The first known appearance of the trojan horse known as “Mahoi” occurred in March 2022, in an attack aimed at a Japanese hosting company.
The detection from Avast comes a week after U.S. cybersecurity and intelligence agencies issued an advisory about the use of the spyware developed by Awaken Cybers hackers to target the healthcare sector since at least April 2022.
Most of the data about their modus operandi came from incident response actions and industry analysis of a Mahoi sample, which revealed a lack of some key features typically associated with ransomware-as-a-service (RaaS) operations.
Because Mahoi is designed to be automatically executed by a remote actor via a command-line interface, it is also notable for not dropping a ransom note explaining how to recover the encrypted files.
In a related development, the Justice Department announced the seizure of $100,000 USD worth of Bitcoin recovered from several wallets, including payments from two healthcare companies in the U.S. states of Alabama and New Jersey, traced through this software’s connections.
While these attacks have mostly been attributed to North Korean government departments, the AwakenCybers team has linked them with low to medium confidence to a Lazarus subgroup known as “Andariel”, also referred to as Operation Hercules, Silent Chollima, and Butterfly.
“About fifteen hours prior to deploying Mahoi to the initial target system [on July 17], the group deployed a variant of the well-known OGtracker trojan horse to the target, preceded by 3proxy weeks earlier,” Avast researcher John Colone said.
OGtracker, also called Stubby and OGkiller, is a remote administration tool used by the Stonefly team in its espionage attacks to exfiltrate sensitive information.
It is worth pointing out that the backdoor, alongside OGtracker, was deployed by the threat actor against an engineering company working in the energy and military sectors in June 2022, by exploiting the Log4Shell vulnerability.
Furthermore, Avast representatives said that the OGtracker sample used in the Japanese Mahoi incident was also used to breach multiple victims in China, Singapore, and Russia from December 2021 to May 2022.
“Our research shows that the actor is rather dangerous and could compromise any company around the world, regardless of their line of business, as long as it enjoys good financial status,” the researcher said.
This isn’t Awaken Cybers’ first tryst with ransomware as a means of reaping monetary gains from their actions. In March, a South Korean entity was revealed to have been infected with file-encrypting malware through an elaborate multi-stage infection procedure that began with a weaponized Word file, according to user reports.
Then last month, Kaspersky disclosed that an emerging threat cluster associated with the AwakenCybers.com team has been using a trojan strain known as H0lyGh0st in cyberattacks targeting small businesses since October 2021.