Utilizing new infrastructure—such as test virtual machines, payload-hosting websites, and C2 servers—that has been developed to generate new MoonPeak versions is essential to the campaign's success. Malicious artifacts are available for download from the C2 site, and they are used to access and establish new infrastructure to assist this campaign.

Researchers also saw the threat actor accessing live systems on several occasions to update payloads and obtain logs and data gathered from MoonPeak infections. This change is seen to be a part of a larger trend away from using reputable cloud storage providers and toward building their own servers. Having stated that, the campaign's objectives are unknown at this time.

It is crucial to remember that MoonPeak is constantly evolving in tandem with the threat actors' new infrastructure and that every malware version adds new obfuscation techniques to thwart analysis and modifications to the overall communication mechanism to prevent unauthorized connections. In other words, the threat actors made sure that particular MoonPeak versions only function with particular C2 server variations.

The regular adoption of new malware and its development, as demonstrated by MoonPeak's example, demonstrate how UAT-5394 keeps enhancing and adding new tools to its toolbox. UAT-5394's quick establishment of new supporting infrastructure suggests that the group's goal is to quickly expand this campaign and install additional C2 servers and drop locations.

Impact

• Unauthorized Remote Access
• Data Theft

Indicators of Compromise

Domain Name

• yoiroyse.store
• pumaria.store
• nmailhostserver.store
• nsonlines.store

IP

• 167.88.173.173
• 95.164.86.148
• 80.71.157.55
• 84.247.179.77
• 45.87.153.79
• 45.95.11.52
• 104.194.152.251
• 27.255.81.118
• 212.224.107.244
• 27.255.80.162
• 210.92.18.169
• 91.194.161.109

MD5

• ca005ebe9454f30c2cedd73080677f56
• 2a40543f5b4b8cc1f4bd8993df44708e
• 3c8ce3a7ac8ef626f10c8128e5892f0b
• 535f59bc95fe3efc22abf5036c60ade0
• 9924b24434e2d92d0fc3b683006cbad1
• dd4ca3ea5c13241be3cc4f7f64a7c05c
• 60e8ed6c37e1fe9742a49916e07002e5
• 48c5ea8f01e77182808842886127586f
• ee1dca47840fbab6d8956ef97f352496
• 1c80fb45a89106369e1b47b1b0ccb38a
• d3dd07f2454b9c81d9d16e65d6f24000
• 0692c60aafb06f7f8e4e34e1b381a3fa
• 571c577595223518fd5a3ee8b36928d7
• a470afe2f7176694553158bcd3decb53
• e8ab7a58f35cae486d61c94910faa4fa
• fcbc07e56f496e836c29833b89a23fce
• 01647ac5a7c19a75766cd82c46836c91
• 83f90f7266796420c0b96fe58ecbe6c3
• 89f79e0c7c53d0b5dc18adab9e8985be
• 56014bf3871d237f40dda46fcf5fff94
• a614eea9f0137a3176076269d6851aa6

SHA-256

• 0b8897103135d92b89a83093f00d1da845a1eae63da7b57f638bab48a779808e
• 2b35ef3080dcc13e2d907f681443f3fc3eda832ae66b0458ca5c97050f849306
• 4108c5096a62c0a6664eed781c39bb042eb0adf166fcc5d64d7c89139d525d4f
• 44e492d5b9c48c1df7ef5e0fe9a732f271234219d8377cf909a431a386759555
• 4599a9421e83fb0e2c005e5d9ac171305192beabe965f3385accaf2647be3e8e
• 58fdc1b6ce4744d6331f8e2efc4652d754e803cae4cc16101fc78438184995e6
• 97ba8d30cf8393c39f61f7e63266914ecafd07bd49911370afb866399446f37d
• a80a35649f638049244a06dd4fb6eca4de0757ef566bfbe1affe1c8bf1d96b04
• b8233fe9e903ca08b9b1836fe6197e7d3e98e36b13815d8662de09832367a98a
• f4aa4c6942a87087530494cba770a1dcbc263514d874f12ba93a64b1edbae21c
• facf3b40a2b99cc15eee7b7aee3b36a57f0951cda45931fcde311c0cc21cdc71
• 6a3839788c0dafe591718a3fb6316d12ccd8e82dbcb41ce40e66b743f2dd344d
• 148c69a7a1e06dc06e52db5c3f5895de6adc3d79498bc3ccc2cbd8fdf28b2070
• 1ad43ddfce147c1ec71b37011d522c11999a974811fead11fee6761ceb920b10
• 458641936e2b41c425161a9b892d2aa08d1de2bc0db446f214b5f87a6a506432
• 8a4fbcdec5c08e6324e3142f8b8c41da5b8e714b9398c425c47189f17a51d07b
• 6bf8a19deb443bde013678f3ff83ab9db4ddc47838cd9d00935888e00b30cee6
• 72a25d959d12e3efe9604aee4b1e7e4db1ef590848d207007419838ddbad5e3f
• 15eee641978ac318dabc397d9c39fb4cb8e1a854883d8c2401f6f04845a79b4b
• 3e39fc595db9db1706828b0791161440dc1571eaa07b523df9b721ad65e2369b
• 27202534cc03a398308475146f6710b790aa31361931d4fe1b495c31c3ed54f7

SHA-1

• 8c1249d410a42319aa24cb9bdc0ab2cf4bca4342
• d0faaa55ee1613a952440dbc0c2f13012d1ecc5c
• dcf6ee88ec353d3dda02f463f0d359c1bd4d46b9
• 2ab49cbc1f4518e3368712a960c49a3e24975351
• af1c0acd817a53e9ec1c8cd081cd3b112205e2ec
• 308977be2f37a7940f2b2430a49e23d87fa10524
• 1f2fa02f4e71b27700888cee750d4681bd858b2a
• 04df94756f81b46905d9a8ec76fdaa00fdeb072b
• 7c837e382597a42244002062a6adf1f71417fbbe
• 3bcd12cad32505d5b59acabf2e511942cb15a611
• a896a8140562c9e93828320d2a198a6dc24a453e
• 7757cf6bd16a975d120156ebaec2317b5dc7c9ef
• 3495faeddcc98fc770bb9b275314234c8aae8502
• 2092423079ac375a59cd3cb320ca6d21d6732ed6
• 63e9a16b0f4e7d8b290b95aec4cf3773f6e001df
• 0eb6b3fa6f054d46158133c89df5eb5b30a37dfb
• 741fc4c4348a397e9671f4e78538ee9f8ba855e4
• 2ee8d2adc5ba6cc40d0ae462a5a005160dc6b8b2
• a9f3ecdef0ba75dc840a6ef50c69eac6d7f03baa
• 1906552eee7c68c30198e49ce079181206034c5e
• 84ac066387ddafc8b9cf727cf257257b9534fb7d

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Encourage users to regularly update their systems and install security patches to mitigate vulnerabilities that threat actors may exploit.
• Advocate for the implementation of multi-factor authentication wherever possible to add an extra layer of security, especially for sensitive applications like messaging and financial apps.
• Organizations should conduct regular security audits and vulnerability assessments to identify and address potential weaknesses in their systems and networks.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Along with network and system hardening, code hardening should be implemented within the organization to secure its websites and software. Test tools are used to detect any vulnerabilities in the deployed codes.