Lazarus Group creates new malware framework, MATA
Originally Published on https://shahrukhathar.info/lazarus-group-creates-new-malware-framework-mata/

Lazarus Group, the notorious hacking group linked to the North Korean regime, has created a new cross-platform malware framework aimed at infiltrating corporate entities around the world, stealing customer databases, and distributing ransomware.

The framework is known as MATA and is capable of targeting Windows, Linux, and macOS operating systems. Named after the authors' reference to the 'MataNet' infrastructure, it comes with a wide range of features designed to carry out a variety of malicious activities on infected machines.

According to Kaspersky's analysis, the MATA campaign is believed to have started in April 2018 and targeted unnamed companies in the software development, e-commerce and internet service provider sectors located in Poland, Germany, Turkey, Korea, Japan and India.

The report provides a comprehensive view of the MATA framework, based on previous evidence collected by Netlab 360 researchers over the past eight months. Last December, they revealed a fully functional Remote Administration Trojan (RAT) called Dacls targeting Windows and Linux platforms that shared key infrastructure with the one operated by the Lazarus Group. Malwarebytes later discovered a macOS variant in May that was distributed via a trojanized two-factor authentication (2FA) application.

How MATA works

In the latest development, the Windows version of MATA consists of a payload with an orchestrator module ("lsass.exe") capable of loading 15 additional plugins at the same time and executing them in memory. The plugins themselves are feature-rich, allowing the malware to manipulate system files and processes, inject DLL files, and create an HTTP proxy server.

MATA plugins also allow the attackers to target Linux-based diskless network devices, such as routers, firewalls, or IoT devices, and macOS systems, where the malware masquerades as a 2FA app called TinkaOTP, built on the open-source two-factor authentication app MinaOTP.

Once the plugins are deployed, the attackers try to locate the compromised company's databases and run various queries to obtain customer details. It is not clear whether they were successful in their attempts. Kaspersky researchers said that MATA has also been used to distribute the VHD ransomware to an unnamed victim.

Kaspersky said it linked MATA to the Lazarus Group through the unique file name format found in the orchestrator ("c_2910.cls" and "k_3872.cls"), which had previously been seen in several variants of the Manuscrypt malware.
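The two traits described above, an orchestrator posing as "lsass.exe" and plugin files named like "c_2910.cls" / "k_3872.cls", are the kind of thing a defender can check for in endpoint telemetry. The following is an added example, not code from the report or from Kaspersky: it runs over constructed process and file events, flags any lsass.exe image launched from somewhere other than System32, and flags file names matching the pattern generalised from the two names quoted (letter c or k, underscore, four digits, ".cls"), which is an assumption rather than a published rule.

```python
import re
from pathlib import PureWindowsPath

# The legitimate LSASS process runs from %SystemRoot%\System32; an lsass.exe
# image anywhere else is a masquerade worth investigating.
EXPECTED_LSASS_DIR = PureWindowsPath(r"C:\Windows\System32")

# Assumption: generalises the two orchestrator file names quoted in the report
# (c_2910.cls, k_3872.cls) to <c|k>_<4 digits>.cls. Tune to your own evidence.
CLS_NAME = re.compile(r"^[ck]_\d{4}\.cls$")


def check_event(event):
    """Return a list of findings for one telemetry event (empty if clean).

    event is a dict with "type" ("process" or "file") and a Windows "path".
    """
    findings = []
    path = PureWindowsPath(event["path"])
    name = path.name.lower()
    # PureWindowsPath compares case-insensitively, as Windows itself does.
    if event["type"] == "process" and name == "lsass.exe":
        if path.parent != EXPECTED_LSASS_DIR:
            findings.append(f"lsass.exe running outside System32: {path}")
    if event["type"] == "file" and CLS_NAME.match(name):
        findings.append(f"MATA/Manuscrypt-style plugin file name: {path}")
    return findings


def scan_events(events):
    """Run check_event over a batch of events and collect all findings."""
    return [finding for event in events for finding in check_event(event)]


# Constructed sample telemetry; the paths are made up for this example.
SAMPLE_EVENTS = [
    {"type": "process", "path": r"C:\Windows\System32\lsass.exe"},   # benign
    {"type": "process", "path": r"C:\ProgramData\Updater\lsass.exe"},  # masquerade
    {"type": "file", "path": r"C:\ProgramData\Updater\c_2910.cls"},
    {"type": "file", "path": r"C:\ProgramData\Updater\k_3872.cls"},
    {"type": "file", "path": r"C:\Users\alice\report.xls"},            # benign
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Real hunts should pair the path check with parent-process and signature data, since the name alone is only a first filter.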

Cybersecurity analysts believe that Lazarus Group (also called Hidden Cobra or APT38) is sponsored by the North Korean government. The group has a long history of attacks, including the Sony Pictures hack in 2014, the SWIFT bank hack in 2016, and the 2017 WannaCry ransomware outbreak, the worst ever in terms of affected companies.
