The North Korea-linked APT known as Lazarus Group has debuted an advanced, multipurpose malware framework, called MATA, to target Windows, Linux and macOS operating systems.
Kaspersky researchers uncovered a series of attacks utilizing MATA (so-called because the malware authors themselves call their infrastructure MataNet), involving the infiltration of corporate entities around the world in a quest to steal customer databases and distribute ransomware. The framework consists of several components, such as a loader, an orchestrator (which manages and coordinates the processes once a device is infected) and plugins. And according to artifacts in the code, Lazarus has been using it since spring 2018.
“Malicious toolsets used to target multiple platforms are a rare breed, as they require significant investment from the developer,” explained Kaspersky analysts, in a report issued on Wednesday. “They are often deployed for long-term use, which results in increased profit for the actor through numerous attacks spread over time. In the cases discovered by Kaspersky, the MATA framework was able to target three platforms – Windows, Linux and macOS – indicating that the attackers planned to use it for multiple purposes.”
As far as victimology, known organizations hit by the MATA framework have been located in Germany, India, Japan, Korea, Turkey and Poland — indicating that the attacks cast a wide net. Moreover, those victims are in various sectors and include a software development company, an e-commerce company and an internet service provider.
“From one victim, we identified one of their intentions,” according to Kaspersky. “After deploying MATA malware and its plugins, the actor attempted to find the victim’s databases and execute several database queries to acquire customer lists. We’re not sure if they completed the exfiltration of the customer database, but it’s certain that customer databases from victims are one of their interests. In addition, MATA was used to distribute VHD ransomware to one victim.”
The Windows version of MATA consists of several components, according to the firm: Most notably, a loader malware, which is used to load an encrypted next-stage payload; and the payload itself, which is likely the orchestrator malware.
“We’re not sure that the loaded payload is the orchestrator malware, but almost all victims have the loader and orchestrator on the same machine,” the researchers explained.
The orchestrator loads encrypted configuration data from a registry key and decrypts it with the AES algorithm. Its purpose is to load various plugins – up to 15 of them. They perform various functions, including sending the command-and-control (C2) information about the infected host, such as victim ID, internal version number, Windows version, computer name, user name, IP address and MAC address; creating an HTTP proxy server; executing code; manipulating files; and more.
The parent process that executes the loader malware is the WMI Provider Host process, which usually means the actor has executed malware from a remote host to move laterally, according to Kaspersky – meaning that additional hosts in the same network could also be infected.
Non-Windows versions of MATA
A Linux version of the MATA orchestrator was seen in December, uncovered by Netlab and dubbed DACLs. It was characterized as a remote access trojan (RAT), bundled together with a set of plugins. Kaspersky has linked DACLs to MATA, with the Linux MATA version including both a Windows and a Linux orchestrator, a Linux tool for listing folders, scripts for exploiting Atlassian Confluence Server (CVE-2019-3396) and a legitimate socat tool.
Note that the Linux version of MATA has a logsend plugin. This plugin implements an interesting new feature, a “scan” command that tries to establish a TCP connection on ports 8291 (used for administration of MikroTik RouterOS devices) and 8292 (“Bloomberg Professional” software) and random IP addresses excluding addresses belonging to private networks. Any successful connection is logged and sent to the C2. These logs might be used by attackers for target selection.
The macOS version of the orchestrator meanwhile was found in April, having been ported from the Linux version. It was found hiding in a trojanized macOS application based on an open-source two-factor authentication application named MinaOTP. Its plugin list is almost identical to the Linux version, except that it also contains a plugin named “plugin_socks,” responsible for configuring proxy servers.
Links to Lazarus
Lazarus Group, a.k.a. Hidden Cobra or APT 38, has been around since 2009. The APT has been linked to the highly destructive WannaCry attack that caused millions of dollars of economic damage in 2017, the SWIFT banking attacks, as well as the high-profile attack against Sony Pictures Entertainment in 2014. It even has spawned a spinoff group, the entire mission of which is to steal money from banks to fund Lazarus’ cybercriminal operations and the North Korean regime as a whole.
Lazarus is also constantly evolving: In December, it was seen hooking up with Trickbot operators, which run a powerful trojan that targets U.S. banks and others. In May, it was seen adding macOS spyware to a two-factor authentication app; and earlier in July, it added Magecart card-skimming code to its toolbag.
Kaspersky has linked the MATA framework to the Lazarus APT group through two unique file names found in the orchestrators: c_2910.cls and k_3872.cls, which have only previously been seen in several variants of the Manuscrypt malware, a known Lazarus tool. Previous research by Netlab also determined the connection between the Linux orchestrator/DACLS RAT and the APT.
“Moreover, MATA uses global configuration data including a randomly generated session ID, date-based version information, a sleep interval and multiple C2s and C2 server addresses,” added the researchers. “We’ve seen that one of the Manuscrypt variants (ab09f6a249ca88d1a036eee7a02cdd16) shares a similar configuration structure with the MATA framework. This old Manuscrypt variant is an active backdoor that has similar configuration data such as session ID, sleep interval, number of C2 addresses, infected date, and C2 addresses. They are not identical, but they have a similar structure.”