Kaspersky Lab experts have discovered new attacks by Andariel, a North Korean cyber group that is part of Lazarus.
They use modified versions of the well-known DTrack malware, as well as a new ransomware program, Maui. Targets include large organizations in the US, Japan, India, Vietnam and Russia. Andariel does not focus on any specific companies; what matters most to the attackers is that the target organization has a strong financial position.
The group has been operating for more than a decade and continued to expand both its malware arsenal and the geography of its attacks in 2022. A July report from the U.S. Cybersecurity and Infrastructure Protection Agency reveals that Andariel attacked government and healthcare organizations with the Maui ransomware.
The attackers also use the DTrack spyware, which, according to the Kaspersky Threat Attribution Engine, was created by the Lazarus group. The malware is used to upload files to and download files from victims' systems, record keystrokes, and perform other actions typical of a malicious remote administration tool (RAT). DTrack collects system information and browser history by running Windows commands. Attackers can remain on the target network for many months before launching the ransomware stage of the attack.
According to the observations of Kaspersky Lab experts, the Maui ransomware was launched only after DTrack had been deployed on the corporate network, and it was used primarily to attack companies in the US and Japan.