Happy Wednesday!

Taking time to read another great article from Cisco Talos, this time focused on North Korean actors using the MoonPeak malware, a new remote access trojan (RAT) that appears to be under development. This report covers a LOT of information about the Command and Control (C2) traffic and infrastructure.

Looking at the report, there are a lot of ways you can handle hunting for this threat, but the best approach I would take is an unstructured hunt first. The report mentions non-standard ports being used (with some standard ones as well). Without directly hunting for port 8936 or 9936, you can start to see what is normal in your environment: which ports appear the most in the data and can be tied to a legitimate process? Exclude those and start seeing what else you can find. Work through this “rinse-and-repeat” method to reduce the noise by removing the “normal” and then see what is left! It should be abnormal or just strange business processes! Enjoy and Happy Hunting!
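To make the “rinse-and-repeat” idea concrete, here is an added example (my own illustration, not code from the post or from the Talos report) that stacks outbound connections by destination port and owning process, then peels off the pairs an analyst has already tied to a legitimate process, pass by pass. The event sample is constructed; the process names and the two exclusion passes are assumptions for the demo.

```python
"""Unstructured port stacking with iterative exclusion of known-good pairs."""
from collections import Counter

# Constructed sample of outbound connection events as (dst_port, process_name).
# Counts and process names are made up for the demo; 8936/9936 are the
# non-standard ports the Talos report mentions.
SAMPLE_EVENTS = (
    [(443, "chrome.exe")] * 40
    + [(443, "outlook.exe")] * 12
    + [(53, "svchost.exe")] * 25
    + [(445, "System")] * 8
    + [(8936, "update.exe")] * 2   # rare pair on a report-named port
    + [(9936, "update.exe")] * 1
    + [(8080, "java.exe")] * 5     # odd but possibly a real business process
)


def stack_ports(events):
    """Count how often each (port, process) pair appears, most common first."""
    return Counter(events).most_common()


def prune(stacked, known_good):
    """Drop pairs already accepted as legitimate in an earlier pass.

    known_good is a set of (port, process) pairs the analyst has explained."""
    return [(pair, n) for pair, n in stacked if pair not in known_good]


def hunt(events, passes):
    """Apply each exclusion pass in turn and return what is left to look at."""
    remaining = stack_ports(events)
    for known_good in passes:
        remaining = prune(remaining, known_good)
    return remaining


if __name__ == "__main__":
    passes = [
        {(443, "chrome.exe"), (53, "svchost.exe")},   # pass 1: obvious baseline
        {(443, "outlook.exe"), (445, "System")},      # pass 2: confirmed with IT
    ]
    # What survives the passes is the short list to investigate: the rarest
    # pairs (here update.exe on 8936 and 9936) end up at the bottom.
    for (port, proc), count in hunt(SAMPLE_EVENTS, passes):
        print(f"{port:>5}  {proc:<12} {count}")
```

In a real hunt the events would come from Zeek conn logs or EDR network telemetry, and each pass would be whatever the analyst managed to explain since the previous one.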

MoonPeak malware from North Korean actors unveils new details on attacker infrastructure
https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #HappyHunting #readoftheday