A recently discovered malware framework known as MATA has been linked to the Lazarus hacking group. It has been used in attacks against corporate targets in many countries since April 2018, for ransomware deployment and data theft.
Among the targeted countries are Poland, Germany, Turkey, Korea, Japan and India, according to researchers from the Kaspersky Lab Global Research and Analysis Team (GReAT).
Lazarus (also tracked as HIDDEN COBRA by the United States Intelligence Community and as Zinc by Microsoft) used MATA to breach and infect the systems of companies active in various sectors, including, but not limited to, a software development company, an Internet service provider and an e-commerce company.
While the Kaspersky report does not discuss the attackers' motives, the group is known for its financial motivation, as its past campaigns show: it hacked Sony Pictures in 2014 as part of Operation Blockbuster and was behind the global WannaCry ransomware epidemic of 2017.
Since its first detection in 2007, the Lazarus group has attacked financial institutions in India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey, Chile and Vietnam, as well as organizations in the media and technology sectors.
The context of the MATA malware
During their attacks, the operators can use MATA to load multiple plugins into the memory of an infected system in order to run commands, manipulate files and processes, perform DLL injection, and create HTTP proxy servers.
MATA also lets the intruders scan for new targets from macOS- and Linux-based systems (routers, firewalls or IoT devices). On the macOS platform, MATA can additionally load a plugin_socks module that can be used to configure proxies.
In their analysis, Kaspersky's researchers found that the attackers use a malware loader to load an encrypted next-stage payload.
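The behaviours described above (plugins loaded straight into memory, DLL injection via cross-process thread creation, a new HTTP proxy listener, and a loader reading an encrypted next-stage blob) are individually noisy but collectively distinctive. The following added example, which is not code from the report or from the Kaspersky researchers, shows how a defender could triage endpoint telemetry for that combination. The event schema, the sample records and the rule thresholds are all constructed for illustration and are not MATA's real artefacts.

```python
"""Behavioural triage for the capability set described above.

Hypothetical example: the event schema (host, pid, event, detail) and the
sample records are constructed; they do not come from any real telemetry
source or from the MATA framework itself.
"""
from collections import defaultdict

# Constructed sample telemetry for three workstations. ws-01 shows the full
# pattern, ws-02 only has a listener, ws-03 is benign.
SAMPLE_EVENTS = [
    {"host": "ws-01", "pid": 4120, "event": "image_load",
     "detail": {"backed_by_file": False, "size": 212992}},
    {"host": "ws-01", "pid": 4120, "event": "remote_thread",
     "detail": {"target_pid": 5008}},
    {"host": "ws-01", "pid": 4120, "event": "listen",
     "detail": {"port": 8080, "proto": "tcp"}},
    {"host": "ws-01", "pid": 4120, "event": "file_read",
     "detail": {"path": "C:\\ProgramData\\cfg.dat", "entropy": 7.92}},
    {"host": "ws-02", "pid": 880, "event": "listen",
     "detail": {"port": 3128, "proto": "tcp"}},
    {"host": "ws-03", "pid": 2211, "event": "image_load",
     "detail": {"backed_by_file": True, "size": 40960}},
]

# Ports commonly used for HTTP/SOCKS proxies (assumed list for the example).
COMMON_PROXY_PORTS = {1080, 3128, 8080, 8888}
# Shannon entropy (bits/byte) above which a file read looks encrypted/packed.
HIGH_ENTROPY = 7.5


def rule_inmem_plugin(ev):
    """A loaded image with no backing file on disk: plugin loaded from memory."""
    if ev["event"] == "image_load" and not ev["detail"]["backed_by_file"]:
        return "inmem_plugin"
    return None


def rule_dll_injection(ev):
    """A thread created in another process is the classic DLL-injection tell."""
    return "dll_injection" if ev["event"] == "remote_thread" else None


def rule_proxy_listener(ev):
    """A new listening socket on a typical proxy port."""
    if ev["event"] == "listen" and ev["detail"]["port"] in COMMON_PROXY_PORTS:
        return "proxy_listener"
    return None


def rule_encrypted_stage(ev):
    """A high-entropy file read: a loader pulling an encrypted next stage."""
    if ev["event"] == "file_read" and ev["detail"]["entropy"] >= HIGH_ENTROPY:
        return "encrypted_stage"
    return None


RULES = (rule_inmem_plugin, rule_dll_injection,
         rule_proxy_listener, rule_encrypted_stage)


def tag_processes(events):
    """Return {(host, pid): sorted list of behaviour tags} for every process."""
    tags = defaultdict(set)
    for ev in events:
        for rule in RULES:
            tag = rule(ev)
            if tag:
                tags[(ev["host"], ev["pid"])].add(tag)
    return {proc: sorted(t) for proc, t in tags.items()}


def triage(events, threshold=2):
    """Keep only processes showing at least `threshold` distinct behaviours.

    A single listener or a single injected thread is routine on many hosts;
    requiring several of the behaviours from the same process cuts the noise.
    """
    return {proc: t for proc, t in tag_processes(events).items()
            if len(t) >= threshold}


if __name__ == "__main__":
    for proc, tags in triage(SAMPLE_EVENTS).items():
        print(f"{proc[0]} pid {proc[1]}: {', '.join(tags)}")
```

Correlating by process rather than by host is the design choice worth noting: the report states that the loader and the orchestrator usually sit on the same machine, so a second pass that joins hits across processes on one host would be the natural extension once the individual behaviours are tagged.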
"We are not sure that the loaded payload is the malicious program that orchestrates the attack, but almost all the victims have the loader and the orchestrator on the same computer," the report explains.
While the researchers had no conclusive evidence that Lazarus actually exfiltrated the data it collected during the attacks, stealing such databases from victims is clearly one of the group's goals, along with deploying VHD ransomware, as seen in the case of one of the breached companies.
Researchers at Qihoo 360 Netlab published an analysis of the Windows and Linux components of the MATA malware framework (which they named Dacls) in December 2019.
The connection of MATA with the Lazarus team
Kaspersky linked the MATA framework to the Lazarus APT group based on unique "orchestrator" filenames that were also used in versions of the Manuscrypt trojan (also known as Volgmer).
Manuscrypt samples were made public by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) in 2017 through a US-CERT malware analysis report.
The Kaspersky report also cites similar global configuration data that MATA shares with the Lazarus Manuscrypt trojan, such as "a randomly generated session ID, date-based version information, a sleep interval, and multiple C2 and C2 server addresses."
"The MATA framework is important as it can target many platforms: Windows, Linux and macOS," concludes Kaspersky.