web analytics

North Korean Hackers Pivot Away From Public Cloud – Source: www.databreachtoday.com

north-korean-hackers-pivot-away-from-public-cloud-–-source:-wwwdatabreachtoday.com
Rate this post

Source: www.databreachtoday.com – Author: 1

Cyberwarfare / Nation-State Attacks
,
Fraud Management & Cybercrime

Kimsuky, or a Related Group, Deploys XenoRAT Variant

Jayant Chakravarti (@JayJay_Tech) •
August 22, 2024    

North Korean Hackers Pivot Away From Public Cloud
A skyline view of Pyongyang in an undated file photo (Image: Shutterstock)

A North Korean hacking team hastily pivoted from using publicly available cloud computing storage to its own infrastructure after security researchers unmasked a malware campaign, said Cisco Talos.

See Also: Webinar | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

The cybersecurity firm said Wednesday it uncovered an elaborate infrastructure composed of multiple servers, test environments and websites that a threat group it tracks as UAT-5394 is using to test a remote access malware dubbed MoonPeak.

The group in June shifted from using cloud services including Google Drive, OneDrive and Dropbox to systems directly under its control. They likely did this after reading research published by South Korean cybersecurity firm AhnLab in May that traces deployment of XenoRAT malware to commercial cloud services.

The group likely moved its infrastructure “to preserve their infections from potential shutdown of cloud locations by the service providers,” Talos said. The threat actor also apparently infected one of its own command-and-control servers with the QuasarRAT remote Trojan. It’s hard to say why exactly, but Talos said it believes with low confidence the threat group deliberately placed QuasarRAT on its server as a “parallel means of maintaining access.”

The firm said UAT-5394 activity overlaps with the Pyongyang threat actor commonly tracked as Kimsuky (see: Kimsuky Uses Permissive DMARC Policies to Spoof Emails).

The group is either Kimsuky itself – or a subgroup – or another North Korean hacking cluster that borrows tactics, techniques and procedures and infrastructure patterns from Kimsuky.

UAT-5394 has been distributing a variant of XenoRAT that Talos dubs MoonPeak. “While MoonPeak contains most of the functionalities of the original XenoRAT, our analysis observed consistent changes throughout the variants that shows the threat actors are modifying and evolving the code independently from the open-source version,” Talos said.

XenoRAT is an open-source remote access Trojan that enables its operators to remotely control Windows devices and perform malicious activities. The malware employs obfuscation techniques to evade detection, uses SOCKS5 proxies to communicate with the command-and-control server and can run within legitimate processes. Various threat groups use the malware code for malicious activities.

Talos researchers also uncovered another server used by UAT-5394 that hosted the latest version of MoonPeak, built as recently as July 16. Each modified variant of MoonPeak has shown greater obfuscation ability. North Korean hackers are also modifying each version of MoonPeak so that each variant only works with specific parts of its command-and-control infrastructure.

Original Post url: https://www.databreachtoday.com/north-korean-hackers-pivot-away-from-public-cloud-a-26122

Category & Tags: –

Views: 1

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Codrut Andrei
Secure Software Development Lifecycle Fundamentals by Codrut Andrei
Secure Software Development Lifecycle Fundamentals...
BUTTERWORTH-HEINEMANN
Security Operations Center Guidebook – A Practical Guide for a Successful SOC
Security Operations Center Guidebook –...
CISO Forum
CISO’s – First 100 Days Roadmap – Your success as a security leader is determined largely by your first 100 days in the role.
CISO’s – First 100 Days...
RedHat
State of Kubernetes Security Report 2022 by RedHat
State of Kubernetes Security Report...
National Cyber Security
Cyber Security Toolkit for Boards – Helping board members to get to grips with cyber security by NCSC
Cyber Security Toolkit for Boards...
WILEY
Cybercrime Investigators Handbook by WILEY
Cybercrime Investigators Handbook by WILEY
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...

