Kaspersky experts have uncovered new attacks by Andariel, a North Korean APT subgroup of Lazarus known for campaigns in South Korea. The attacks involved modifications of the well-known DTrack malware, as well as the brand-new Maui ransomware, and targeted high-profile organizations in the US, Japan, India, Vietnam and Russia.

Andariel is a state-sponsored North Korean group that has operated for more than a decade within the infamous Lazarus group, and Kaspersky investigators identified an interesting incident in Japan involving a never-before-seen Maui ransomware sample. In 2022, the group continued to expand its malware arsenal and the geography of its attacks. As CISA reported in July 2022, Andariel hit public and healthcare organizations with Maui ransomware.

Following their research, Kaspersky experts published a thorough analysis of the APT group. It shows that Andariel deploys the well-known DTrack malware, which executes embedded shellcode carrying a final in-memory Windows payload. According to the Kaspersky Threat Attribution Engine, this spyware was allegedly created by the Lazarus group and is used to upload and download files on victims' systems, log keystrokes and perform other actions typical of a malicious remote administration tool (RAT). DTrack collects system information and browser history via Windows commands. Interestingly, the time spent inside the target networks can last months before the ransomware activity begins.

The new malware used by Andariel in 2021 and 2022 was dubbed Maui ransomware. We identified its release after DTrack was deployed within an organization. Maui has been used in attacks on multiple occasions, mainly targeting companies in the US and Japan. Kaspersky researchers assessed that the actor is opportunistic and can compromise any company worldwide, regardless of its business category, focusing instead on its good financial standing.
“We've been following the Andariel APT group for years, and we see that their attacks are constantly evolving. What requires special attention is that the group has started to deploy ransomware on a global scale, demonstrating continued financial motivation and interest,” comments Kurt Baumgartner, a security expert at Kaspersky. To learn more about Maui ransomware and other malware used by Andariel, read the report at Securelist.com. To protect yourself and your business from ransomware attacks, consider following these Kaspersky recommendations:
- Do not expose remote services (such as RDP) to public networks unless absolutely necessary and always use strong passwords for them.
- Promptly install available patches for commercial VPN solutions that provide access to remote employees and act as gateways on your network.
- Always keep the software on every device you use up to date to prevent ransomware from exploiting vulnerabilities.
- Focus your defense strategy on detecting lateral movement and data exfiltration to the Internet. Pay special attention to outgoing traffic to detect connections made by cybercriminals.
- Back up your data regularly. Make sure you can quickly access the backups in an emergency, when needed.
- Use solutions such as Kaspersky Endpoint Detection and Response Expert and the Kaspersky Managed Detection and Response service, which help to identify and stop attacks during the early stages, before attackers reach their ultimate goals.
- Use a reliable endpoint security solution such as Kaspersky Endpoint Security for Business, which is powered by exploit prevention, behavior detection and a remediation engine capable of reversing malicious actions. KESB also has self-defense mechanisms, which can prevent its removal by cybercriminals.
- Educate your employees to protect the corporate environment. Dedicated training courses can help, such as those provided on the Kaspersky Automated Security Awareness Platform.
- Use the latest Threat Intelligence information to stay on top of the actual TTPs used by threat actors. The Kaspersky Threat Intelligence Portal is a single access point for Kaspersky's threat intelligence, providing cyber-attack data and insights gathered by our team over nearly 25 years. To help companies enable effective defenses in these turbulent times, Kaspersky has announced free access to independent, continuously updated and globally sourced information about cyberattacks and ongoing threats. Request access to this offer here.