2024-08-21 MOONPEAK malware from North Korean UAT-5394 Samples
2024-09-02 • Contagio •
https://contagiodump.blogspot.com/2024/09/2024-08-21-moonpeak-malware-from-north.html
Cisco Talos identified MoonPeak as a new RAT family derived from the open-source XenoRAT codebase and attributed its development to North Korean state-sponsored group UAT-5394. The campaign shows UAT-5394 moving from cloud-service reliance toward actor-controlled infrastructure, including MoonPeak C2 at 95.164.86.148 on port 9999. Another server, 167.88.173.173, was used to compile MoonPeak v2 and communicate with C2s over ports 9966 and 8936, while 45.87.153.79 and 45.95.11.52 were used as test VMs to validate infections. MoonPeak changes the XenoRAT client namespace to "cmdline," limiting compatibility with stock XenoRAT servers and helping keep implants tied to the custom MoonPeak infrastructure.
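The network indicators above (the IPv4 addresses and the C2 ports 9999, 9966 and 8936) are the easiest ones to hunt for in existing telemetry. The following Python example, added here and not part of the original Contagio post or the Talos report, scans flow-log lines for connections to those addresses and grades each hit: a match on both a listed address and a listed port is reported as high confidence, while a match on the address alone (the page does not tie every port to every host) is reported as medium confidence so an analyst can triage it rather than discard it. The log format and the sample lines are constructed for the example; the only values taken from the page are the addresses, the ports and their roles.

```python
import re
from dataclasses import dataclass

# IPv4 indicators and roles as stated on the page.
MOONPEAK_IPS = {
    "95.164.86.148": "MoonPeak C2",
    "167.88.173.173": "MoonPeak v2 build/staging server",
    "45.87.153.79": "UAT-5394 test VM",
    "45.95.11.52": "UAT-5394 test VM",
}

# Ports the page associates with MoonPeak C2 communication.
MOONPEAK_PORTS = {9999, 9966, 8936}

# Constructed flow-log format for this example: "src=<ip> dst=<ip> dport=<port>".
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


@dataclass(frozen=True)
class Match:
    line_no: int
    src: str
    dst: str
    dport: int
    label: str
    confidence: str


def scan_flow_logs(lines):
    """Return one Match per log line whose destination is a listed indicator.

    Lines that do not parse are skipped rather than treated as errors, since
    real flow exports routinely contain headers and malformed records.
    """
    matches = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_RE.search(line)
        if m is None:
            continue
        dst = m.group("dst")
        label = MOONPEAK_IPS.get(dst)
        if label is None:
            continue
        dport = int(m.group("dport"))
        # Address plus a known C2 port is a strong signal; address alone is
        # still worth a ticket because the hosts are attacker-controlled.
        confidence = "high" if dport in MOONPEAK_PORTS else "medium"
        matches.append(Match(line_no, m.group("src"), dst, dport, label, confidence))
    return matches


# Constructed sample input: two C2-port hits, one address-only hit, one benign
# connection and one unparsable line.
SAMPLE_LOGS = [
    "2024-08-22T10:15:03Z src=10.0.0.5 dst=95.164.86.148 dport=9999 proto=tcp",
    "2024-08-22T10:15:09Z src=10.0.0.7 dst=142.250.72.14 dport=443 proto=tcp",
    "2024-08-22T10:16:41Z src=10.0.0.9 dst=167.88.173.173 dport=8936 proto=tcp",
    "2024-08-22T10:17:02Z src=10.0.0.12 dst=45.87.153.79 dport=443 proto=tcp",
    "collector restarted, buffer flushed",
]


if __name__ == "__main__":
    for hit in scan_flow_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.src} -> {hit.dst}:{hit.dport} "
              f"[{hit.label}] confidence={hit.confidence}")
```

In practice the indicator table would be loaded from a feed rather than hard-coded, and any hit should be correlated with the process that opened the connection, since the page notes that MoonPeak's altered "cmdline" namespace ties implants to this custom infrastructure rather than to stock XenoRAT servers.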
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 148c69a7a1e06dc06e52db5c3f5895d… | 2024-08-21 | 2024-09-02 |
| HASH | 3e39fc595db9db1706828b079116144… | 2024-08-21 | 2024-09-02 |
| HASH | 27202534cc03a398308475146f6710b… | 2024-08-21 | 2024-09-02 |
| HASH | 4108c5096a62c0a6664eed781c39bb0… | 2024-08-21 | 2024-09-02 |
| HASH | b8233fe9e903ca08b9b1836fe6197e7… | 2024-08-21 | 2024-09-02 |
| HASH | 0b8897103135d92b89a83093f00d1da… | 2024-08-21 | 2024-09-02 |
| HASH | f4aa4c6942a87087530494cba770a1d… | 2024-08-21 | 2024-09-02 |
| HASH | facf3b40a2b99cc15eee7b7aee3b36a… | 2024-08-21 | 2024-09-02 |
| HASH | 4599a9421e83fb0e2c005e5d9ac1713… | 2024-08-21 | 2024-09-02 |
| HASH | 2b35ef3080dcc13e2d907f681443f3f… | 2024-08-21 | 2024-09-02 |
| HASH | 44e492d5b9c48c1df7ef5e0fe9a732f… | 2024-08-21 | 2024-09-02 |
| HASH | 458641936e2b41c425161a9b892d2aa… | 2024-08-21 | 2024-09-02 |
| HASH | 15eee641978ac318dabc397d9c39fb4… | 2024-08-21 | 2024-09-02 |
| HASH | 58fdc1b6ce4744d6331f8e2efc4652d… | 2024-08-21 | 2024-09-02 |
| HASH | 97ba8d30cf8393c39f61f7e63266914… | 2024-08-21 | 2024-09-02 |
| HASH | a80a35649f638049244a06dd4fb6eca… | 2024-08-21 | 2024-09-02 |
| HASH | 6bf8a19deb443bde013678f3ff83ab9… | 2024-08-21 | 2024-09-02 |
| HASH | 6a3839788c0dafe591718a3fb6316d1… | 2024-08-21 | 2024-09-02 |
| HASH | 8a4fbcdec5c08e6324e3142f8b8c41d… | 2024-08-21 | 2024-09-02 |
| HASH | 1ad43ddfce147c1ec71b37011d522c1… | 2024-08-21 | 2024-09-02 |
| HASH | 72a25d959d12e3efe9604aee4b1e7e4… | 2024-08-21 | 2024-09-02 |
| IPv4 | 95.164.86.148 | 2024-08-21 | 2024-09-02 |
| IPv4 | 45.87.153.79 | 2024-08-21 | 2024-09-02 |
| IPv4 | 45.95.11.52 | 2024-08-21 | 2024-09-02 |
| IPv4 | 167.88.173.173 | 2024-08-21 | 2024-09-02 |