North Korea building cash reserves using ransomware, video games

Microsoft says Kim’s hermit nation is pivoting to latest tools as it evolves in cyberspace

A brand-new cybercrime group that Microsoft ties to North Korea is tricking targets using fake job opportunities to launch malware and ransomware, all for financial gain.

Microsoft tracks this group as "Moonstone Sleet" and says it has been active since at least August 2023 – the earliest date its activity was spotted – and has been deploying trojanized versions of PuTTY and SumatraPDF via LinkedIn, Telegram, and various freelancing platforms.

These apps are designed to load additional payloads and provide access to launch follow-on attacks against specific targets.

Moonstone Sleet has also been linked to the deployment of a new ransomware strain called FakePenny, spotted as recently as April 2024. 

Kim Jong-Un's regime is no stranger to developing ransomware to achieve its goals in cyberspace, which is generally understood to be largely focused on generating finances for military endeavors. However, Microsoft noted this is the first time this specific group has developed custom ransomware.

That April attack targeted an unnamed defense technology company, Microsoft says, after Moonstone Sleet originally compromised the organization in December 2023 to steal credentials and intellectual property. The attackers lay in wait for months before using FakePenny to encrypt files and demand a ransom.

Unlike NORK ransomware strains of days gone by, the monetary demands have now shot up. WannaCry was the work of Kim, and the strain shredded through organizations back in 2013, but its ransom demands were just a few hundred dollars a pop.

Likewise, another of North Korea's strains, the more recent H0lyGh0st of 2022, demanded loftier sums in the five- to low six-figure range. Now, though, FakePenny demands sums more aligned with the commercial ransomware market, at $6.6 million, Microsoft says.

It's the latest move from North Korea to extract funds from the economies of the US and its allies. It has been well publicized in recent years that the hermit nation is deploying various IT experts, mainly across Asia and especially in China, to apply for freelance or remote tech roles based in North America and Europe.

The US was able to nab a few of the culprits this month, including a US national accused of conspiring to help these overseas workers complete their job roles without arousing suspicion.

Christina Marie Chapman of Litchfield Park, Arizona, allegedly ran a laptop farm: arrays of laptops that North Korean workers would remote into in order to carry out their US jobs from an IP address that wouldn't raise any concerns with security tooling. The operation involved victims ranging from "iconic" American car manufacturers to major broadcasters.

Moonstone Sleet has also been spotted using similar tactics, applying for software development positions at "multiple legitimate companies", which Microsoft reckons could be either to generate revenue or to gain initial access to organizations of interest.

On the other side of the job market, the group also has experience in setting up fake companies to build relationships with organizations of interest, especially those in the software development and higher education spaces.

These companies would often claim to provide services such as software development and other IT services including AI and blockchain. The goal is believed to be the same, though: to exploit targets for financial gain or to get initial access as a foothold for follow-on attacks.

"Moonstone Sleet's diverse set of tactics is notable not only because of their effectiveness but because of how they have evolved from those of several other North Korean threat actors over many years of activity to meet North Korean cyber objectives," Microsoft said.

"For example, North Korea has for many years maintained a cadre of remote IT workers to generate revenue in support of the country's objectives. Moonstone Sleet's pivot to conduct IT work within its campaigns indicates it may not only be helping with this strategic initiative, but possibly also expanding the use of remote IT workers beyond just financial gain. 

"Additionally, Moonstone Sleet's addition of ransomware to its playbook, like another North Korean threat actor, Onyx Sleet, may suggest it is expanding its set of capabilities to enable disruptive operations."

Microsoft also notes the overlapping nature of various aspects of its tradecraft. One of Moonstone Sleet's fake companies, for example, sent emails to target organizations inviting them to download a malicious video game the group developed themed around tanks.

In this separate campaign, Kim's attackers would message targets about the game while claiming to seek investment or development support. It coupled these efforts with solid marketing which included a website and various social media accounts, which have since been suspended. ®
