Researchers Uncover Details on Maui Ransomware Attack by North Korean Hackers


The first known incident possibly involving the ransomware family known as Maui occurred on April 15, 2021, and was aimed at an unnamed Japanese housing company.

The disclosure from Kaspersky arrives a month after U.S. cybersecurity and intelligence agencies issued an advisory about the use of the ransomware strain by North Korean government-backed hackers to target the healthcare sector since at least May 2021.

Much of the information about its modus operandi came from incident response activities and industry analysis of a Maui sample, which revealed a lack of "several key features" typically associated with ransomware-as-a-service (RaaS) operations.

Not only is Maui designed to be manually executed by a remote operator via a command-line interface, it is also notable for not including a ransom note with recovery instructions. Both traits point to a hands-on-keyboard intrusion rather than an affiliate-driven RaaS deployment.

Subsequently, the Justice Department announced the seizure of $500,000 worth of Bitcoin that had been extorted from several organizations, including two healthcare facilities in the U.S. states of Kansas and Colorado, using the ransomware strain.

While these attacks have been pinned on North Korean advanced persistent threat groups, the Russian cybersecurity firm has linked the activity with low to medium confidence to a Lazarus subgroup known as Andariel, also tracked as Operation Troy, Silent Chollima, and Stonefly.

"Approximately ten hours prior to deploying Maui to the initial target system [on April 15], the group deployed a variant of the well-known Dtrack malware to the target, preceded by 3proxy months earlier," Kaspersky researchers Kurt Baumgartner and Seongsu Park said.

Dtrack, also known as Valefor and Preft, is a remote access trojan used by the Stonefly group in its espionage attacks to exfiltrate sensitive information.


It is worth pointing out that the same backdoor, alongside 3proxy, was deployed by the threat actor against an engineering firm that works in the energy and military sectors in February 2022, with initial access gained by exploiting the Log4Shell vulnerability.

"Stonefly specializes in mounting highly selective targeted attacks against targets that could yield intelligence to assist strategically important sectors such as energy, aerospace, and military equipment," Symantec, a division of Broadcom Software, said in April.

Additionally, Kaspersky said that the Dtrack sample used in the Japanese Maui incident was also used to breach multiple victims in India, Vietnam, and Russia from December 2020 to February 2021.

"Our research suggests that the actor is rather opportunistic and could compromise any company around the world, regardless of their line of business, as long as it enjoys good financial standing," the researchers said.

This is not Andariel's first use of ransomware as a means to generate revenue for the sanctions-hit nation. In June 2021, a South Korean entity was revealed to have been infected by file-encrypting malware following an elaborate multi-stage infection chain that began with a weaponized Word document.

Then last month, Microsoft disclosed that an emerging threat cluster associated with Andariel has been using a ransomware strain known as H0lyGh0st in cyberattacks targeting small businesses since September 2021.
