MoonPeak malware from North Korean actors unveils new details on attacker infrastructure

    Date: 08/26/2024

    Severity: High

    Summary

    Cisco Talos has identified a new remote access trojan, “MoonPeak,” which is based on XenoRAT and developed by a North Korean group known as “UAT-5394.” Our analysis shows connections to UAT-5394’s infrastructure and reveals new tactics and techniques. A recent AhnLab report highlights a spear-phishing campaign using an early XenoRAT variant, which evolved into MoonPeak. While there are some overlaps with the North Korean group “Kimsuky,” we lack strong evidence linking this campaign to the APT.

    Indicators of Compromise (IOC) List

    Domains/URLs

    nsonlines.store

    yoiroyse.store

    pumaria.store

    nmailhostserver.store

    IP Address


    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs

    userdomainname like "nsonlines.store" or url like "nsonlines.store" or userdomainname like "yoiroyse.store" or url like "yoiroyse.store" or userdomainname like "pumaria.store" or url like "pumaria.store" or userdomainname like "nmailhostserver.store" or url like "nmailhostserver.store"

    IP Address

    dstipaddress IN ("95.164.86.148","27.255.81.118","210.92.18.169","104.194.152.251","91.194.161.109","45.87.153.79","27.255.80.162","84.247.179.77","212.224.107.244","167.88.173.173","80.71.157.55") or ipaddress IN ("95.164.86.148","27.255.81.118","210.92.18.169","104.194.152.251","91.194.161.109","45.87.153.79","27.255.80.162","84.247.179.77","212.224.107.244","167.88.173.173","80.71.157.55") or publicipaddress IN ("95.164.86.148","27.255.81.118","210.92.18.169","104.194.152.251","91.194.161.109","45.87.153.79","27.255.80.162","84.247.179.77","212.224.107.244","167.88.173.173","80.71.157.55") or srcipaddress IN ("95.164.86.148","27.255.81.118","210.92.18.169","104.194.152.251","91.194.161.109","45.87.153.79","27.255.80.162","84.247.179.77","212.224.107.244","167.88.173.173","80.71.157.55")

    Hash

    sha256hash IN ("f4aa4c6942a87087530494cba770a1dcbc263514d874f12ba93a64b1edbae21c","3e39fc595db9db1706828b0791161440dc1571eaa07b523df9b721ad65e2369b","2b35ef3080dcc13e2d907f681443f3fc3eda832ae66b0458ca5c97050f849306","f928a0887cf3319a74c90c0bdf63b5f79710e9f9e2f769038ec9969fcc8ee329","72a25d959d12e3efe9604aee4b1e7e4db1ef590848d207007419838ddbad5e3f","97ba8d30cf8393c39f61f7e63266914ecafd07bd49911370afb866399446f37d","facf3b40a2b99cc15eee7b7aee3b36a57f0951cda45931fcde311c0cc21cdc71","1ad43ddfce147c1ec71b37011d522c11999a974811fead11fee6761ceb920b10","6a3839788c0dafe591718a3fb6316d12ccd8e82dbcb41ce40e66b743f2dd344d","6bf8a19deb443bde013678f3ff83ab9db4ddc47838cd9d00935888e00b30cee6","b8233fe9e903ca08b9b1836fe6197e7d3e98e36b13815d8662de09832367a98a","458641936e2b41c425161a9b892d2aa08d1de2bc0db446f214b5f87a6a506432","8a4fbcdec5c08e6324e3142f8b8c41da5b8e714b9398c425c47189f17a51d07b","a80a35649f638049244a06dd4fb6eca4de0757ef566bfbe1affe1c8bf1d96b04","148c69a7a1e06dc06e52db5c3f5895de6adc3d79498bc3ccc2cbd8fdf28b2070","15eee641978ac318dabc397d9c39fb4cb8e1a854883d8c2401f6f04845a79b4b","0b8897103135d92b89a83093f00d1da845a1eae63da7b57f638bab48a779808e","4599a9421e83fb0e2c005e5d9ac171305192beabe965f3385accaf2647be3e8e","44e492d5b9c48c1df7ef5e0fe9a732f271234219d8377cf909a431a386759555","58fdc1b6ce4744d6331f8e2efc4652d754e803cae4cc16101fc78438184995e6","4108c5096a62c0a6664eed781c39bb042eb0adf166fcc5d64d7c89139d525d4f","27202534cc03a398308475146f6710b790aa31361931d4fe1b495c31c3ed54f7")
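    The three TDIR queries above, re-expressed as an added Python example (not Gurucul's or Talos's code) and run over constructed log events. It assumes the query's `like` behaves as a case-insensitive substring match, so the domain rule also fires on subdomains and on URLs that merely contain the indicator, while the IP and hash rules are exact set membership, as `IN` is; only a subset of the SHA-256 values from the query is embedded to keep it short.

```python
# IOC matcher mirroring the semantics of the Gurucul TDIR queries above.
# Added example; field names (userdomainname, url, dstipaddress, ...) are
# the ones used in the queries, and the events below are constructed.
from typing import Dict, List, Tuple

DOMAINS = {"nsonlines.store", "yoiroyse.store", "pumaria.store", "nmailhostserver.store"}
IPS = {"95.164.86.148", "27.255.81.118", "210.92.18.169", "104.194.152.251",
       "91.194.161.109", "45.87.153.79", "27.255.80.162", "84.247.179.77",
       "212.224.107.244", "167.88.173.173", "80.71.157.55"}
HASHES = {  # subset of the SHA-256 values in the hash query; extend as needed
    "f4aa4c6942a87087530494cba770a1dcbc263514d874f12ba93a64b1edbae21c",
    "3e39fc595db9db1706828b0791161440dc1571eaa07b523df9b721ad65e2369b",
    "27202534cc03a398308475146f6710b790aa31361931d4fe1b495c31c3ed54f7",
}

DOMAIN_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
HASH_FIELD = "sha256hash"

Hit = Tuple[str, str, str]  # (field, indicator, ioc_type)


def match_event(event: Dict[str, str]) -> List[Hit]:
    """Return every IOC hit in one event, following the query's three rules."""
    hits: List[Hit] = []
    for field in DOMAIN_FIELDS:  # assumption: `like` == substring, case-insensitive
        value = str(event.get(field, "")).lower()
        hits.extend((field, d, "domain") for d in sorted(DOMAINS) if d in value)
    for field in IP_FIELDS:  # `IN` == exact membership
        value = event.get(field)
        if value in IPS:
            hits.append((field, value, "ip"))
    digest = str(event.get(HASH_FIELD, "")).lower()  # normalise hex case
    if digest in HASHES:
        hits.append((HASH_FIELD, digest, "sha256"))
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[Hit]]]:
    """Return (event id, hits) for each event that matches at least one rule."""
    return [(e["id"], h) for e in events if (h := match_event(e))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "e1", "url": "https://mail.PUMARIA.store/login", "dstipaddress": "10.0.0.5"},
    {"id": "e2", "srcipaddress": "27.255.80.162", "userdomainname": "corp.example"},
    {"id": "e3", "sha256hash": "F4AA4C6942A87087530494CBA770A1DCBC263514D874F12BA93A64B1EDBAE21C"},
    {"id": "e4", "url": "https://www.example.com/", "dstipaddress": "192.0.2.10"},
]
```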

    Reference:

    https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/


    Tags

    Malware, RAT, Phishing
