Lazarus subgroup Andariel expands its attacks with new ransomware

Woburn, MA – August 9, 2022 – Kaspersky experts have uncovered new attacks by Andariel, an advanced persistent threat (APT) subgroup of Lazarus, known for its campaigns in South Korea. The attacks involved modifications of the well-known malware, DTrack, as well as the use of the brand-new Maui ransomware. They targeted high-profile organizations in the U.S., Japan, India, Vietnam and Russia.

Andariel has operated for over a decade within the infamous Lazarus group. Kaspersky researchers had previously identified an interesting incident in Japan involving the never-before-seen Maui ransomware, however, in 2022, the group continued expanding its malware arsenal and the geography of its attacks. As CISA reported in July 2022, Andariel affected public and healthcare organizations with the Maui ransomware. Following their research of the activity, Kaspersky experts have revealed a thorough analysis of the APT group.

The research found that Andariel deploys a well-known DTrack malware, which executes an embedded shellcode, loading a final Windows in-memory payload. According to Kaspersky Threat Attribution Engine, this spyware was reportedly created by the Lazarus Group and is used to upload and download files to victims’ systems, record keystrokes and conduct other actions typical of a malicious remote administration tool (RAT). DTrack collects system information and browser history via Windows commands. Interestingly, dwell time within target networks can last for months prior to activity.

The novel malware used by Andariel in 2021 and 2022 has been dubbed Maui ransomware. Kaspersky experts identified its launch after DTrack was deployed within an organization. Maui has been employed for attacks on multiple occasions, primarily targeting companies in the U.S. and Japan. Kaspersky researchers have assessed that the actor is opportunistic and may compromise any company around the world, regardless of their category of business, instead focusing on their good financial standing.

“We’ve been tracking of the Andariel APT group for years, and see that their attacks are constantly evolving,” said Kurt Baumgartner, security expert at Kaspersky. “What requires special attention is that the group has started deploying ransomware on a global scale, demonstrating ongoing financial motivations and interest.”

To learn more about Maui ransomware and other malware used by Andariel, read the report on Securelist.com.

To protect yourself and your business from ransomware attacks, consider following these recommendations:

• Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary and always use strong passwords for them.
• Promptly install available patches for commercial VPN solutions, providing access for remote employees and acting as gateways in your network.
• Always keep software updated on all the devices you use to prevent ransomware from exploiting vulnerabilities.
• Focus your defense strategy on detecting lateral movements and data exfiltration to the Internet. Pay special attention to outgoing traffic to detect cybercriminals' connections.
• Back up data regularly. Make sure you can quickly access it in an emergency when needed. 
• Use solutions like Kaspersky Endpoint Detection and Response Expert and Kaspersky Managed Detection and Response service, which help identify and stop attacks during the early stages, before attackers reach their final goals.
• Educate your employees to protect the corporate environment. Dedicated training courses can help, such as the ones provided in the Kaspersky Automated Security Awareness Platform.
• Use a reliable endpoint security solution, such as Kaspersky Endpoint Security for Business, that is powered by exploit prevention, behavior detection and a remediation engine that is able to roll back malicious actions. KESB also has self-defense mechanisms, which can prevent its removal by cybercriminals.
• Use the latest Threat Intelligence information to stay aware of actual TTPs used by threat actors. The Kaspersky Threat Intelligence Portal is a single point of access for Kaspersky’s TI, providing cyberattack data and insights gathered by our team for almost 25 years. To help businesses enable effective defenses in these turbulent times, Kaspersky has announced access to independent, continuously updated and globally sourced information on ongoing cyberattacks and threats, at no charge. Request access to this offer here.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Media Contact

Sawyer Van Horn

sawyer.vanhorn@Kaspersky.com

(781) 503-1866