New MATA Multi-platform malware framework linked to NK Lazarus APT

North Korea-linked Lazarus APT Group has used a new multi-platform malware framework, dubbed MATA, to target entities worldwide

The notorious Lazarus Group is using a new multi-platform malware framework, dubbed MATA, in attacks aimed at organizations worldwide, to deploy Kaspersky researchers observed that MATA was used by the threat actors to distribute ransomware (i.e. VHD ransomware) and steal customer databases.

The MATA malware framework could target Windows, Linux, and macOS operating systems. The name MATA comes from the name used by the authors to identify their infrastructure, MataNet.

The malware framework implements a wide range of features that allow attackers to fully control the infected systems.

According to the experts from Kaspersky that first analyzed the framework, the MATA campaign has been active at least since April of 2018. The hackers targeted unnamed companies in software development, e-commerce, and an internet service provider around the world, including Poland, Germany, Turkey, Korea, Japan, and India. Experts pointed out that the hackers targeted entities in various industries.

“The MATA malware framework possesses several components, such as loader, orchestrator and plugins. This comprehensive framework is able to target Windows, Linux and macOS operating systems.” states the report published by Kaspersky.

“The first artefacts we found relating to MATA were used around April 2018. After that, the actor behind this advanced malware framework used it aggressively to infiltrate corporate entities around the world. We identified several victims from our telemetry and figured out the purpose of this malware framework.”

The analysis of the MATA framework revealed several links to the Lazarus APT group, such as two unique filenames, c_2910.cls and k_3872.cls, used in MATA orchestrator and which have only previously been seen in several Manuscrypt variants

“Moreover, MATA uses global configuration data including a randomly generated session ID, date-based version information, a sleep interval and multiple C2s and C2 server addresses. We’ve seen that one of the Manuscrypt variants (ab09f6a249ca88d1a036eee7a02cdd16) shares a similar configuration structure with the MATA framework.” continues the report. “This old Manuscrypt variant is an active backdoor that has similar configuration data such as session ID, sleep interval, number of C2 addresses, infected date, and C2 addresses. They are not identical, but they have a similar structure.”

Evidence of the existence of the MATA framework was also collected by security researchers from Netlab 360, Malwarebytes, and Jamf over the past months.

In December, researchers from Netlab 360 spotted a new Remote Access Trojan (RAT), dubbed Dacls, that was used by the Lazarus APT group to target both Windows and Linux devices.

In May, Malwarebytes researchers observed the Mac version of Dacls being distributed via a Trojanized two-factor authentication application for macOS called MinaOTP, mostly used by Chinese speakers.

The Windows version of MATA is composed of a loader used to load an encrypted next-stage payload and the orchestrator module (“lsass.exe”).

The Windows version of MATA orchestrator analyzed by Kaspersky can load 15 plugins at the same time. It can load the plugin downloading it from the specified HTTP or HTTPS server, loading the AES-encrypted plugin file from a specified disk path, or downloading the plugin file from the current MataNet connection.

The modular structure leverage plugins to implement multiple functions, such as file manipulation capabilities, DLL injection, management of system processes, and creation of an HTTP proxy server.

MATA is also able to target Linux-based diskless network devices, including such as routers, firewalls, or IoT devices.

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks. The group has been linked to several major cyber attacks, including the 2014 Sony Pictures hack, several SWIFT banking attacks since 2016, and the 2017 WannaCry ransomware infection.

“The MATA framework is significant in that it is able to target multiple platforms: Windows, Linux and macOS. In addition, the actor behind this advanced malware framework utilized it for a type of cybercrime attack that steals customer databases and distributes ransomware.” concludes the report. “We evaluate that this malware is going to evolve, so we will be monitoring its activity in order to protect our customers.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Mata malware platform)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.