Kaspersky experts have uncovered new attacks by Andariel, an advanced persistent threat (APT) subgroup of Lazarus, known for its campaigns in South Korea. The attacks involved modifications of the well-known malware, DTrack, as well as the use of a brand-new Maui ransomware. They targeted high-profile organizations in the USA, Japan, India, Vietnam and Russia.
Andariel has operated for over a decade within infamous Lazarus group, and Kaspersky researchers identified an interesting incident in Japan involving a never-before-seen Maui ransomware. However, in 2022, the group continued expanding its malware arsenal and the geography of its attacks. As CISA reported in July 2022, Andariel affected public and healthcare organizations with the Maui ransomware. Following their research, Kaspersky experts have revealed a thorough analysis of the APT group.
It shows that Andariel deploys a well-known DTrack malware, which executes an embedded shellcode, loading a final Windows in-memory payload. According to Kaspersky Threat Attribution Engine, this spyware was reportedly created by the Lazarus Group and is being used to upload and download files to victims’ systems, record keystrokes and conduct other actions typical of a malicious remote administration tool (RAT). DTrack collects system information and browser history via Windows commands. Interestingly, dwell time within target networks can last for months prior to activity.
The novel malware used by Andariel in 2021 and 2022 has been dubbed Maui ransomware. Kaspersky experts identified its launch after DTrack was deployed within an organization. Maui has been employed for attacks on multiple occasions, primarily targeting companies in the USA and Japan. Kaspersky researchers have assessed that the actor is opportunistic and may compromise any company around the world regardless of their category of business, instead focusing on their good financial standing.
“We’ve been tracking of the Andariel APT group for years, and see that their attacks are constantly evolving. What requires special attention is that the group has started deploying ransomware on a global scale, demonstrating ongoing financial motivations and interest,”’ comments Kurt Baumgartner, a security expert at Kaspersky.
