Suggestions

Moonstone Sleet: Korean star with dangerous software

June 14, 2024
by
1 min read

TLDR:

North Korean threat actors, such as Moonstone Sleet, are distributing malicious packages through the NPM registry to compromise supply chains. A new threat actor, Moonstone Sleet, has emerged with similar tactics. Microsoft has highlighted the emergence of Moonstone Sleet and their TTPs.

New Moonstone Sleet North Korean Actor Deploying Malicious Open Source Packages

In December 2023, North Korean threat actors, particularly Jade Sleet, were reported to be compromising supply chains through the open-source ecosystem by distributing malicious packages through the public npm registry. Moonstone Sleet, a new threat actor, has emerged with similar tactics, posing ongoing threats to the open-source software supply chain.

Key Findings:

  • Continued publication of malicious packages on NPM
  • Moonstone Sleet targeting open-source software with similar tactics to other North Korean groups
  • Microsoft highlighting the emergence of Moonstone Sleet and their TTPs

Malicious NPM Packages:

Moonstone Sleet distributes malware through malicious NPM packages on the public NPM registry, increasing the exposure of developers to potential compromise. The packages attributed to Jade Sleet and Moonstone Sleet exhibit distinct differences in code style and structure, reflecting varying strategies used by different threat groups.

Recent Developments:

Microsoft has identified Moonstone Sleet as a rising North Korean threat actor utilizing tactics resembling other state-sponsored actors. Moonstone Sleet has been spreading malicious packages through freelancing websites, LinkedIn, and the public npm registry, elevating the threat to a wider audience and showcasing evolving tactics.

Changes in Attack Flow:

In the second quarter of 2024, the complexity of malicious packages increased, with attackers adding obfuscation and targeting Linux systems as well. The ongoing publication of malicious packages underscores the persistent nature of North Korean threat actors’ campaign, emphasizing the importance of collaboration in the security community to identify and thwart these attacks.

Post Views: 104

Adrian Johnson

Latest from Blog

EU push for unified incident report rules

TLDR: The Federation of European Risk Management Associations (FERMA) is urging the EU to harmonize cyber incident reporting requirements ahead of new legislation. Upcoming legislation such as the NIS2 Directive, DORA, and