MoonPeak Trojan: New North Korean Cyber Campaign Uncovered by Cisco Talos

North Korean Hackers Deploy New MoonPeak Trojan in Cyber Campaign

A new remote access trojan (RAT) named MoonPeak has been uncovered in a cyber campaign linked to a North Korean state-sponsored hacking group. Cisco Talos identified this malicious activity and attributed it to UAT-5394, a threat cluster with significant tactical overlaps with the known nation-state actor Kimsuky.

MoonPeak is a variant of the open-source Xeno RAT malware, which has been actively developed by the threat actor. This malware was previously used in phishing attacks that relied on actor-controlled cloud services like Dropbox, Google Drive, and Microsoft OneDrive to retrieve payloads. Some key capabilities of Xeno RAT include the ability to load additional plugins, manage processes, and communicate with a command-and-control (C2) server.

Cisco Talos researchers Asheer Malhotra, Guilherme Venere, and Vitor Ventura noted that the similarities between UAT-5394 and Kimsuky suggest that UAT-5394 is either a subgroup of Kimsuky or another North Korean hacking crew that shares tools with Kimsuky.

A critical aspect of this campaign is the creation of new infrastructure, including C2 servers, payload-hosting sites, and test virtual machines, all designed to facilitate the deployment of new MoonPeak iterations. “The C2 server hosts malicious artifacts for download, which are then used to access and establish new infrastructure supporting this campaign,” the researchers explained.

In several cases, the threat actor accessed existing servers to update payloads and to retrieve logs and data collected from MoonPeak infections. This shift from using legitimate cloud storage to operating their own servers marks a significant pivot in their strategy. The specific targets of the campaign, however, remain unknown.

The continual evolution of MoonPeak aligns with the threat actor's strategy of constantly establishing new infrastructure. Each new version of the malware introduces enhanced obfuscation techniques and modifications to the communication mechanism to prevent unauthorized access. The researchers emphasized that specific variants of MoonPeak are tailored to work only with corresponding variants of the C2 server.

The rapid adoption and development of new malware, as seen with MoonPeak, underscores UAT-5394's intent to expand this campaign quickly. The group's fast setup of additional drop points and C2 servers highlights its aggressive approach to proliferating the campaign.

Author

  • Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.