Analytics Story: MoonPeak

Description

Leverage searches that allow you to detect and investigate unusual activities linked to the MoonPeak malware, particularly focusing on command-and-control (C2) communications, data collection, file execution, and persistence mechanisms. Monitor network traffic for connections to known malicious IP addresses or domains associated with North Korean APT groups. Additionally, identify unexpected registry modifications and the presence of unauthorized binaries to uncover potential MoonPeak infections.

Why it matters

The MoonPeak malware is a sophisticated cyber threat attributed to North Korean advanced persistent threat (APT) groups. This malware is designed to infiltrate targeted systems, establish persistence, and communicate with command-and-control (C2) servers, enabling remote attackers to execute malicious activities. MoonPeak often evades detection by leveraging encryption and obfuscation techniques, making it challenging for traditional security measures to identify its presence. It primarily targets government entities, critical infrastructure, and organizations of strategic interest, with the ultimate goal of espionage, data exfiltration, and disruption of operations. Its evolving tactics highlight the growing complexity of nation-state cyber operations.

Detections

Name | Technique | Type
Allow Operation with Consent Admin | Abuse Elevation Control Mechanism | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Powershell Processing Stream Of Data | Command and Scripting Interpreter, PowerShell | TTP
Powershell Using memory As Backing Store | PowerShell, Command and Scripting Interpreter | TTP
PowerShell WebRequest Using Memory Stream | PowerShell, Ingress Tool Transfer, Fileless Storage | TTP
Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP
Recon Using WMI Class | Gather Victim Host Information, PowerShell | Anomaly
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP
Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP
SilentCleanup UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP
Suspicious Process File Path | Create or Modify System Process | TTP
Suspicious Scheduled Task from Public Directory | Scheduled Task, Scheduled Task/Job | Anomaly
Windows Credential Access From Browser Password Store | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome Extension Access | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly
Windows Scheduled Task Created Via XML | Scheduled Task, Scheduled Task/Job | TTP
Windows System Reboot CommandLine | System Shutdown/Reboot | Anomaly
Windows System Shutdown CommandLine | System Shutdown/Reboot | Anomaly
WSReset UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security

Source: GitHub | Version: 1