Try in Splunk Security Cloud
Description
Leverage searches that allow you to detect and investigate unusual activities linked to the MoonPeak malware, particularly focusing on command-and-control (C2) communications, data collection, file execution, and persistence mechanisms. Monitor network traffic for connections to known malicious IP addresses or domains associated with North Korean APT groups. Additionally, identify unexpected registry modifications and the presence of unauthorized binaries to uncover potential MoonPeak infections.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2024-08-21
- Author: Teoderick Contreras, Splunk
- ID: b32c2bb4-ddb0-402f-a05d-9eae0ef4007a
Narrative
The MoonPeak malware is a sophisticated cyber threat attributed to North Korean advanced persistent threat (APT) groups. This malware is designed to infiltrate targeted systems, establish persistence, and communicate with command-and-control (C2) servers, enabling remote attackers to execute malicious activities. MoonPeak often evades detection by leveraging encryption and obfuscation techniques, making it challenging for traditional security measures to identify its presence. It primarily targets government entities, critical infrastructure, and organizations of strategic interest, with the ultimate goal of espionage, data exfiltration, and disruption of operations. Its evolving tactics highlight the growing complexity of nation-state cyber operations.
Detections
| Name |
Technique |
Type |
| Allow Operation with Consent Admin |
Abuse Elevation Control Mechanism |
TTP |
| Executables Or Script Creation In Suspicious Path |
Masquerading |
Anomaly |
| PowerShell WebRequest Using Memory Stream |
PowerShell, Ingress Tool Transfer, Fileless Storage |
TTP |
| Powershell Processing Stream Of Data |
Command and Scripting Interpreter, PowerShell |
TTP |
| Powershell Using memory As Backing Store |
PowerShell, Command and Scripting Interpreter |
TTP |
| Recon AVProduct Through Pwh or WMI |
Gather Victim Host Information |
TTP |
| Recon Using WMI Class |
Gather Victim Host Information, PowerShell |
Anomaly |
| Registry Keys Used For Persistence |
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution |
TTP |
| Scheduled Task Deleted Or Created via CMD |
Scheduled Task, Scheduled Task/Job |
TTP |
| SilentCleanup UAC Bypass |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
| Suspicious Process File Path |
Create or Modify System Process |
TTP |
| Suspicious Scheduled Task from Public Directory |
Scheduled Task, Scheduled Task/Job |
Anomaly |
| WSReset UAC Bypass |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
| Windows Credential Access From Browser Password Store |
Query Registry |
Anomaly |
| Windows Credentials from Password Stores Chrome Extension Access |
Query Registry |
Anomaly |
| Windows Credentials from Password Stores Chrome LocalState Access |
Query Registry |
Anomaly |
| Windows Credentials from Password Stores Chrome Login Data Access |
Query Registry |
Anomaly |
| Windows Scheduled Task Created Via XML |
Scheduled Task, Scheduled Task/Job |
TTP |
| Windows System Reboot CommandLine |
System Shutdown/Reboot |
Anomaly |
| Windows System Shutdown CommandLine |
System Shutdown/Reboot |
Anomaly |
Reference
source | version: 1