming for analysts to reverse-engineer the malware.
Additionally, in response to a recent disclosure by AhnLab regarding an earlier XenoRAT variant used by UAT-5394, the threat actors have shifted their infrastructure. Previously relying on public cloud services to host payloads, they have now moved to privately owned systems for C2, staging, and testing purposes. This shift not only reduces the visibility of their operations but also makes it harder for security professionals to track and mitigate their activities.
The MoonPeak variant of XenoRAT represents a significant evolution in North Korean-linked cyber threats. With its ongoing modifications and sophisticated infrastructure, MoonPeak poses a formidable challenge to cybersecurity defenses. Cisco Talos’ findings highlight the importance of continuous vigilance and adaptation in the face of increasingly advanced and persistent threat actors.