MoonPeak malware unveils new details on attacker infrastructure

Aug. 21, 2024, 1:29 p.m.

Description

Cisco Talos has uncovered a campaign employing a new malware family called 'MoonPeak,' a remote access trojan under active development by a North Korean advanced persistent threat group that Talos tracks as 'UAT-5394.' The analysis traces MoonPeak's evolution from the open-source XenoRAT, with the threat actors modifying the code to evade detection and frustrate analysis. Talos also mapped the infrastructure used in this campaign, including command and control servers, payload hosting sites, and virtual machines used to test implants, exposing the tactics, techniques, and procedures employed by UAT-5394.

Date

  • Created: Aug. 21, 2024, 1:02 p.m.
  • Published: Aug. 21, 2024, 1:02 p.m.
  • Modified: Aug. 21, 2024, 1:29 p.m.

Indicators

  • f928a0887cf3319a74c90c0bdf63b5f79710e9f9e2f769038ec9969fcc8ee329
  • facf3b40a2b99cc15eee7b7aee3b36a57f0951cda45931fcde311c0cc21cdc71
  • f4aa4c6942a87087530494cba770a1dcbc263514d874f12ba93a64b1edbae21c
  • a80a35649f638049244a06dd4fb6eca4de0757ef566bfbe1affe1c8bf1d96b04
  • b8233fe9e903ca08b9b1836fe6197e7d3e98e36b13815d8662de09832367a98a
  • 97ba8d30cf8393c39f61f7e63266914ecafd07bd49911370afb866399446f37d
  • 72a25d959d12e3efe9604aee4b1e7e4db1ef590848d207007419838ddbad5e3f
  • 8a4fbcdec5c08e6324e3142f8b8c41da5b8e714b9398c425c47189f17a51d07b
  • 6bf8a19deb443bde013678f3ff83ab9db4ddc47838cd9d00935888e00b30cee6
  • 58fdc1b6ce4744d6331f8e2efc4652d754e803cae4cc16101fc78438184995e6
  • 6a3839788c0dafe591718a3fb6316d12ccd8e82dbcb41ce40e66b743f2dd344d
  • 4599a9421e83fb0e2c005e5d9ac171305192beabe965f3385accaf2647be3e8e
  • 44e492d5b9c48c1df7ef5e0fe9a732f271234219d8377cf909a431a386759555
  • 41d4f7734fbf14ebcdf63f51093718fd5a22ec38a297c0dc3d7704a3fb48b3f9
  • 458641936e2b41c425161a9b892d2aa08d1de2bc0db446f214b5f87a6a506432
  • 3e39fc595db9db1706828b0791161440dc1571eaa07b523df9b721ad65e2369b
  • 4108c5096a62c0a6664eed781c39bb042eb0adf166fcc5d64d7c89139d525d4f
  • 2b35ef3080dcc13e2d907f681443f3fc3eda832ae66b0458ca5c97050f849306
  • 293b1a7e923be0f554ec44c87c0981c9b5cf0f20c3ad89d767f366afb0c1f24a
  • 27202534cc03a398308475146f6710b790aa31361931d4fe1b495c31c3ed54f7
  • 1ad43ddfce147c1ec71b37011d522c11999a974811fead11fee6761ceb920b10
  • 15eee641978ac318dabc397d9c39fb4cb8e1a854883d8c2401f6f04845a79b4b
  • 0ed643a30a82daacecfec946031143b962f693104bcb7087ec6bda09ade0f3cb
  • 148c69a7a1e06dc06e52db5c3f5895de6adc3d79498bc3ccc2cbd8fdf28b2070
  • 0b8897103135d92b89a83093f00d1da845a1eae63da7b57f638bab48a779808e
  • 95.164.86.148
  • 91.194.161.109
  • 84.247.179.77
  • 80.71.157.55
  • 45.95.11.52
  • 45.87.153.79
  • 27.255.81.118
  • 27.255.80.162
  • 212.224.107.244
  • 167.88.173.173
  • 210.92.18.169
  • 104.194.152.251
  • 159.100.29.122
  • yoiroyse.store
  • pumaria.store
  • nsonlines.store
  • nmailhostserver.store
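The indicator list above mixes three types: SHA256 file hashes, IPv4 addresses and domains. The Python below is an added example, not code from the Talos report or from this page, that classifies a handful of those indicators by type, builds a lookup index, and checks constructed log lines against it. Two caveats a practitioner wants covered are handled: hashes are compared case-insensitively (EDR products frequently log them in uppercase), and a domain indicator also matches hosts beneath it (a DNS query for a subdomain of a listed domain is still a hit). The sample log lines, the subset of indicators embedded and the function names are assumptions for illustration.

```python
"""Classify the indicators listed above and check constructed log lines against them."""
import ipaddress
import re
from collections import defaultdict

# A subset of the indicators from the list above (hashes, IPs, domains as published);
# extend with the remaining entries as needed.
INDICATORS = [
    "f928a0887cf3319a74c90c0bdf63b5f79710e9f9e2f769038ec9969fcc8ee329",
    "facf3b40a2b99cc15eee7b7aee3b36a57f0951cda45931fcde311c0cc21cdc71",
    "95.164.86.148",
    "27.255.80.162",
    "yoiroyse.store",
    "pumaria.store",
]

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostname: one or more labels, final label alphabetic so dotted-quad IPs do not match.
DOMAIN_RE = re.compile(r"\b(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b")


def classify(indicator: str) -> str:
    """Return 'sha256', 'ipv4', 'domain' or 'unknown' for one indicator string."""
    value = indicator.strip()
    if SHA256_RE.fullmatch(value):
        return "sha256"
    try:
        ipaddress.IPv4Address(value)  # rejects out-of-range octets such as 999.1.1.1
        return "ipv4"
    except ValueError:
        pass
    if DOMAIN_RE.fullmatch(value):
        return "domain"
    return "unknown"


def build_index(indicators):
    """Group indicators by type; hashes and domains are normalised to lowercase."""
    index = defaultdict(set)
    for raw in indicators:
        kind = classify(raw)
        if kind != "unknown":
            index[kind].add(raw.strip().lower())
    return index


def scan_log_lines(lines, index):
    """Return (line_no, kind, indicator, observed_token) for every match.

    Hashes match case-insensitively, IPs exactly, and a domain indicator also
    matches any host under it (e.g. a DNS query for mail.<domain>).
    """
    hits = []
    for n, line in enumerate(lines):
        for tok in SHA256_RE.findall(line):
            if tok.lower() in index["sha256"]:
                hits.append((n, "sha256", tok.lower(), tok))
        for tok in IPV4_RE.findall(line):
            if classify(tok) == "ipv4" and tok in index["ipv4"]:
                hits.append((n, "ipv4", tok, tok))
        for tok in DOMAIN_RE.findall(line):
            host = tok.lower()
            for dom in index["domain"]:
                if host == dom or host.endswith("." + dom):
                    hits.append((n, "domain", dom, tok))
    return hits


# Constructed sample log lines (not from the Talos report) to exercise the matcher.
SAMPLE_LOGS = [
    "2024-08-21T10:01:02Z proxy CONNECT 95.164.86.148:443 from 10.0.0.5",
    "2024-08-21T10:01:05Z dns query A mail.pumaria.store from 10.0.0.5",
    "2024-08-21T10:02:10Z edr file_create x.exe sha256=F928A0887CF3319A74C90C0BDF63B5F79710E9F9E2F769038EC9969FCC8EE329",
    "2024-08-21T10:03:00Z proxy CONNECT 8.8.8.8:53 from 10.0.0.5",
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOGS, build_index(INDICATORS)):
        print(hit)
```

Running the block prints one hit for each of the first three constructed lines (the IP, the subdomain of a listed domain, and the uppercase hash) and nothing for the fourth. Matching IPs exactly rather than by prefix is deliberate: several of the listed addresses sit in shared hosting ranges, so widening to a /24 would pull in unrelated traffic.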

Attack Patterns