
North Korea’s Cyber Threat Evolves With MoonPeak Malware
- Written by Kiara Fabbri, Former Tech News Writer
- Fact-Checked by Justyn Newman, Former Lead Cybersecurity Editor
Cisco Talos has identified a North Korean hacking group it tracks as “UAT-5394,” which operates its own servers to test and control its malware. The group is deploying a new remote access trojan called “MoonPeak,” a modified build of the earlier open-source malware XenoRAT.
In their report, published yesterday, the researchers state that MoonPeak is based on the publicly available source code for XenoRAT, which was released on GitHub around October 2023.
Although MoonPeak retains many of the original XenoRAT’s functionalities, Cisco Talos’ analysis has identified consistent changes across its variants, indicating that the threat actors are independently modifying and evolving the code beyond the open-source version.
While MoonPeak shares some similarities with malware used by a known North Korean group called “Kimsuky,” Cisco Talos states they don’t have enough evidence to confirm a direct link between them.
The researchers suggest that new malware raises two main possibilities. First, UAT-5394 might be Kimsuky or a subgroup of Kimsuky that is replacing their old malware with MoonPeak.
Alternatively, UAT-5394 could be a different North Korean group that is using similar techniques and infrastructure to Kimsuky.
For now, Cisco Talos has decided to treat UAT-5394 as a separate group until they have more evidence to connect them to Kimsuky or confirm them as a unique group within North Korea’s hacking operations.
Cisco Talos’ researchers also revealed that the group runs dedicated servers to test and update MoonPeak. According to Talos, these servers both host the malware for download and act as its command and control (C2), and the operators typically connect to them through VPNs to manage and update the implants.
Furthermore, Cybersecurity News reports that the threat actors have made several modifications to the XenoRAT code base, including changes to the client namespace, the communication protocol, and the obfuscation techniques.
These changes are intended to improve evasion and to ensure that only the group’s own MoonPeak clients can talk to its command and control (C2) infrastructure, so that unrelated XenoRAT builds or analysts’ test clients are rejected.
According to The Cyber Express, the researchers noted a significant change in the actor’s tactics in June 2024: they stopped hosting malicious payloads on legitimate cloud storage providers and moved them to systems and servers they own and control.
TCE suggests that this move was likely aimed at protecting their operations from takedowns by cloud service providers, who can suspend abusive accounts.
Finally, Cybersecurity News points out that the rapid pace of these changes reflects the group’s efforts to expand its campaign quickly while setting up more drop points and C2 servers.

Telegram, WhatsApp Outages In Russia Spark Speculation
- Written by Kiara Fabbri, Former Tech News Writer
- Fact-Checked by Justyn Newman, Former Lead Cybersecurity Editor
Brief outages of Telegram and WhatsApp were reported in Russia yesterday, with the country’s media regulator, Roskomnadzor, attributing the disruption to a distributed denial-of-service (DDoS) cyberattack targeting Russian telecom operators.
A DDoS attack floods a server or network with traffic from many sources at once, exhausting its capacity so that legitimate users cannot get through. According to The Moscow Times (TMT), Roskomnadzor claimed that the attack caused “large-scale disruption” but was repelled within an hour, allowing normal service to resume shortly after.
Reuters confirmed that the cyberattack was successfully repelled and that the messaging networks were restored to full functionality. They also reported that other online platforms, such as Wikipedia, Skype, and Discord, had also experienced disruptions.
However, as reported by TMT, some internet experts suspect the government’s involvement. They suggest that the authorities may have attempted to block the messaging services themselves amid increasing efforts to tighten internet censorship.
TMT reports that Stanislav Shakirov, technical director at Roskomsvoboda, suggested that an attempt by Roskomnadzor to block Telegram may have caused the disruptions to other internet services, much as its 2018 attempt to block Telegram by IP address range knocked out unrelated services that shared the same hosting infrastructure.
TMT also adds that Filipp Kulin, who monitors Roskomnadzor’s blocked websites, dismissed the DDoS attack claim as “nonsense,” arguing that a true DDoS would impact all operators, not just specific services.
Reuters notes that this incident follows recent reports from Russian internet monitoring services of a mass outage on YouTube, another platform under increasing scrutiny by Russian authorities. Additionally, Signal users in Russia reported glitches with the secure messenger app earlier this month.
The disruption to Telegram and WhatsApp, both widely used in Russia, further highlights the ongoing tension between the Russian government and tech companies. In 2022, Moscow banned Facebook and Instagram and designated their parent company Meta, which also owns WhatsApp, an “extremist” organization.
While these services can still be reached through virtual private networks (VPNs), the recent outages suggest that the Russian authorities may be seeking to tighten their control over online communication.