MoonWind is a remote access trojan (RAT) used in attacks from late September to early November 2016, primarily against organizations in Thailand, including a utility organization. During the initial attacks the malware was hosted as RAR archives; by November it was hosted as executables. The attacks were characterized by the concurrent use of two RATs, the Trochilus RAT and MoonWind: both were hosted on the same compromised sites and used against the same organization at the same time.
The MoonWind sample used for analysis was compiled with a Chinese compiler known as BlackMoon, which has also been used to build the BlackMoon banking Trojan. This sample, however, differed significantly from the BlackMoon banking Trojan, so researchers named it MoonWind, combining the BlackMoon compiler artifacts with a string embedded in the sample. Once installed, MoonWind gathers information about the host and enters its command-and-control loop, reaching out to the servers and ports specified in the configuration embedded in the svcohos.exe file.
MoonWind supports an extensive command set, accepting a total of 73 distinct instructions. Its network packets, including the data it returns to the C2 server, are encrypted with a static key. Because the key is static, the traffic can be decrypted once the key is recovered from a sample, and the decrypted data sent by MoonWind provides insight into its operations, including its C2 configuration. The MoonWind attacks represent a significant threat because of their targeted nature, the sophistication of the malware, and the potential for damage or disruption to the affected organizations.
Description last updated: 2024-05-04T22:38:56.966Z