A newly discovered variant of the XenoRAT malware, dubbed MoonPeak, is being distributed by a threat actor believed to have ties to North Korea’s Kimsuky group. This sophisticated malware is equipped with a complex infrastructure of command-and-control servers, staging systems, and test machines, making it harder to detect and identify.
MoonPeak, as identified by researchers at Cisco Talos, is constantly evolving and undergoing active development. It retains most of the functionalities of the original XenoRAT but exhibits consistent changes in each iteration, indicating independent modifications by the threat actors.
MoonPeak: A XenoRAT Variant
According to Cisco Talos researchers, the MoonPeak malware showcases various modifications to the XenoRAT code while keeping its core functions intact. These changes include altering the client namespace and implementing obfuscation techniques to make analysis more challenging.
The threat actor behind MoonPeak, tracked as UAT-5394, has been observed deploying the malware in attacks reminiscent of North Korean espionage tactics. The infrastructure and tactics used by UAT-5394 bear similarities to the Kimsuky group, known for targeting organizations involved in nuclear weapons research and policy.
Constant MoonPeak Modifications
In addition to code changes, the threat actor has been adjusting their infrastructure continuously. Recent shifts include moving away from public cloud services to privately controlled systems for hosting and testing MoonPeak, as well as modifying C2 components to enhance stealth and evade detection.
Analysis of MoonPeak samples by Cisco Talos reveals a deliberate effort by the threat actors to introduce subtle variations in each iteration, making it harder to attribute attacks and ensuring compatibility with specific C2 servers.