Experts linked Maui ransomware to North Korean Andariel APT

Cybersecurity researchers from Kaspersky linked the Maui ransomware to the North Korea-backed Andariel APT group.

Kaspersky linked with medium confidence the Maui ransomware operation to the North Korea-backed APT group Andariel, which is considered a division of the Lazarus APT Group, 

North Korean nation-state actors used Maui ransomware to encrypt servers providing healthcare services, including electronic health records services, diagnostics services, imaging services, and intranet services.

Kaspersky experts noticed that approximately ten hours prior to deploying Maui ransomware to the initial target system, the threat actors deployed a variant of the well-known DTrack malware to the target preceded by 3proxy months earlier. Both malicious codes are recognized as part of Andariel’s arsenal.

Kaspersky experts discovered that the DTrack variant employed in the attacks against the Japanese, Russian, Indian, and Vietnamese companies has a code similarity of 84% to samples used in cyberespionage campaigns attributed to the Andariel APT.

The Andariel APT (aka Stonefly) has been active since at least 2015, it was involved in several attacks attributed to the North Korean government.

The researchers speculate the threat actor is rather opportunistic and could potentially target any company around the world with good financial standing and with vulnerable Internet-exposed web services.

“Based on the modus operandi of this attack, we conclude that the actor’s TTPs behind the Maui ransomware incident is remarkably similar to past Andariel/Stonefly/Silent Chollima activity:

• Using legitimate proxy and tunneling tools after initial infection or deploying them to maintain access, and using Powershell scripts and Bitsadmin to download additional malware;
• Using exploits to target known but unpatched vulnerable public services, such as WebLogic and HFS;
• Exclusively deploying DTrack, also known as Preft;
• Dwell time within target networks can last for months prior to activity;
• Deploying ransomware on a global scale, demonstrating ongoing financial motivations and scale of interest“

In April 2020, the U.S. Departments of State, the Treasury, and Homeland Security, and the Federal Bureau of Investigation released a joint advisory that is warning organizations worldwide about the ‘significant cyber threat’ posed by the North Korean nation-state actors to the global banking and financial institutions.

At the time, the U.S. government also offered a monetary reward of up to $5 million to anyone who can provide ‘information about the activities carried out by North Korea-linked APT groups. The authorities will also pay for information about past hacking campaigns.

In July, the U.S. State Department increased the rewards to $10 million.

People that have information on any individuals associated with the North Korea-linked APT groups (such as Andariel, APT38, Bluenoroff, Guardians of Peace, Kimsuky, or Lazarus Group) and who are involved in targeting U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act, may be eligible for a reward.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Maui ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]