North Korean threat actor behind new ransomware

A relatively new group of North Korean cybercriminals has been found deploying FakePenny ransomware.

In a security blog, Microsoft has revealed some of the tactics being used by a relatively new group of cybercriminals operating out of North Korea, which it calls Moonstone Sleet (formerly Storm-1789).

The group has been using many tactics refined by other North Korean groups and is notable for its use of ransomware. Although ransomware suggests the group is financially motivated, this doesn’t mean that it isn’t state-backed. As the Cybersecurity and Infrastructure Security Agency (CISA) pointed out in its 2023 North Korea Cyber Threat Overview and Advisories, “recent North Korean state-sponsored cyber activity includes the launching of ransomware campaigns.”

Microsoft says that it observed Moonstone Sleet delivering a new custom ransomware variant named FakePenny against a company it had previously compromised in February.

Some of the methods the group is using to deliver malware and steal funds are:

  • Delivering a trojanized version of PuTTY, an open-source terminal emulator, on platforms like LinkedIn and Telegram as well as developer platforms. Microsoft noticed several custom malware loaders delivered by these PuTTY executables.
  • Targeting potential victims with projects that used malicious Node Package Manager (npm) packages spread on developer platforms and LinkedIn. Microsoft collaborated with GitHub to identify and remove repositories associated with this activity.
  • Offering a malicious tank game it developed called DeTankWar (aka DeFiTankWar, DeTankZone, or TankWarsZone). Potential victims are approached on messaging platforms or by email, seeking investment or developer support.
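The trojanized PuTTY builds described above are easiest to catch at software intake. The following PowerShell check is an added example, not code from the original article or from Microsoft: it verifies the Authenticode signature and the SHA-256 of a downloaded executable before anyone runs it. The expected signer name and hash are placeholders to be filled in from the vendor's published signing certificate and release hashes.

```powershell
# Added example (not from the original article): vet a PuTTY executable before use.
# Assumptions: $ExpectedSigner and $ExpectedSha256 are placeholders that you fill
# in from the vendor's published signing certificate and release hash list.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$ExpectedSigner = 'CN=<publisher-name-from-published-cert>',
    [string]$ExpectedSha256 = '<sha256-from-vendor-release-page>'
)

$findings = @()

# 1. Authenticode check: a trojanized build is typically unsigned, signed by a
#    different publisher, or carries a signature that no longer matches the file.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    $findings += "Signature status is '$($sig.Status)', expected 'Valid'"
} elseif ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
    $findings += "Signed by unexpected publisher: $($sig.SignerCertificate.Subject)"
}

# 2. Hash check against the value published alongside the release
#    (string comparison in PowerShell is case-insensitive by default).
$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
if ($hash -ne $ExpectedSha256) {
    $findings += "SHA-256 $hash does not match the published hash"
}

# 3. Report; the exit code lets this run as a gate in a software-intake pipeline.
if ($findings.Count -eq 0) {
    Write-Output "OK: $Path is signed by the expected publisher and matches the published hash"
    exit 0
}
Write-Warning "Do not run $Path"
$findings | ForEach-Object { Write-Warning "  - $_" }
exit 1
```

A valid signature from the wrong publisher still fails the check, which is the case a plain "is it signed?" test misses.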

Other tactics to gain the trust of organizations, with the likely objective of infiltrating them later, are much harder to spot. The group created several fake companies impersonating software development and IT services firms, typically relating to blockchain and AI. For example, StarGlow Ventures, a fake software development company, sent emails to target companies complimenting them on their work and offering collaboration and support for upcoming projects, claiming it could provide expertise in the development of web apps, mobile apps, blockchain, and AI.

Another, “CC Waterfall”, was a fake company that emailed higher education organizations, claiming it was either hiring new developers or looking for business collaboration opportunities.

Another observed activity with the same goals in mind was outsourcing highly skilled remote IT workers, which could be used both to generate revenue and, possibly, to gain access to organizations of interest.

Moonstone Sleet takes the trouble to build credible online profiles for its fake companies, ones that survive more than a quick look at social media, so a quick check is certainly not enough. Especially in the verticals outlined above, it’s important to thoroughly vet companies that offer to partner with your organization.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.