New MATA Multi-platform malware framework linked to NK Lazarus APT

North Korea-linked Lazarus APT Group has used a new multi-platform malware framework, dubbed MATA, to target entities worldwide

The notorious Lazarus Group is using a new multi-platform malware framework, dubbed MATA, in attacks aimed at organizations worldwide, to deploy Kaspersky researchers observed that MATA was used by the threat actors to distribute ransomware (i.e. VHD ransomware) and steal customer databases.

The MATA malware framework could target Windows, Linux, and macOS operating systems. The name MATA comes from the name used by the authors to identify their infrastructure, MataNet.

The malware framework implements a wide range of features that allow attackers to fully control the infected systems.

According to the experts from Kaspersky that first analyzed the framework, the MATA campaign has been active at least since April of 2018. The hackers targeted unnamed companies in software development, e-commerce, and an internet service provider around the world, including Poland, Germany, Turkey, Korea, Japan, and India. Experts pointed out that the hackers targeted entities in various industries.

“The MATA malware framework possesses several components, such as loader, orchestrator and plugins. This comprehensive framework is able to target Windows, Linux and macOS operating systems.” states the report published by Kaspersky.

“The first artefacts we found relating to MATA were used around April 2018. After that, the actor behind this advanced malware framework used it aggressively to infiltrate corporate entities around the world. We identified several victims from our telemetry and figured out the purpose of this malware framework.”

The analysis of the MATA framework revealed several links to the Lazarus APT group, such as two unique filenames, c_2910.cls and k_3872.cls, used in MATA orchestrator and which have only previously been seen in several Manuscrypt variants

“Moreover, MATA uses global configuration data including a randomly generated session ID, date-based version information, a sleep interval and multiple C2s and C2 server addresses. We’ve seen that one of the Manuscrypt variants (ab09f6a249ca88d1a036eee7a02cdd16) shares a similar configuration structure with the MATA framework.” continues the report. “This old Manuscrypt variant is an active backdoor that has similar configuration data such as session ID, sleep interval, number of C2 addresses, infected date, and C2 addresses. They are not identical, but they have a similar structure.”

Evidence of the existence of the MATA framework was also collected by security researchers from Netlab 360, Malwarebytes, and Jamf over the past months.

In December, researchers from Netlab 360 spotted a new Remote Access Trojan (RAT), dubbed Dacls, that was used by the Lazarus APT group to target both Windows and Linux devices.

In May, Malwarebytes researchers observed the Mac version of Dacls being distributed via a Trojanized two-factor authentication application for macOS called MinaOTP, mostly used by Chinese speakers.

The Windows version of MATA is composed of a loader used to load an encrypted next-stage payload and the orchestrator module (“lsass.exe”).

The Windows version of MATA orchestrator analyzed by Kaspersky can load 15 plugins at the same time. It can load the plugin downloading it from the specified HTTP or HTTPS server, loading the AES-encrypted plugin file from a specified disk path, or downloading the plugin file from the current MataNet connection.

The modular structure leverage plugins to implement multiple functions, such as file manipulation capabilities, DLL injection, management of system processes, and creation of an HTTP proxy server.

MATA is also able to target Linux-based diskless network devices, including such as routers, firewalls, or IoT devices.

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks. The group has been linked to several major cyber attacks, including the 2014 Sony Pictures hack, several SWIFT banking attacks since 2016, and the 2017 WannaCry ransomware infection.

“The MATA framework is significant in that it is able to target multiple platforms: Windows, Linux and macOS. In addition, the actor behind this advanced malware framework utilized it for a type of cybercrime attack that steals customer databases and distributes ransomware.” concludes the report. “We evaluate that this malware is going to evolve, so we will be monitoring its activity in order to protect our customers.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Mata malware platform)

[adrotate banner=”5″]

[adrotate banner=”13″]