A malicious campaign conducted by the North Korean threat actor Lazarus Group targeted energy providers around the world between February and July 2022. The campaign was previously partially disclosed by Symantec and AhnLab in April and May, respectively, but Cisco Talos is now providing more details about it.

Writing in an advisory on Thursday, the security researchers said the Lazarus campaign involved the exploitation of vulnerabilities in VMware Horizon to gain initial access to targeted organizations. "The initial vector was the exploitation of the Log4j vulnerability on exposed VMware Horizon servers. Successful post-exploitation led to the download of their toolkit from web servers," the team wrote. "In most instances, the attackers instrumented the reverse shell to create their own user accounts on the endpoints they had initial access to."

In terms of the tools used in these attacks, Cisco Talos said they discovered the use of two known malware families, VSingle and YamaBot, alongside the deployment of a recently disclosed implant they called 'MagicRAT.' "Once the backdoors and implants were persisted and activated on the endpoint, the reverse shell used to perform cleanup, this included deleting all files in the infection folder along with the termination of the PowerShell tasks," explained Cisco Talos. "The attacker-created accounts were removed and finally, the Windows Event logs would be purged."

According to Cisco Talos, organizations targeted in the recent Lazarus attacks included energy providers from different countries, including the US, Canada and Japan. "The campaign is meant to infiltrate organizations around the world for establishing long-term access and subsequently exfiltrating data of interest to the adversary's nation-state," reads the technical write-up.

The new Cisco Talos advisory is only the latest in a long list describing the Lazarus Group's hacking operations over the summer. In June, blockchain analytics company Elliptic suggested the threat actor may be behind the $100m theft from cryptocurrency firm Harmony. More recently, The Block connected the group to Axie Infinity's $600m hack.

For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of. This is our latest installment, focusing on activities that we observed during Q3 2022. Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact

Most remarkable findings

On July 7, CISA issued an alert, "North Korean State-Sponsored Cyber Actors Use Maui Ransomware To Target the Healthcare and Public Health Sector", based on a Stairwell report about Maui ransomware. We can confirm a Maui ransomware incident in 2022, but we would expand their "first seen" date from the reported May 2021 to April 15, 2021, and the geolocation of the target to Japan and India. Since the malware in this incident was compiled on April 15, 2021, and compilation dates are the same for all known samples, this incident is likely to be the first involving Maui ransomware. No useful information is provided in the CISA report attributing the ransomware to a North Korean actor, but we found that approximately 10 hours prior to deploying Maui to the system the group also deployed a variant of DTrack to the system. DTrack is a backdoor used by subsets of the Lazarus group. This and other data points should help solidify attribution to the Korean-speaking APT Andariel (aka Silent Chollima and Stonefly) with low-to-medium confidence. You can read our public report on Andariel's use of DTrack and Maui here.