Lazarus Group, the infamous hacking group with ties to the North Korean regime, has unleashed a brand new multi-platform malware framework with the goal of infiltrating corporate entities around the world, stealing customer databases, and distributing ransomware.
Capable of targeting Windows, Linux, and macOS operating systems, the MATA malware framework — so-called because of the authors’ reference to the infrastructure as “MataNet” — comes with a wide range of features designed to carry out a variety of malicious activities on infected machines.
The MATA campaign is said to have begun as early as April 2018, with the victimology traced to unnamed companies in the software development, e-commerce and internet service provider sectors located in Poland, Germany, Turkey, Korea, Japan, and India, cybersecurity firm Kaspersky said in its Wednesday analysis.
The report offers a comprehensive look at the MATA framework, while also building on earlier evidence gathered by researchers from Netlab 360, Jamf, and Malwarebytes over the past eight months.
Last December, Netlab 360 disclosed a fully functional remote administration Trojan (RAT) called Dacls targeting both Windows and Linux platforms that shared key infrastructure with that operated by the Lazarus Group.
Then in May, Jamf and Malwarebytes uncovered a macOS variant of the Dacls RAT that was distributed via a trojanized two-factor authentication (2FA) app.
In the latest development, the Windows version of MATA consists of a loader used to load an encrypted next-stage payload — an orchestrator module (“lsass.exe”) capable of loading 15 additional plugins at the same time and executing them in memory.
The plugins themselves are feature-rich, boasting capabilities that allow the malware to manipulate files and system processes, inject DLLs, and create an HTTP proxy server.
MATA plugins also allow the attackers to target Linux-based diskless network devices such as routers, firewalls or IoT devices, as well as macOS systems, by masquerading as a 2FA app called TinkaOTP, which is based on an open-source two-factor authentication application named MinaOTP.
Once the plugins were deployed, the attackers then attempted to locate the compromised company’s databases and execute several database queries to acquire customer details. It isn’t immediately clear whether they were successful in their attempts. Additionally, Kaspersky researchers said MATA was used to distribute VHD ransomware to one anonymous victim.
Kaspersky said it linked MATA to the Lazarus Group based on the unique file name format found in the orchestrator (“c_2910.cls” and “k_3872.cls”), which has previously been seen in several variants of the Manuscrypt malware.
The state-sponsored Lazarus Group (also known as Hidden Cobra or APT38) has been linked to many major cyber offensives, including the Sony Pictures hack in 2014, the SWIFT banking hack in 2016, and the WannaCry ransomware infection in 2017.
The hacking crew’s penchant for carrying out financially motivated attacks led the U.S. Treasury to sanction the group and its two off-shoots, Bluenoroff and Andariel, last September.