North Korea building cash reserves using ransomware, video games

Microsoft says Kim’s hermit nation is pivoting to latest tools as it evolves in cyberspace


A brand-new cybercrime group that Microsoft ties to North Korea is tricking targets using fake job opportunities to launch malware and ransomware, all for financial gain.

Microsoft tracks this group as "Moonstone Sleet" and says it has been active since at least August 2023 – the earliest date its activity was spotted – and has been deploying trojanized versions of PuTTY and SumatraPDF via LinkedIn, Telegram, and various freelancing platforms.

These apps are designed to load additional payloads and provide access to launch follow-on attacks against specific targets.

Moonstone Sleet has also been linked to the deployment of a new ransomware strain called FakePenny, spotted as recently as April 2024. 

Kim Jong-Un's regime is no stranger to developing ransomware to achieve its goals in cyberspace, which is generally understood to be largely focused on generating finances for military endeavors. However, Microsoft noted this is the first time this specific group has developed custom ransomware.

That April attack targeted an unnamed defense technology company, Microsoft says, after Moonstone Sleet originally compromised the organization in December 2023 to steal credentials and intellectual property. The attackers lay in wait for months before using FakePenny to encrypt files and demand a ransom.

Compared with the NORK ransomware strains of days gone by, the monetary demands have now shot up. WannaCry was the work of Kim, and the strain shredded through organizations back in 2013, but its ransom demands were just a few hundred dollars a pop.

Likewise, another of North Korea's strains, the more recent H0lyGh0st of 2022, demanded loftier sums in the five- to low-six-figure range. Now, though, FakePenny demands sums more aligned with the commercial ransomware market: $6.6 million, Microsoft says.

It's the latest move from North Korea to extract funds from the economies of the US and its allies. It has been well publicized in recent years that the hermit nation is deploying IT experts, mainly based across Asia and especially in China, to apply for freelance or remote tech roles based in North America and Europe.

The US was able to nab a few of the culprits this month, including a US national accused of conspiring to help these overseas workers complete their job roles without arousing suspicion.

Christina Marie Chapman of Litchfield Park, Arizona, allegedly ran a laptop farm containing arrays of laptops that North Korean workers would remote into and carry out their US jobs from, so that their traffic came from an IP address that wouldn't raise any concerns with security solutions. The operation involved victims ranging from "iconic" American car manufacturers to major broadcasters.

Moonstone Sleet has also been spotted using similar tactics, applying for software development positions at "multiple legitimate companies", which Microsoft reckons could either be to generate revenue or gain initial access into organizations of interest.

On the other side of the job market, the group also has experience in setting up fake companies to build relationships with organizations of interest, especially those in the software development and higher education spaces.

These companies would often claim to provide services such as software development and other IT services including AI and blockchain. The goal is believed to be the same, though: to exploit targets for financial gain or to get initial access as a foothold for follow-on attacks.

"Moonstone Sleet's diverse set of tactics is notable not only because of their effectiveness but because of how they have evolved from those of several other North Korean threat actors over many years of activity to meet North Korean cyber objectives," Microsoft said.

"For example, North Korea has for many years maintained a cadre of remote IT workers to generate revenue in support of the country's objectives. Moonstone Sleet's pivot to conduct IT work within its campaigns indicates it may not only be helping with this strategic initiative, but possibly also expanding the use of remote IT workers beyond just financial gain. 

"Additionally, Moonstone Sleet's addition of ransomware to its playbook, like another North Korean threat actor, Onyx Sleet, may suggest it is expanding its set of capabilities to enable disruptive operations."

Microsoft also notes the overlapping nature of various aspects of its tradecraft. One of Moonstone Sleet's fake companies, for example, sent emails to target organizations inviting them to download a malicious video game the group developed themed around tanks.

In this separate campaign, Kim's attackers would message targets about the game while claiming to seek investment or development support. The group coupled these efforts with solid marketing, including a website and various social media accounts, which have since been suspended.
