Threat Intelligence, Malware

Novel MoonPeak RAT leveraged by North Korean hackers


Attacks with the new MoonPeak remote access trojan, a variant of the XenoRAT malware, have been launched by North Korean state-backed threat operation UAT-5394, reports The Hacker News.

UAT-5394, which has been suspected to be Kimsuky, a subgroup of Kimsuky, or a separate operation using Kimsuky's toolkit, set up updated test virtual machines, payload-hosting sites, and command-and-control servers to support the development of new MoonPeak variants during the campaign, according to a Cisco Talos analysis. Researchers also observed more advanced anti-analysis techniques and changes to the communication mechanism with each successive MoonPeak iteration. "The timelines of the consistent adoption of new malware and its evolution such as in the case of MoonPeak highlight that UAT-5394 continues to add and enhance more tooling into their arsenal. The rapid pace of establishing new supporting infrastructure by UAT-5394 indicates that the group is aiming to rapidly proliferate this campaign and set up more drop points and C2 servers," said researchers.
