Lazarus Group Deploying Fresh Malware FrameworkKaspersky: MATA Framework Used to Spread Ransomware, Steal Databases
Lazarus Group, a sophisticated hacking group with ties to the North Korean government, is now using a new malware framework to spread ransomware and steal databases, according to security firm Kaspersky.
The framework, dubbed MATA by Kaspersky, is a multiplatform tool used to target Windows, Linux and macOS operating systems, according to the researchers. The framework features several malicious components, has been active since 2018 and is used by the Lazarus Group to infiltrate corporate networks to steal victims' database and spread ransomware.
It's unclear how many victims were targeted using this new tool, but researchers note the group has utilized MATA to target victims in Poland, Germany, Turkey, Korea, Japan and India, according to Kaspersky.
"Moreover, the actor compromised systems in various industries, including a software development company, an e-commerce company and an internet service provider," the report notes.
The researchers further warn that the framework is likely to evolve into an even more advanced model in the months ahead.
"The MATA framework is significant in that it is able to target multiple platforms: Windows, Linux and macOS," Kaspersky notes. "We evaluate that this malware is going to evolve, so we will be monitoring its activity in order to protect our customers."
Targeting Multiple Operating Systems
Here's how MATA works against operating systems, according to Kaspersky:
Windows: To compromise Windows, the MATA framework uses multiple malware components. This includes a loader malware to download next-stage payload, which then loads a set of 15 plugins to perform tasks such as retrieving system information, accessing files and sending it to command-and-control servers.
In some cases, the attackers also used the framework to spread file-encrypting ransomware, the researchers note.
Linux: This malware framework consists of different components and hacking tools, the researchers say. It is also being spread through a legitimate distribution site and comes with a malicious script to exploit a widget connecter vulnerability in Atlassian Confluence Server, a work collaboration tool.
A report by security firm Netlab, which discovered this version of MATA frameworks in December 2019, noted the malware is a fully functional remote access Trojan or RAT.
macOS: Kaspersky researchers note they discovered this version of MATA framework uploaded to VirusTotal on April 8. It's spread as a Trojanized MinaOTP - a macOS app based on an open-source, two-factor authentication application.
In all three versions, the hackers used malicious plugins to find a database to victimize, particularly customer databases, according to the report.
"We’re not sure if they completed the exfiltration of the customer database, but it’s certain that customer databases from victims are one of their interests," the report notes. "In addition, MATA was used to distribute VHD ransomware to one victim."
Ties to Lazarus Group
The Kaspersky researchers note they tied the new malware framework to Lazarus Group after finding similarities between MATA's components and various Manuscrypt variants - malware which has been previously linked to the North Korean hacking group.
"We've seen that one of the Manuscrypt variants shares a similar configuration structure with the MATA framework," the report notes.
Lazarus Group, which the U.S. Cybersecurity and Infrastructure Security Agency calls Hidden Cobra, is a hacking group tied to government of North Korea. The advanced persistent threat group is suspected of carrying out a series of high-profile attacks, including the Sony Pictures hack of 2014 as well as the WannaCry ransomware attacks of 2017 (see: US Offers $5 Million Reward for N. Korea Hacker Information).
Since those attacks, CISA and the FBI have issued regular warnings about North Korea-sponsored hackers and have published data on nearly 30 malware variants associated with hacking groups suspected of working with the regime (see: Group Behind WannaCry Now Using New Malware.