LASTEST PUBLISHED POSTS

LogRhythm
A Guide to User and Entity Behavior Analytics (UEBA)
A Guide to User and...
BONI YEAMIN
100 Offensive Linux Security Tools
100 Offensive Linux Security Tools
SentinelOne
90 DAYS A CISO’S JOURNEY TO IMPACT
90 DAYS A CISO’S JOURNEY...
ChiefExecutive
Ciberseguridad: Prioridad Estratégica para los CEO.
Ciberseguridad: Prioridad Estratégica para los...
CYBER SECURITY COALITION
CYBER SECURITY INCIDENT MANAGEMENT GUIDE
CYBER SECURITY INCIDENT MANAGEMENT GUIDE
INL/EXT
Cybersecurity for Distributed Wind
Cybersecurity for Distributed Wind
ARTIC WOLF
Cybersecurity Compliance Guide
Cybersecurity Compliance Guide
ESRAA MOHAMAD
ELEARN SECURITY CERTIFIED INCIDENT RESPONSE
ELEARN SECURITY CERTIFIED INCIDENT RESPONSE
DRAGOS
Impact of FrostyGoop ICS Malware on Connected OT Systems
Impact of FrostyGoop ICS Malware...
Victor Tong
Digital Operational Resilience Act – Control Mappings
Digital Operational Resilience Act –...
ARMIS
DORA Resiliency Guide Strengthening Cybersecurity and Operational Resilience in the Financial Sector
DORA Resiliency Guide Strengthening Cybersecurity...
IGNITE Technologies
Docker Penetration Testing
Docker Penetration Testing

More Latest Published Posts

Apress
Cyber Security on Azure An IT Professional’s Guide to Microsoft Azure Security
Cyber Security on Azure An IT Professional’s Guide to Microsoft Azure Security
CyberJA
ASSET IDENTIFICATION & CLASSIFICATION-A CRITICAL COMPONENT OF CYBER RISK MANAGEMENT
ASSET IDENTIFICATION & CLASSIFICATION-A CRITICAL COMPONENT OF CYBER RISK MANAGEMENT
SOSAFE
CybercrimeTrends 2024 The latest threats and security best practices
CybercrimeTrends 2024 The latest threats and security best practices
Routledge
Cyber Security Politics Socio-Technological Transformations and Political Fragmentation
Cyber Security Politics Socio-Technological Transformations and Political Fragmentation
Cigref
Surviving a Massive cyber-attack by Cigref
Surviving a Massive cyber-attack by Cigref
Hidaia Mahmood Alassouli
Common Windows, Linux and Web Server SystemsHacking Techniques
Common Windows, Linux and Web Server SystemsHacking Techniques
Splunk
SPLUNK® AND THE CIS CRITICALSECURITY CONTROLS Mapping Splunk Software to the CIS 20 CSC Version 6.0
SPLUNK® AND THE CIS CRITICALSECURITY CONTROLS Mapping Splunk Software to the CIS 20 CSC Version 6.0
SOC SIEM Use Cases
SOC SIEM Use Cases
safecode
Six Pillars of DevSecOps- Collaboration and Integration
Six Pillars of DevSecOps- Collaboration and Integration
SentineOne
WatchTower I ntelligence-Driven Threat Hunting
WatchTower I ntelligence-Driven Threat Hunting
CNIL
Security of Personal Data
Security of Personal Data
OPSWAP
Securing ICS SCADA updates OT Environments
Securing ICS SCADA updates OT Environments
Top 300 Azure Sentinel Used Cases KQL (Kusto Query Language) queries
Top 300 Azure Sentinel Used Cases KQL (Kusto Query Language) queries
WITH SECURE
Threat Landscape Update Report
Threat Landscape Update Report
ThreatRadar
Threat Intel Roundup
Threat Intel Roundup
ThreatRadar
Threat Intel Roundup
Threat Intel Roundup
ThreatRadar
Threat Intel Roundup
Threat Intel Roundup
Mihaela Curcă
The Role of Cyber Espionage inInternational Relations
The Role of Cyber Espionage inInternational Relations
GLOBAL NETWORK OF DIRECTOR INSTITUTES
THE FUTURE OF BOARD GOVERNANCE
THE FUTURE OF BOARD GOVERNANCE
Deloitte
The CISO’s Guide to Generative AI
The CISO’s Guide to Generative AI
Capgemini
PROMPT THE FUTURE
PROMPT THE FUTURE
Google
We’re All in this Together
We’re All in this Together
CyberSN
U.S. Cybersecurity Job Posting Data Report
U.S. Cybersecurity Job Posting Data Report
CISA | Cybersecurity and Infrastructure Security Agency
UNDERSTANDING AND RESPONDING TO DISTRIBUTED DENIAL-OF-SERVICE ATTACKS
UNDERSTANDING AND RESPONDING TO DISTRIBUTED DENIAL-OF-SERVICE ATTACKS
McKinsey & Company
Transforming risk efficiency and effectiveness
Transforming risk efficiency and effectiveness
Arnold Antoo
Zero Trust Security Model
Zero Trust Security Model
Richea Perry
Your Cybersecurity Toolkit
Your Cybersecurity Toolkit
IGNITE Technologies
Wireless Penetration Testing
Wireless Penetration Testing