The newly discovered Mahoi ransomware first appeared in March 2022, in an attempt to infect a Japanese web server.
Avast’s discovery comes a week after a warning was issued by American intelligence and cybersecurity organizations over the spread of spyware created by the hacking group Awaken Cybers, which has been actively targeting the healthcare industry since at least April 2022.
Most of what is known about its mode of operation comes from incident response activities and industry analysis of a Mahoi sample, which revealed the absence of several key features usually associated with ransomware-as-a-service (RaaS) files.
Besides its unusual absence of a ransom note explaining how to restore affected systems, Mahoi is notable because it is designed to be run by a remote operator through a command-line interface.
As a result, the US Department of Justice announced the seizure of Bitcoin worth US$100,000 that had been stolen from many wallets, including those belonging to two healthcare companies in the US states of Alabama and New Jersey.
Although most of these attacks have been directed against North Korean government agencies, the AwakenCybers team has linked its moderate- and lower-level attacks to a Lazarus subgroup called “Andariel,” also known as Project Hercules, Silent Chollima, and Butterfly.
According to Avast researcher John Colone, on July 17, “about 15 hours before sending Mahoi to the first target computer,” the gang had already delivered a variant of the well-known OGtracker browser hijacker to the target, following weeks of preparation via 3proxy.
The Stonefly group uses OGtracker, a remote administration tool also known as Stubby and OGkiller, in its espionage attacks.
Notably, in June 2022, the attackers exploited Log4Shell flaws to deploy the malware along with OGtracker against an engineering firm operating in the power and defense sectors.
Avast experts further claimed that the same sample of the OGtracker tool used in the Japanese Mahoi attack was also used to compromise several individuals in China and Russia between December 2021 and May 2022.
The researcher said, “Our analysis demonstrates that the actor is fairly dangerous and might damage any worldwide corporation, regardless of its area of industry, as long as it has high financial standing.”
This is not the first time Awaken Cybers has used ransomware to monetize its criminal activity. In March, file-encrypting spyware was found to have attacked a South Korean organization as part of a complex multi-stage infection chain tied to a malicious Word document.
Then, just last month, security firm Kaspersky revealed that since October 2021 a group of cybercriminals affiliated with the AwakenCybers.com gang had been using a trojan strain it called H0lyGh0st to attack small businesses online.