Security researchers from Kaspersky have published details about a new malware framework they have uncovered and linked to the well-known North Korean hacker group tracked as Lazarus.
Dubbed “MATA”, the new malware is a comprehensive framework designed to target the Windows, Linux and macOS operating systems. The MATA malware framework includes several components, such as a loader, an orchestrator and plugins.
Artifacts recovered so far indicate that the MATA framework has been in use since April 2018 and has been leveraged in attacks against corporate entities across the world.
The researchers identified several victims infected with MATA located in Poland, Germany, Turkey, Korea, Japan and India. The victim list includes entities from various industries, such as software development, e-commerce and telecommunications.
“We assess that MATA was used by an APT actor, and from one victim we identified one of their intentions. After deploying MATA malware and its plugins, the actor attempted to find the victim’s databases and execute several database queries to acquire customer lists. We’re not sure if they completed the exfiltration of the customer database, but it’s certain that customer databases from victims are one of their interests. In addition, MATA was used to distribute VHD ransomware to one victim,” the researchers said.
The MATA framework comes in versions for Windows, Linux and macOS. The Windows version consists of several components, including a loader, which has been observed to load an encrypted next-stage payload, although the researchers were not able to determine whether the loaded payload is the orchestrator malware.
The Linux version has been found to be distributed via a legitimate distribution site. This variant contains a Windows MATA orchestrator, a Linux tool for listing folders, scripts for exploiting Atlassian Confluence Server (CVE-2019-3396), a legitimate copy of the socat tool and a Linux version of the MATA orchestrator bundled together with a set of plugins, the researchers said.
As for the macOS version, it comes in the form of a malicious Apple Disk Image file, which contains a Trojanized macOS application based on an open-source two-factor authentication application named MinaOTP.
“The MATA framework is significant in that it is able to target multiple platforms: Windows, Linux and macOS. In addition, the actor behind this advanced malware framework utilized it for a type of cybercrime attack that steals customer databases and distributes ransomware. We evaluate that this malware is going to evolve, so we will be monitoring its activity in order to protect our customers,” Kaspersky concludes.