Korea-linked APT, also known as Lazarus Group has launched an advanced, multi-purpose malware framework, called MATA, to target Windows, Linux & macOS operating systems for a number of reasons, incl. spying & financial gain.
Kaspersky found some attacks utilising MATA (so-called because the malware authors themselves call their infrastructure MataNet), involving the infiltration of corporate entities worldwide in a hunt to steal customer databases & distribute ransomware.
Elements
The framework has several elements, such as a loader, an orchestrator (which manages & co-ordinates the processes when a device is infected) & plugins. According to artifacts in the code, Lazarus has been using it since Spring 2018.
“Malicious tool-sets used to target multiple platforms are a rare breed, as they require significant investment from the developer,” explained Kaspersky analysts, in a report issued Wed.
“They are often deployed for long-term use, which results in increased profit for the player through numerous attacks spread over time.
In the cases discovered by Kaspersky, the MATA framework was able to target 3 platforms – Windows, Linux & macOS – indicating that the attackers planned to use it for multiple purposes.”
Widespread
Victim organisations affected by the MATA framework have been found in Germany, India, Japan, Korea, Turkey & Poland, showing that the attacks were widespread.
Those victims are in a number of sectors, & include a software development company, an e-commerce company & an internet service provider.
Intentions
“From one victim, we identified one of their intentions,” according to Kaspersky. “After deploying MATA malware & its plugins, the player tried to find the victim’s databases & execute several database queries to acquire customer lists.
We are unsure if they completed the exfiltration of the customer database, but its certain that customer databases from victims are one of their interests. In addition, MATA was used to distribute VHD ransomware to one victim.”
Windows Version
The Windows version of MATA consists of several elements, says Kaspersky. Notably, a loader malware, used to load an encrypted next-stage payload, & the payload itself, which is likely the orchestrator malware.
“We’re not sure that the loaded payload is the orchestrator malware, but almost all victims have the loader and orchestrator on the same machine,” the researchers explained.
The orchestrator loads encrypted configuration data from a registry key & decrypts it with the AES algorithm. Its rationale is to load various plugins – up to 15 of them.
Command-&-Control
They perform various functions, including sending the command-&-control (C2) information about the infected host, e.g. victim ID, internal version number, Windows version, computer name, user name, IP address and MAC address; creating a HTTP proxy server; executing code; manipulating files etc..
The parent process that executes the loader malware is the ‘WMI Provider Host’ process. This usually means the player has executed malware from a remote host in order to move laterally, says Kaspersky. Also, additional hosts in the same network might also be infected.
Non-Windows versions of MATA
A Linux version of the MATA orchestrator was seen in Dec., uncovered by Netlab & called DACLs. It was described as a remote access trojan (RAT), bundled together with plugins.
Kaspersky has linked DACLs to MATA, with the Linux MATA version including both a Windows & a Linux orchestrator, a Linux tool for listing folders, scripts for exploiting Atlassian Confluence Server (CVE-2019-3396) & also a legitimate socat tool.
The Linux version of MATA has a logsend plugin. This plugin implements a new feature, a “scan” command that attempts to establish a TCP connection on ports 8291 (used for administration of MikroTik RouterOS devices) & 8292 (“Bloomberg Professional” software) & random IP addresses, excluding addresses belonging to private networks.
Logged
Any successful connection is logged, then sent to the C2. These logs might be used by attackers to find targets.
The macOS version of the orchestrator meanwhile was found in April, having been ported from the Linux version. It was found hiding in a trojanised macOS application based on an open-source two-factor authentication application named MinaOTP. Its plugin list is almost identical to the Linux version, except that it also contains a plugin named “plugin_socks,” responsible for configuring proxy servers.
Links to Lazarus
Lazarus Group, a.k.a. Hidden Cobra or APT 38, has existed since 2009. The APT has been linked to the highly destructive WannaCry attack that caused millions of in economic damage in 2017, the SWIFT banking attacks, as well as the high-profile attack against Sony Pictures Entertainment in 2014.
It even has created a spinoff group, the ‘mission-statement’ of which is to steal money from banks to fund Lazarus’ cyber-criminal operations, & the N. Korean regime.
Lazarus is also evolving. In Dec., it was seen linking up with Trickbot operators, which run a powerful trojan that targets US banks etc. In May, it was noticed adding macOS spyware to a two-factor authentication app, & in July, it added Magecart card-skimming code to its tools.
Unique File Names
Kaspersky has linked the MATA framework to the Lazarus APT group through 2 unique file names found in the orchestrators – c_2910.cls and k_3872.cls, which have only previously been seen in varieties of the Manuscrypt malware, a known Lazarus tool.
Earlier research by Netlab also discovered the connection of the Linux orchestrator/DACLS RAT with the APT.