A newly discovered remote access Trojan (RAT) family, MoonPeak, has been linked to a North Korean-affiliated threat group known as UAT-5394.
This sophisticated malware, based on the open-source XenoRAT, is undergoing active development, showcasing significant enhancements aimed at evading detection and improving functionality, according to recent research from Cisco Talos.
Connection to Kimsuky
UAT-5394, an emerging player in the North Korean cyber threat landscape, shares certain tactics, techniques and procedures (TTPs) with the more established North Korean state-sponsored group Kimsuky.
Although there is no conclusive technical evidence to link UAT-5394 directly to Kimsuky, the overlap in operational patterns raises the possibility that UAT-5394 could either be a subgroup within Kimsuky or another entity borrowing from Kimsuky's playbook.
Evolution of MoonPeak Malware
Regardless of the connection, the group was initially observed utilizing cloud storage providers for hosting malicious payloads but has since moved to attacker-controlled servers, likely to mitigate risks associated with the shutdown of cloud locations by service providers.
The MoonPeak malware has also evolved through multiple versions, each iteration introducing new layers of obfuscation and unique communication protocols.
These modifications, which include changes to the malware’s namespace and compression techniques, are designed to avoid analysis and prevent unauthorized access to the malware’s command-and-control (C2) servers.
Complex C2 Infrastructure
The research also revealed that UAT-5394 has established a complex network of C2 servers and testing infrastructure, indicating a high level of organization and planning.
“An analysis of MoonPeak samples reveals an evolution in the malware and its corresponding C2 components that warranted the threat actors deploy their implant variants several times on their test machines. The constant evolution of MoonPeak runs hand-in-hand with new infrastructure set up by the threat actors,” Cisco Talos explained.
The security firm also mentioned that the rapid expansion of infrastructure indicates the group’s intent to scale its operations, posing a growing threat to global cybersecurity. The potential connection to Kimsuky amplifies the concern surrounding this emerging threat.