A North Korean state-sponsored hacking group, Andariel, has been linked with the Maui ransomware operation. The group is working for financial gains, as well as causing disruption in South Korea.

Maui and Andariel connection

Researchers from Kaspersky have observed the TTPs used in a Maui ransomware incident and found it similar to past Andariel (aka Stonefly/Silent Chollima) activity.
  • Both used genuine proxy and tunneling tools after initial infection or to maintain access, and used Powershell scripts along with Bitsadmin to download more threats.
  • Similar use of exploits was observed to target known yet unpatched flaws in public services. For example, WebLogic server and HFS.
  • They exclusively deployed DTrack, (aka Preft), and then time spent inside victim networks lasted for months before any activity.
  • Further, the attackers had deployed ransomware worldwide, implying their ongoing financial motivations and interest.

Recently, the FBI issued warnings regarding Maui ransomware and shared IoCs pointing fingers at North Korean threat actors.

Use of DTrack and 3Proxy

In another attack by Andariel, a Japanese victim was hit using the DTrack malware just hours before encryption. Log analysis further disclosed the existence and use of the 3Proxy tool in the firm's network months prior.
  • DTrack is a modular malware used in data theft and HTTP exfiltration using Windows commands. 3Proxy is an open-source proxy server utility used in multiple Andariel campaigns.
  • The attackers used Maui ransomware to encrypt servers in healthcare services, such as electronic health records, diagnostics services, imaging services, and intranet services.

The DTrack variant used in the attacks against Japanese, Russian, Indian, and Vietnamese firms had 84% code similarity to samples directly linked with previous operations by Andariel.

Conclusion

The Maui ransomware operation apparently has a connection with Andariel. Thus, using the provided IoCs can be helpful in real-time detection and prevention. Organizations should leverage threat intel services to quickly identify TTPs and get suggestions on the best workaround against such threats.
Cyware Publisher

Publisher

Cyware