May 29, 2024
Severity
High
Analysis Summary
The FakePenny ransomware attacks, which have resulted in demands for millions of dollars in ransom, have been attributed by Microsoft to a North Korean threat group dubbed Moonstone Sleet.
Although the group's tactics, techniques and procedures (TTPs) initially overlapped heavily with those of other North Korean actors, it has steadily added new attack methods and built its own infrastructure and tooling. Moonstone Sleet, previously tracked by Microsoft as Storm-1789, pursues both financial gain and cyber espionage. Its lures include trojanized legitimate software (such as PuTTY), malicious games and npm packages, custom malware loaders, and fake software development companies (such as StarGlow Ventures and C.C. Waterfall) whose personas approach prospective victims on freelancer networks, LinkedIn, Telegram and by email.
When Microsoft first identified Moonstone Sleet activity, the actor showed significant overlap with Diamond Sleet: it frequently reused code from Comebacker, a known Diamond Sleet malware family, and relied on established Diamond Sleet techniques such as distributing trojanized software via social media to gain entry into organizations. Moonstone Sleet soon moved to its own attacks and bespoke infrastructure, and Microsoft has since observed Moonstone Sleet and Diamond Sleet operating in parallel, with Diamond Sleet continuing to use much of its well-documented tradecraft.
FakePenny was first observed in April 2024, when Moonstone Sleet deployed a new variant of its custom ransomware on a network it had compromised two months earlier. Unlike earlier ransomware attacks run by North Korean state actors, which demanded $100,000 from victims, the FakePenny ransom note demanded $6.6 million in Bitcoin.
Microsoft assesses financial gain to be the main motive for the ransomware deployment. Given the group's prior cyber-espionage operations, its objectives are likely both intelligence collection and revenue generation. Since it was first observed, the group has targeted individuals and organizations in the software and information technology, education, and defense industrial base sectors.
Moonstone Sleet is not the only North Korean group linked to ransomware in recent years. The WannaCry outbreak of May 2017, which encrypted files on hundreds of thousands of computers worldwide, was officially attributed to the Lazarus Group by the governments of the United States and the United Kingdom in December 2017. In July 2022, Microsoft tied North Korean actors to the Holy Ghost (H0lyGh0st) ransomware operation and the FBI tied them to the Maui ransomware attacks against healthcare organizations.
Moonstone Sleet's broad set of tactics is notable not only for its effectiveness but because it has evolved, over years of activity, out of the tradecraft of several other North Korean threat actors in pursuit of North Korean cyber objectives. Its addition of ransomware to the playbook, like that of Onyx Sleet, another North Korean actor, may also indicate that Moonstone Sleet is expanding its capabilities to enable disruptive operations.
Impact
- Financial Loss
- Cyber Espionage
- Sensitive Data Theft
- File Encryption
Indicators of Compromise
Domain Name
- bestonlinefilmstudio.org
- blockchain-newtech.com
- ccwaterfall.com
- chaingrown.com
- defitankzone.com
- detankwar.com
- freenet-zhilly.org
- matrixane.com
- pointdnt.com
- starglowventures.com
- mingeloem.com
MD5
- 1d5ad4a60ec9be32c11ad99f234bfe8f
- 14af3f039f2398b454bbb64c7fdf4a22
- 66c45a736e165cf78cee7970bbc74ead
- 330fff5b3c54a03fd59a64981e96814d
- b8e1fe2955282a58fa3042b25f2ce19d
- 608fb305734364e63513ef36da787f2b
- c0bb453d00bf3d8acde09b691ca9b5f2
- 6c76f795c4b3ff2e478766dee7c738d6
- 08f8353101fb2f11a1036a947f8fce83
- 39898007146d7b436d013924db58ebc6
SHA-256
- f59035192098e44b86c4648a0de4078edbe80352260276f4755d15d354f5fc58
- cb97ec024c04150ad419d1af2d1eb66b5c48ab5f345409d9d791db574981a3fb
- 39d7407e76080ec5d838c8ebca5182f3ac4a5f416ff7bda9cbc4efffd78b4ff5
- 70c5b64589277ace59db86d19d846a9236214b48aacabbaf880f2b6355ab5260
- cafaa7bc3277711509dc0800ed53b82f645e86c195e85fbf34430bbc75c39c24
- 9863173e0a45318f776e36b1a8529380362af8f3e73a2b4875e30d31ad7bd3c1
- f66122a3e1eaa7dcb7c13838037573dace4e5a1c474a23006417274c0c8608be
- 56554117d96d12bd3504ebef2a8f28e790dd1fe583c33ad58ccbf614313ead8c
- ecce739b556f26de07adbfc660a958ba2dca432f70a8c4dd01466141a6551146
- 09d152aa2b6261e3b0a1d1c19fa8032f215932186829cfcca954cc5e84a6cc38
SHA-1
- be6909ba6e0b4d228da5b9daccc83f7082c06cf2
- f1f75da17e8c125b87fdafd76386f90213362bcf
- b0479c5d4de5541a60923b5627ed62e6391efe2f
- 550bdf367fba63a81276465a65dcb64280240dda
- dd91678f1d023607430d53b5ff5f1d6533a98469
- bda08d55f14827abf21abb79384039660f2fa198
- 2ebfcbf2deb09e9af046ae765797a654b49645c2
- e99d44e93069001129c8f88f7a5259fb21bb6b68
- 853d256bafd39426fad9bf5f7fad2971b7978c06
- dd8b8c4de92d9b6d1d04f0e995f4cc7e746d0a64
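One way to hunt for these indicators, as an added example that is not code from the advisory or from Microsoft: the script below carries the domains and hashes listed above, checks DNS or proxy log lines for lookups of any listed domain or a subdomain of it, and hashes files on disk against the listed MD5, SHA-1 and SHA-256 values in a single pass. The log lines in SAMPLE_LOG are constructed for the example (BIND query-log and Squid access-log shapes are assumed); the host-name regex is a deliberately loose heuristic that works on any text log carrying the queried name in clear.

```python
"""IOC sweep for the Moonstone Sleet indicators listed above. Added example,
not code from the advisory or from Microsoft: matches DNS/proxy log lines
against the listed domains (and their subdomains) and hashes files against
the listed MD5/SHA-1/SHA-256 values. SAMPLE_LOG is constructed."""
import hashlib
import os
import re
import sys
from typing import Dict, Iterable, List, Optional, Tuple

IOC_DOMAINS = {  # domains from the IOC section
    "bestonlinefilmstudio.org", "blockchain-newtech.com", "ccwaterfall.com",
    "chaingrown.com", "defitankzone.com", "detankwar.com",
    "freenet-zhilly.org", "matrixane.com", "pointdnt.com",
    "starglowventures.com", "mingeloem.com",
}
IOC_HASHES: Dict[str, set] = {  # hashes from the IOC section, by algorithm
    "md5": {
        "1d5ad4a60ec9be32c11ad99f234bfe8f", "14af3f039f2398b454bbb64c7fdf4a22",
        "66c45a736e165cf78cee7970bbc74ead", "330fff5b3c54a03fd59a64981e96814d",
        "b8e1fe2955282a58fa3042b25f2ce19d", "608fb305734364e63513ef36da787f2b",
        "c0bb453d00bf3d8acde09b691ca9b5f2", "6c76f795c4b3ff2e478766dee7c738d6",
        "08f8353101fb2f11a1036a947f8fce83", "39898007146d7b436d013924db58ebc6",
    },
    "sha1": {
        "be6909ba6e0b4d228da5b9daccc83f7082c06cf2", "f1f75da17e8c125b87fdafd76386f90213362bcf",
        "b0479c5d4de5541a60923b5627ed62e6391efe2f", "550bdf367fba63a81276465a65dcb64280240dda",
        "dd91678f1d023607430d53b5ff5f1d6533a98469", "bda08d55f14827abf21abb79384039660f2fa198",
        "2ebfcbf2deb09e9af046ae765797a654b49645c2", "e99d44e93069001129c8f88f7a5259fb21bb6b68",
        "853d256bafd39426fad9bf5f7fad2971b7978c06", "dd8b8c4de92d9b6d1d04f0e995f4cc7e746d0a64",
    },
    "sha256": {
        "f59035192098e44b86c4648a0de4078edbe80352260276f4755d15d354f5fc58",
        "cb97ec024c04150ad419d1af2d1eb66b5c48ab5f345409d9d791db574981a3fb",
        "39d7407e76080ec5d838c8ebca5182f3ac4a5f416ff7bda9cbc4efffd78b4ff5",
        "70c5b64589277ace59db86d19d846a9236214b48aacabbaf880f2b6355ab5260",
        "cafaa7bc3277711509dc0800ed53b82f645e86c195e85fbf34430bbc75c39c24",
        "9863173e0a45318f776e36b1a8529380362af8f3e73a2b4875e30d31ad7bd3c1",
        "f66122a3e1eaa7dcb7c13838037573dace4e5a1c474a23006417274c0c8608be",
        "56554117d96d12bd3504ebef2a8f28e790dd1fe583c33ad58ccbf614313ead8c",
        "ecce739b556f26de07adbfc660a958ba2dca432f70a8c4dd01466141a6551146",
        "09d152aa2b6261e3b0a1d1c19fa8032f215932186829cfcca954cc5e84a6cc38",
    },
}
# Dotted host names in a log line (BIND query logs, Squid access logs and Zeek
# dns.log text all carry the queried name in clear); IPs are excluded by the
# letters-only final label.
_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)

def matching_ioc_domain(host: str) -> Optional[str]:
    """IOC domain that `host` equals or sits under, else None. Label-wise suffix
    matching catches cdn.starglowventures.com but not notccwaterfall.com."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None

def scan_log_lines(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """(line_number, host_seen, ioc_domain) for every IOC domain hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in _HOST_RE.findall(line):
            ioc = matching_ioc_domain(host)
            if ioc:
                hits.append((n, host.lower(), ioc))
    return hits

def stream_digests(chunks: Iterable[bytes]) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of a byte stream, computed in a single pass."""
    hashers = {alg: hashlib.new(alg) for alg in IOC_HASHES}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}

def matching_ioc_hashes(digests: Dict[str, str]) -> List[str]:
    """Algorithms under which a digest is on the IOC list."""
    return [alg for alg, d in digests.items() if d.lower() in IOC_HASHES[alg]]

def sweep_directory(root: str) -> List[Tuple[str, List[str]]]:
    """Walk `root`; (path, matched_algorithms) for every file on the hash list."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:  # 1 MiB chunks: binaries can be large
                    algs = matching_ioc_hashes(stream_digests(iter(lambda: fh.read(1 << 20), b"")))
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if algs:
                hits.append((path, algs))
    return hits

SAMPLE_LOG = [  # constructed: two BIND query-log lines and one Squid access line
    "29-May-2024 10:14:02.113 client 10.0.0.5#51234: query: cdn.starglowventures.com IN A +",
    "29-May-2024 10:14:03.001 client 10.0.0.5#51235: query: notccwaterfall.com IN A +",
    "1716977644.210 312 10.0.0.7 TCP_MISS/200 4821 GET http://detankwar.com/launcher.zip - HIER_DIRECT/203.0.113.9 application/zip",
]

if __name__ == "__main__":
    print(scan_log_lines(SAMPLE_LOG))  # lines 1 and 3 hit; line 2 is a near-miss, not a hit
    print(sweep_directory(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it with a directory to sweep as the first argument (it defaults to the current directory), or feed real log lines to `scan_log_lines`. The suffix match is done label by label on purpose: a plain substring test would flag `notccwaterfall.com` as `ccwaterfall.com`, while an exact-string test would miss any new host the actor stands up under a listed domain. Hashes are only useful against the exact samples Microsoft saw, so treat a hash hit as confirmation and a domain hit as the signal worth paging on.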
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
- Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
- Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow cybersecurity best practices to protect their systems and data. This includes regularly updating software, obtaining tools such as PuTTY and npm packages only from their official distribution channels and verifying the publisher's signatures or published hashes before installation, and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Never trust or open links and attachments received from unknown sources or senders. This includes job offers, development contracts and "test" projects sent by unsolicited contacts on LinkedIn, Telegram, freelancer platforms or email; treat any software, game or package supplied through such a contact as untrusted.