The first known incident likely involving the ransomware family known as Maui occurred on April 15, 2021, and targeted an unnamed Japanese housing company.
The disclosure from Kaspersky comes a month after U.S. cybersecurity and intelligence agencies issued an advisory about the use of the ransomware strain by North Korean government-backed hackers to target the healthcare sector since at least May 2021.
Much of the information about its modus operandi came from incident response activities and industry analysis of a Maui sample, which revealed a lack of “several key features” typically associated with ransomware-as-a-service (RaaS) operations.
Not only is Maui designed to be manually executed by a remote actor via a command-line interface, it is also notable for not including a ransom note to provide recovery instructions.
Subsequently, the Justice Department announced the seizure of $500,000 worth of Bitcoin that had been extorted from several organizations, including two healthcare facilities in the U.S. states of Kansas and Colorado, using the ransomware strain.
While these attacks have been attributed to North Korean advanced persistent threat groups, the Russian cybersecurity firm has linked the cybercrime, with low to medium confidence, to a Lazarus subgroup known as Andariel, also called Operation Troy, Silent Chollima, and Stonefly.
“Approximately ten hours prior to deploying Maui to the initial target system [on April 15], the group deployed a variant of the well-known Dtrack malware to the target, preceded by 3proxy months earlier,” Kaspersky researchers Kurt Baumgartner and Seongsu Park stated.
Dtrack, also known as Valefor and Preft, is a remote access trojan used by the Stonefly group in its espionage attacks to exfiltrate sensitive information.
It’s worth noting that the backdoor, alongside 3proxy, was deployed by the threat actor against an engineering firm working in the energy and military sectors in February 2022 by exploiting the Log4Shell vulnerability.
“Stonefly specializes in mounting highly selective targeted attacks against targets that could yield intelligence to assist strategically important sectors such as energy, aerospace, and military equipment,” Symantec, a division of Broadcom Software, stated in April.
Furthermore, Kaspersky said that the Dtrack sample used in the Japanese Maui incident was also used to breach multiple victims in India, Vietnam, and Russia from December 2021 to February 2021.
“Our research suggests that the actor is rather opportunistic and could compromise any company around the world, regardless of their line of business, as long as it enjoys good financial standing,” the researchers stated.
This is not Andariel’s first tryst with ransomware as a means of generating revenue for the sanctions-hit nation. In June 2021, a South Korean entity was revealed to have been infected with file-encrypting malware following an elaborate multi-stage infection process that began with a weaponized Word document.
Then last month, Microsoft disclosed that an emerging threat cluster associated with Andariel has been using a ransomware strain known as H0lyGh0st in cyberattacks targeting small businesses since September 2021.