The primary ever incident probably involving the ransomware household generally known as Maui occurred on April 15, 2021, geared toward an unnamed Japanese housing firm.
The disclosure from Kaspersky arrives a month after U.S. cybersecurity and intelligence companies issued an advisory about using the ransomware pressure by North Korean government-backed hackers to focus on the healthcare sector since no less than Could 2021.
A lot of the information about its modus operandi got here from incident response actions and trade evaluation of a Maui pattern that exposed a scarcity of “a number of key options” sometimes related to ransomware-as-a-service (RaaS) operations.
Not solely is Maui designed to be manually executed by a distant actor through a command-line interface, it is also notable for not together with a ransom be aware to supply restoration directions.
Subsequently, the Justice Division introduced the seizure of $500,000 value of Bitcoin that have been extorted from a number of organizations, together with two healthcare amenities within the U.S. states of Kansas and Colorado, by utilizing the ransomware pressure.
Whereas these assaults have been pinned on North Korean superior persistent risk teams, the Russian cybersecurity agency has linked the cybercrime with low to medium confidence to a Lazarus subgroup generally known as Andariel, also called Operation Troy, Silent Chollima, and Stonefly.
“Roughly ten hours previous to deploying Maui to the preliminary goal system [on April 15], the group deployed a variant of the well-known Dtrack malware to the goal, preceded by 3proxy months earlier,” Kaspersky researchers Kurt Baumgartner and Seongsu Park mentioned.
Dtrack, additionally referred to as Valefor and Preft, is a distant entry trojan utilized by the Stonefly group in its espionage assaults to exfiltrate delicate data.
It is value declaring that the backdoor, alongside 3proxy, was deployed by the risk actor in opposition to an engineering agency that works within the power and navy sectors in February 2022 by exploiting the Log4Shell vulnerability.
“Stonefly focuses on mounting extremely selective focused assaults in opposition to targets that might yield intelligence to help strategically essential sectors equivalent to power, aerospace, and navy gear,” Symantec, a division of Broadcom Software program, mentioned in April.
Moreover, Kaspersky mentioned that the Dtrack pattern used within the Japanese Maui incident was additionally used to breach a number of victims in India, Vietnam, and Russia from December 2021 to February 2021.
“Our analysis means that the actor is moderately opportunistic and will compromise any firm world wide, no matter their line of enterprise, so long as it enjoys good monetary standing,” the researchers mentioned.
This is not Andariel’s first tryst with ransomware as a method to reap financial good points for the sanctions-hit nation. In June 2021, a South Korean entity was revealed to have been contaminated by file-encrypting malware following an elaborate multi-stage an infection process that commenced with a weaponized Phrase doc.
Then final month, Microsoft disclosed that an rising risk cluster related to Andariel has been utilizing a ransomware pressure generally known as H0lyGh0st in cyberattacks focusing on small companies since September 2021.
