22 July 2020

North Korean hackers add new sophisticated cyber tool to their arsenal

Security researchers from Kaspersky have published details about a new malware framework they have uncovered and linked to the well-known North Korean hacker group tracked as Lazarus.

Dubbed “MATA”, the new malware is a comprehensive framework designed to target the Windows, Linux and macOS operating systems. The MATA framework includes several components, such as a loader, an orchestrator and plugins.

The artifacts found indicate that the MATA framework has been in use since April 2018 and has been leveraged in attacks against corporate entities across the world.

The researchers identified several victims infected with MATA, located in Poland, Germany, Turkey, Korea, Japan and India. The victim list includes entities from various industries, such as software development, e-commerce and telecommunications.

“We assess that MATA was used by an APT actor, and from one victim we identified one of their intentions. After deploying MATA malware and its plugins, the actor attempted to find the victim’s databases and execute several database queries to acquire customer lists. We’re not sure if they completed the exfiltration of the customer database, but it’s certain that customer databases from victims are one of their interests. In addition, MATA was used to distribute VHD ransomware to one victim,” the researchers said.

The MATA framework comes in versions for Windows, Linux and macOS. The Windows version consists of several components, including a loader, which has been observed to load an encrypted next-stage payload, although the researchers were not able to determine whether the loaded payload is the orchestrator malware.

The Linux version has been found distributed via a legitimate distribution site. This variant contains a Windows MATA orchestrator, a Linux tool for listing folders, scripts for exploiting Atlassian Confluence Server (CVE-2019-3396), a legitimate socat tool and a Linux version of the MATA orchestrator bundled together with a set of plugins, the researchers said.

As for the macOS version, it comes in the form of a malicious Apple Disk Image file containing a Trojanized macOS application based on an open-source two-factor authentication application named MinaOTP.

“The MATA framework is significant in that it is able to target multiple platforms: Windows, Linux and macOS. In addition, the actor behind this advanced malware framework utilized it for a type of cybercrime attack that steals customer databases and distributes ransomware. We evaluate that this malware is going to evolve, so we will be monitoring its activity in order to protect our customers,” Kaspersky concludes.
