MoonPeak malware from North Korean actors unveils new details on attacker infrastructure
Contents
- Cisco Talos is exposing infrastructure we assess with high confidence is being used by a state-sponsored North Korean nexus of threat actors we track as “UAT-5394,” including for staging, command and control (C2) servers, and test machines the threat actors use to test their implants.
- Our analysis of the threat actor’s infrastructure indicates they pivoted across C2s and staging servers to set up new infrastructure and modify existing servers.
- This campaign consists of distributing a variant of the open-source XenoRAT malware we're calling “MoonPeak,” a remote access trojan (RAT) being actively developed by the threat actor.
- Analysis of XenoRAT against MoonPeak malware samples we’ve discovered so far illustrates the evolution of the malware family after it was forked by the threat actors.
Cisco Talos has uncovered a new remote access trojan (RAT) family we are calling “MoonPeak.” This is a XenoRAT-based malware, which is under active development by a North Korean …
IoC