Cybersecurity researchers from Kaspersky have published a new advisory providing additional technical details and attribution findings regarding the Maui ransomware incident unveiled by the Cybersecurity and Infrastructure Security Agency (CISA) in July.
The report also extends CISA’s “first seen” date from May 2021 to April 15 2021, and the geolocation of the target to other countries, including Japan, India, Vietnam and Russia.
“Because the malware in this early incident was compiled on April 15th, 2021, and compilation dates are the same for all known samples, this incident is possibly the first ever involving the Maui ransomware,” Kaspersky wrote.
Additionally, the security experts said that while CISA did not provide “useful information” that would link the ransomware to a North Korean actor in its advisory, Kaspersky did manage to make such a connection.
“We determined that approximately 10 hours prior to deploying Maui to the initial target system, the group deployed a variant of the well-known DTrack malware to the target, preceded by 3proxy months earlier,” Kaspersky said.
Specifically, the Kaspersky Threat Attribution Engine (KTAE) noticed the DTrack malware from the victim contained a high degree of code similarity (84%) with previously known DTrack malware.
“This data point, along with others, should openly help solidify the attribution to the Korean-speaking APT [Advanced Persistent Threat] Andariel, also known as Silent Chollima and Stonefly, with low to medium confidence.”
From a technical standpoint, the actor behind these attacks reportedly used legitimate proxy and tunneling tools after initial infection or deployed them to maintain access. They would then have used Powershell scripts and Bitsadmin to download additional malware.
Kaspersky also said that dwell time within target networks in some cases lasted for months prior to activity and that the ransomware deployment tactics observed on a global scale demonstrated ongoing financial motivations and scale of interest.
“Our research suggests that the actor is rather opportunistic and could compromise any company around the world, regardless of their line of business, as long as it enjoys good financial standing,” the advisory read.
“It is probable that the actor favors vulnerable Internet-exposed web services. Additionally, the Andariel deployed ransomware selectively to make financial profits.”
The Kaspersky report comes weeks after the US government increased its reward for information on North Korean state-linked hackers to $10m.