Sunday, January 24, 02:06

Lazarus Team: Steals data using MATA malware

A malware framework known as MATA, recently discovered and linked to the Lazarus hacking group, has been used since April 2018 in attacks against corporate entities in many countries, both for ransomware deployment and for data theft.

Among the targeted countries are Poland, Germany, Turkey, Korea, Japan and India, according to researchers from Kaspersky's Global Research and Analysis Team (GReAT).

Lazarus (also tracked as HIDDEN COBRA by the US Intelligence Community and as Zinc by Microsoft) used MATA to breach and infect the systems of companies active in various sectors, including, but not limited to, a software development company, an Internet service provider and an e-commerce company.

While the Kaspersky report does not discuss the attackers' motives, the group is known for financially motivated operations as well as destructive ones: it was behind the 2014 Sony Pictures hack (investigated as Operation Blockbuster) and the 2017 WannaCry ransomware outbreak.

Since their first detection in 2007, the Lazarus group has attacked financial institutions in India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey, Chile and Vietnam, as well as organizations in the media and technology sectors.

Background on the MATA malware

MATA is a modular framework with several components, including a loader, an orchestrator and numerous plugins, and it can infect Windows, Linux and macOS systems.

During their attacks, the operators can use MATA to load multiple plugins into memory on the infected system in order to run commands, manipulate files and processes, perform DLL injection and set up HTTP proxy servers.


The plugins also allow the intruders to scan for new targets from macOS and Linux-based hosts (routers, firewalls or IoT devices). On macOS, MATA can additionally load a plugin_socks module that is used to configure proxies.

In their analysis, Kaspersky's researchers found that the attackers use a loader to load an encrypted next-stage payload.

"We are not sure that the loaded payload is the malicious program which orchestrates the attack, but almost all the victims have the loader and the orchestrator on the same computer", the report explains.

Once MATA is fully deployed, the operators try to locate databases holding sensitive customer or operational information and execute database queries to collect and exfiltrate customer lists.

While the researchers had no conclusive evidence that Lazarus actually exfiltrated the data collected during the attacks, stealing such databases from victims is clearly one of the group's goals, alongside the deployment of the VHD ransomware, as seen in the case of one of the breached companies.

Researchers at Qihoo 360 Netlab published a related analysis of the Windows and Linux components of the MATA framework (which they named Dacls) in December 2019.

MATA's connection to the Lazarus group

Kaspersky linked the MATA framework to the Lazarus APT group based on unique filenames found in the orchestrator that were also used in versions of the Manuscrypt trojan (also known as Volgmer).

Manuscrypt samples were made public by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) in 2017 through a US-CERT malware analysis report.

The Kaspersky report also cites similar global configuration data that MATA shares with the Lazarus Manuscrypt trojan, such as "a randomly generated login ID, release date information, a waiting period, and multiple C2 server addresses."

"The MATA framework is important as it can target many platforms: Windows, Linux and macOS," concludes Kaspersky.

"Furthermore, the actor behind this advanced malware framework used it for cybercrime-type attacks that steal customer databases and distribute ransomware."

Teo Ehc