Researchers have uncovered a new remote access trojan (RAT) family, dubbed ‘MoonPeak,’ that is being actively developed by a North Korean threat actor cluster known as ‘UAT-5394.’ The researchers’ analysis of the threat actor’s infrastructure reveals a complex web of command-and-control (C2) servers, staging servers, and test machines used to develop and deploy the malware.
Mapping North Korean APT UAT-5394’s Infrastructure
Talos’ investigation has led to the discovery of numerous servers owned, operated and administered by UAT-5394. This infrastructure includes C2 servers, payload-hosting sites, and virtual machines used to test their MoonPeak implants before distribution.
The researchers observed a distinct shift in the actor’s tactics in June 2024, as they moved from hosting malicious payloads on legitimate cloud storage providers to systems and servers they now owned and controlled. This was likely done to preserve their infections from potential shutdowns by cloud service providers.
The campaign involved the use of multiple C2 servers, payload-hosting sites, and test virtual machines to test MoonPeak implants before distributing them to potential targets. The threat actors have also been observed accessing their infrastructure from VPN nodes, highlighting their ability to adapt and evolve.
Another key server in UAT-5394’s infrastructure was 167.88.173.173, a high-flux server that had been observed changing operating systems and web servers multiple times in a span of less than two months. While this server was initially linked to the Gamaredon APT, a threat group allegedly associated with the Russian FSB, the researcher’s analysis found a window of time in late June and early July 2024 where the researchers assess with high confidence that the IP was under UAT-5394’s control.
During this period, the server was running Windows Server 2022 and was used by UAT-5394 to compile MoonPeak v2 malware samples pointing to its port 9966 as the C2 server. The researchers also observed two other IP addresses, 45.87.153.79 and 45.95.11.52, accessing this server over ports 9936 and 9966 – the same C2 ports used by MoonPeak malware.
The investigation also revealed that 167.88.173.173 resolved to and hosted an SSL certificate for the malicious domain pumaria.store, which was later found to resolve to 104.194.152.251 on July 11, 2024. On the same day, one of UAT-5394’s test machines, 80.71.157.55, communicated with 104.194.152.251 over port 443, indicating that this system was being used to test MoonPeak infections.
Further analysis of 104.194.152.251 showed that it resolved to other domains attributed to UAT-5394, such as yoiroyse.store, and was used to host MoonPeak malware and set up a new C2 server at 91.194.161.109.
Testing And Evolving MoonPeak
The researchers observed the use of several virtual machines on the servers 45.87.153.79, 45.95.11.52, and 80.71.157.55, used by UAT-5394 to test MoonPeak infections over various C2 ports since at least July 2, 2024.
The researchers noted that the test timings over these ports matched the compilation times of the various MoonPeak samples they had noted, further observing an evolution in the malware and its corresponding C2 components, with each new increment differing from the previous one in terms of evasion techniques and infrastructure changes.
This constant evolution suggests that the threat actors are actively developing and refining MoonPeak to evade detection. The threat actors have been observed deploying their implant variants several times on their test machines, demonstrating capability as well as the resources for adaptability.
Potential indicators of compromise (IOCs) from MoonPeak’s campaigns and attack operations were shared over GitHub.
