Maui ransomware operation linked to North Korean 'Andariel' hackers

The Maui ransomware operation has been linked to the North Korean state-sponsored hacking group 'Andariel,' known for using malicious cyber activities to generate revenue and causing discord in South Korea.

State-sponsored North Korean hackers are notorious for orchestrating campaigns with financial motives, so running their own ransomware operation matches their overall strategic goals.

The link between Maui and Andariel was made by researchers at Kaspersky, who attribute it with medium confidence.

Andariel has been linked to ransomware attacks in the recent past, targeting South Korean companies in media, construction, manufacturing, and network services.

Andariel and Maui

Andariel (aka Stonefly) has been linked to cyberattacks to perform espionage, data theft, data wiping, and operations to raise revenue for the North Korean government.

The group has been operating since at least 2015, targeting state, government, and army organizations and financial service providers.

Last month, Andariel was among the DPRK-backed hacking groups the U.S. State Department announced rewards of up to $10 million for information about the operators.

Maui ransomware started attacks in April 2021 (based on build timestamps), maintaining an apparent focus on healthcare organizations in the United States.

The FBI and CISA have previously issued warnings about the Maui ransomware, sharing indicators of compromise that pointed to North Korean threat actors.

The law enforcement agencies in the U.S. continued to track Maui and recently managed to recover $500,000 of ransoms paid by hospitals to the ransomware gang.

Connecting the dots

Kaspersky's latest report builds upon the previous revelations and presents evidence of an earlier Maui attack against a Japanese housing company and subsequent unattributed attacks in India, Russia, and Vietnam.

According to Kaspersky, the Japanese victim was hit by the DTrack malware mere hours before encryption, while subsequent log analysis revealed the presence of the "3Proxy" tool in the firm's network months earlier.

DTrack (also known as Preft) is a modular malware specializing in data theft and HTTP exfiltration via Windows commands. 3Proxy is a free open-source proxy server utility observed in various Andariel past campaigns.

The particular DTrack variant used in the attacks against the Japanese, Russian, Indian, and Vietnamese firms features a code similarity of 84% to samples directly linked to previous Andariel operations.

The malware used against the Japanese firm employed the same shellcode reported in a 2021 Symantec writeup that analyzed an Andariel campaign.

Additionally, the initial network compromise methods noticed in these attacks also feature typical Andariel characteristics, like exploiting vulnerable Weblogic servers (CVE-2017-10271). Kaspersky notes that its analysts have seen identical exploits and methods of compromise used by Andariel in mid-2019.

While the above isn't enough for concrete attribution, the APT and the ransomware operation appear to have a connection, which could help with early detection and prevention.