Experts Uncover Details on Maui Ransomware Attack by North Korean Hackers

Cyber Security

The first ever incident possibly involving the ransomware family known as Maui occurred on April 15, 2021, aimed at an unnamed Japanese housing company.

The disclosure from Kaspersky arrives a month after U.S. cybersecurity and intelligence agencies issued an advisory about the use of the ransomware strain by North Korean government-backed hackers to target the healthcare sector since at least May 2021.

Much of the data about its modus operandi came from incident response activities and industry analysis of a Maui sample that revealed a lack of “several key features” typically associated with ransomware-as-a-service (RaaS) operations.

Not only is Maui designed to be manually executed by a remote actor via a command-line interface, it’s also notable for not including a ransom note to provide recovery instructions.

Subsequently, the Justice Department announced the seizure of $500,000 worth of Bitcoin that were extorted from several organizations, including two healthcare facilities in the U.S. states of Kansas and Colorado, by using the ransomware strain.

While these attacks have been pinned on North Korean advanced persistent threat groups, the Russian cybersecurity firm has linked the cybercrime with low to medium confidence to a Lazarus subgroup known as Andariel, also known as Operation Troy, Silent Chollima, and Stonefly.

“Approximately ten hours prior to deploying Maui to the initial target system [on April 15], the group deployed a variant of the well-known Dtrack malware to the target, preceded by 3proxy months earlier,” Kaspersky researchers Kurt Baumgartner and Seongsu Park said.

Dtrack, also called Valefor and Preft, is a remote access trojan used by the Stonefly group in its espionage attacks to exfiltrate sensitive information.

It’s worth pointing out that the backdoor, alongside 3proxy, was deployed by the threat actor against an engineering firm that works in the energy and military sectors in February 2022 by exploiting the Log4Shell vulnerability.

“Stonefly specializes in mounting highly selective targeted attacks against targets that could yield intelligence to assist strategically important sectors such as energy, aerospace, and military equipment,” Symantec, a division of Broadcom Software, said in April.

Furthermore, Kaspersky said that the Dtrack sample used in the Japanese Maui incident was also used to breach multiple victims in India, Vietnam, and Russia from December 2021 to February 2021.

“Our research suggests that the actor is rather opportunistic and could compromise any company around the world, regardless of their line of business, as long as it enjoys good financial standing,” the researchers said.

This isn’t Andariel’s first tryst with ransomware as a means to reap monetary gains for the sanctions-hit nation. In June 2021, a South Korean entity was revealed to have been infected by file-encrypting malware following an elaborate multi-stage infection procedure that commenced with a weaponized Word document.

Then last month, Microsoft disclosed that an emerging threat cluster associated with Andariel has been using a ransomware strain known as H0lyGh0st in cyberattacks targeting small businesses since September 2021.