Threat Watch

New Cross-Platform MATA Malware Loader Linked to Lazarus Group

Lazarus Group (North Korea): Lazarus Group has been one of the most dominant hacking groups for North Korea. Best known for being financially motivated, the group is accused of being responsible for the attacks on Sony in 2014 and the WannaCry ransomware that affected most of the world. Researchers with Kaspersky Lab’s Global Research team have identified a new malware loader framework affecting Windows, Linux and macOS devices that they have linked to the group and dubbed MATA. Components of the same malware were previously described by Qihoo 360 Netlab researchers, who called it Dacls at that time. The ransomware affected Poland, Germany, Turkey, Korea, Japan, and India. MATA is a modular framework with several components such as a loader, orchestrator, and multiple plugins. These plugins allow the attackers to alter the memory running commands, manipulate files and processes, inject DLLs, and create HTTP proxies and tunnels on Windows devices. The plugins also allow the threat actor to scan for new targets on macOS and Linux systems. After the framework is in place, the Lazarus Group uses it to find databases with sensitive information and possibly exfiltrate the data; in one case, the attackers held the data for ransom by deploying VHD ransomware. Kaspersky linked the ransomware to the group through its use of unique orchestrator filenames that were also used in the Manuscrypt Trojan, which is also linked to the Lazarus Group.

ANALYST NOTES

MATA is a significant loader framework because it can affect various systems. Lazarus Group has been highly motivated by financial gain in the past, which is what researchers believe is the goal of this attack campaign as well. Ransomware has been very problematic in recent months, with many groups beginning to share the identities of their victims publicly and threatening to release or auction off data if the ransom is not paid. Either way, defenders need to have the proper defenses in place to combat these attacks. This includes, but is not limited to, having off-site data backups that won’t be affected during ransomware attacks and that can be accessed in case of infection. System monitoring should be in place as well. Binary Defense offers Managed Detection and Response services in conjunction with 24/7 SOC monitoring to identify attacks quickly before they have a chance to spread throughout a network.

More can be read here: https://www.bleepingcomputer.com/news/security/lazarus-hackers-deploy-ransomware-steal-data-using-mata-malware/
The Kaspersky report can be found here: https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/