Andariel deploys DTrack and Maui ransomware

2022-08-09, Kaspersky
https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/
#Andariel #DTrack #Maui

Contents

On July 7, 2022, CISA published an alert entitled “North Korean State-Sponsored Cyber Actors Use Maui Ransomware To Target the Healthcare and Public Health Sector,” related to a Stairwell report, “Maui Ransomware.” Later, the Department of Justice announced that it had effectively clawed back $500,000 in ransom payments to the group, partly thanks to new legislation. We can confirm a Maui ransomware incident in 2022 and add some incident and attribution findings.
We extend the “first seen” date from the reported May 2021 to April 15th, 2021, and the geolocation of the target to Japan. Because the malware in this early incident was compiled on April 15th, 2021, and compilation dates are the same for all known samples, this incident is possibly the first ever involving the Maui ransomware.
While CISA provides no useful information in its report to attribute the ransomware to a North Korean actor, we determined that approximately …

IoC

102a6954a16e80de814bee7ae2b893f1fa196613
145.232.235.222
1c4aa2cbe83546892c98508cad9da592089ef777
2f553cba839ca4dab201d3f8154bae2a
5bc4b606f4c0f8cd2e6787ae049bf5bb
60425a4d5ee04c8ae09bfe28ca33bf9e76a43f69548b2704956d0875a0f25145
6122c94cbfa11311bea7129ecd5aea6fae6c51d23228f7378b5f6b2398728f67
739812e2ae1327a94e441719b885bd19
87e3fc08c01841999a8ad8fe25f12fe4
92adc5ea29491d9245876ba0b2957393633c9998eb47b3ae1344c13a44cd59ae
94db86c214f4ab401e84ad26bb0c9c246059daff
95247511a611ba3d8581c7c6b8b1a38a
a557a0c67b5baa7cf64bd4d42103d3b2852f67acf96b4c5f14992c1289b55eaa
ad4eababfe125110299e5a24be84472e
cf236bf5b41d26967b1ce04ebbdb4041
f2f787868a3064407d79173ac5fc0864
feb79a5a2bdf0bcf0777ee51782dc50d2901bb91
http://145.232.235.222/usr/users/dwem.cert
http://145.232.235.222/usr/users/mini.ps1