New North Korean attacker group fakes tank games

Microsoft has identified a novel North Korean state-sponsored attacker group, Moonstone Sleet, which targets organizations for financial and espionage goals.

Formerly known as Storm-1798, Moonstone Sleet has outgrown its links with another North Korean attacker group, Diamond Sleet, and can be classified as a separate entity, Microsoft security researchers believe.

“While Moonstone Sleet initially had overlaps with Diamond Sleet, the threat actor has since shifted to its own infrastructure and attacks, establishing itself as a distinct, well-resourced North Korean threat actor,” reads Microsoft’s report.

The US tech behemoth asses that the novel group combines “tried-and-true techniques” with unique attack methods.

For example, Moonstone Sleet sets up fake companies and job offers to lure victims into its trap. At the same time, attackers utilize infected versions of legitimate tools, develop malicious games, and deploy custom-made ransomware.

“Moonstone Sleet has an expansive set of operations supporting its financial and cyber espionage objectives. These range from deploying custom ransomware to creating a malicious game, setting up fake companies, and using IT workers,” researchers said.

According to Microsoft, attackers have been targeting victims via a malicious tank game DeTankWar. Victims were approached via messaging platforms and email, with attackers claiming to represent a game developer on the lookout for talent.

Moonstone Sleet went as far as to launch a public campaign with a dedicated website and several X accounts for fake personas it used to target victims.

“Moonstone Sleet used a fake company called C.C. Waterfall to contact targets. The email presented the game as a blockchain-related project and offered the target the opportunity to collaborate, with a link to download the game included in the body of the message,” the report said.

Once victims took the bait, hackers would send them a supposed game installation file loaded with malicious DLLs. Once deployed, the malicious payload creates services that perform various functions, such as network and user discovery.

Besides C.C. Waterfall, Moonstone Sleet set up other fake companies, such as StarGlow Ventures. Other attacks included hackers targeting companies with custom-made FakePenny ransomware.

Microsoft believes that the primary targets of North Korean hackers were software companies and developers and organizations in the aerospace industry.

The North Korean regime supports cybercrime. It allegedly has around 6,000 hackers operating in over 150 countries. Ten percent of North Korea’s GDP comes from cybercrime – specifically, fraud, theft, and ransomware.

According to a report from South Korea's primary intelligence agency, hackers affiliated with the North Korean government stole $1.2 billion worth of cryptocurrency last year.