According to a recent article from ThreatPost, the North Korea-linked APT known as Lazarus Group, also known by names such as the Guardians of Peace, Whois Team, Hidden Cobra and Zinc, has debuted an advanced, multipurpose malware framework, called MATA, to target the Windows, Linux, and macOS operating systems. Cyber threat investigators at Kaspersky have uncovered a series of attacks using MATA (so called because the malware authors themselves call their infrastructure MataNet) that involved the infiltration of corporate entities around the world in a quest to steal customer databases and distribute ransomware. The framework consists of several components, such as a loader, an orchestrator (which manages and coordinates the processes once a device is infected), and plugins. According to artifacts in the code, Lazarus has been using it since spring 2018.
Malicious toolsets that target multiple platforms are special projects, as they require significant investment from the developer group. They are often deployed for long-term use, which results in increased profit for the actor through numerous attacks spread over time. In the cases recently discovered, the MATA framework was able to target three platforms (Windows, Linux, and macOS), showing that the attackers planned to use it for multiple purposes over an extended period of time.
Known organizations hit by the MATA framework were in Germany, India, Japan, Korea, Turkey, and Poland, indicating that the attacks cast a global net. The victim companies are in various sectors, including a software development company, an e-commerce company and an Internet service provider.
After the attackers deploy the MATA malware and its plugins, the actor attempts to find the victim’s databases and execute several database queries to acquire customer lists. It has not been established whether the actors were able to complete the exfiltration of the customer database. In one identified instance, MATA was used to distribute VHD ransomware to a victim. For any potential target, the prospect that entire databases could be hit with ransomware is not a reassuring observation.
The Windows version of MATA consists of several components, according to the investigators. Most notable are a loader malware, which is used to load an encrypted next-stage payload, and the payload itself, which is likely the orchestrator malware. The orchestrator loads encrypted configuration data from a registry key and decrypts it with the AES algorithm. The purpose of this action is to load various plugins, estimated at up to 15. They perform various functions, including sending the command-and-control (C2) server information about the infected host, such as victim ID, internal version number, Windows version, computer name, user name, IP address, and MAC address; creating an HTTP proxy server; executing code; manipulating files; and more. The parent process that executes the loader malware is the WMI Provider Host process, which usually means the actor has executed the malware from a remote host to move laterally, so additional hosts in the same network could also be infected.
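The parent-process observation above gives defenders a hunting lead. The following is an added example (not code from the report or from Kaspersky) that flags processes spawned by the WMI Provider Host (WmiPrvSE.exe) which are not on an allowlist of its routine children; the event records, field names and allowlist are constructed assumptions.

```python
"""Hunting lead for the MATA loader's parent process (added example, not from the
report). The report notes the loader is started by the WMI Provider Host,
WmiPrvSE.exe, which usually means code was executed from a remote host over WMI.
Events below are constructed, Sysmon-style process creation records; the field
names and the allowlist are assumptions."""
from collections import defaultdict

# Children that WmiPrvSE.exe routinely spawns on healthy hosts (assumed; tune it).
BENIGN_CHILDREN = {"werfault.exe", "wmiadap.exe", "wmiapsrv.exe", "conhost.exe"}

WMI_HOST = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
CONSTRUCTED_EVENTS = [
    {"host": "ws01", "parent": WMI_HOST,
     "image": r"C:\Windows\System32\WerFault.exe", "cmdline": "WerFault.exe -u -p 4412"},
    {"host": "ws07", "parent": WMI_HOST,                      # hypothetical loader path
     "image": r"C:\ProgramData\svc_update.exe", "cmdline": "svc_update.exe -k"},
    {"host": "ws07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"host": "srv02", "parent": WMI_HOST,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\p.dll,Start"},
]

def basename(path):
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_wmi_children(events):
    """Return {host: [event, ...]} for processes spawned by WmiPrvSE.exe that are
    not on the benign allowlist. Each hit is a lead to triage, not proof of MATA:
    pull the child binary and check it for an encrypted next-stage payload."""
    hits = defaultdict(list)
    for ev in events:
        if basename(ev["parent"]) != "wmiprvse.exe":
            continue
        if basename(ev["image"]) in BENIGN_CHILDREN:
            continue
        hits[ev["host"]].append(ev)
    return dict(hits)

if __name__ == "__main__":
    for host, evs in suspicious_wmi_children(CONSTRUCTED_EVENTS).items():
        for ev in evs:
            print(f"[{host}] WmiPrvSE.exe -> {ev['image']} :: {ev['cmdline']}")
```

A hit on more than one host from the same remote WMI session is the lateral-movement pattern the report describes, so correlate hits with the WMI activity logs of the originating host.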
A Linux version of the MATA orchestrator was observed in late 2019, dubbed Dacls by Netlab. It was characterized as a remote access trojan (RAT), bundled together with a set of plugins. Researchers have linked Dacls to MATA, with the Linux MATA version including both a Windows and a Linux orchestrator, a Linux tool for listing folders, scripts for exploiting Atlassian Confluence Server (CVE-2019-3396) and a legitimate social tool.
The malware even includes a logsend plugin. This plugin implements a “scan” command that attempts to connect to TCP ports 8291 (used for administration of MikroTik RouterOS devices) and 8292 (“Bloomberg Professional” software) on random IP addresses, excluding addresses belonging to private networks.
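That scan behaviour is observable from network telemetry: one internal host opening TCP 8291 or 8292 toward many distinct non-private addresses. The following detector is an added example, not code from the report; the flow records are constructed (TEST-NET ranges stand in for random public IPs) and the threshold is an assumption.

```python
"""Detection for the logsend plugin's "scan" behaviour (added example, not from
the report). A single host touching TCP 8291/8292 on many distinct non-private
addresses is the observable. Flow records are constructed; the threshold is an
assumption to tune per environment."""
import ipaddress
from collections import defaultdict

SCAN_PORTS = {8291, 8292}          # MikroTik RouterOS admin, Bloomberg Professional
MIN_DISTINCT_PUBLIC_DSTS = 5       # assumed threshold

# "Private" as the plugin excludes it: RFC 1918 plus loopback and link-local.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]

# Constructed flow records: (source IP, destination IP, destination port)
CONSTRUCTED_FLOWS = [
    ("10.0.5.21", "10.0.0.1", 8291),        # admin managing an internal router: benign
    ("10.0.5.21", "10.0.0.2", 8291),
    ("10.0.7.44", "203.0.113.9", 8291),
    ("10.0.7.44", "198.51.100.23", 8292),
    ("10.0.7.44", "203.0.113.77", 8291),
    ("10.0.7.44", "198.51.100.5", 8292),
    ("10.0.7.44", "203.0.113.140", 8291),
    ("10.0.7.44", "203.0.113.140", 8291),   # retry to the same host counts once
    ("10.0.7.44", "198.51.100.200", 443),   # unrelated HTTPS traffic, ignored
]

def is_private(ip):
    """True when the address falls in a range the plugin is said to skip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def detect_scanners(flows, threshold=MIN_DISTINCT_PUBLIC_DSTS):
    """Return {source: sorted distinct public destinations} for sources that
    touched SCAN_PORTS on at least `threshold` distinct non-private IPs."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport in SCAN_PORTS and not is_private(dst):
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}

if __name__ == "__main__":
    for src, dsts in detect_scanners(CONSTRUCTED_FLOWS).items():
        print(f"{src}: {len(dsts)} distinct public hosts on 8291/8292 -> possible MATA scan")
```

Legitimate administration of MikroTik devices stays inside private ranges, which is why the rule counts only non-private destinations; an egress firewall that denies outbound 8291/8292 by default turns this from a detection into a block.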
The macOS version of the orchestrator, meanwhile, was discovered in April 2020, having been ported from the Linux version. It was found hiding in a trojanized macOS application based on an open-source two-factor authentication application named MinaOTP. Its plugin list is almost identical to the Linux version’s, except that it also contains a plugin named “plugin_socks,” responsible for configuring proxy servers.
Lazarus Group, also known as Hidden Cobra or APT 38, has been active since 2009. The earliest known attack for which the group is responsible is "Operation Troy", which took place from 2009 to 2012. This was a cyber-espionage campaign that used unsophisticated distributed denial-of-service (DDoS) techniques to target the South Korean government in Seoul. The group is also responsible for attacks in 2011 and 2013. It is possible that it was also behind a 2007 attack targeting South Korea, but according to analysts, that is still uncertain. The APT has been linked to the highly destructive WannaCry attack that caused millions of dollars of economic damage in 2017, the SWIFT banking attacks, and the high-profile attack against Sony Pictures Entertainment in 2014. It has even spawned a spinoff group whose entire mission is to steal money from banks to fund Lazarus’ cybercriminal operations.
It is not clear who is really behind the group, but media reports have suggested it has links to North Korea. Investigators reported in 2017 that Lazarus tended to concentrate on espionage and infiltration cyberattacks, whereas a sub-group within the organization, named Bluenoroff, specialized in financial cyberattacks. Analysts found multiple attacks worldwide and a direct link (an IP address) between Bluenoroff and North Korea. Other clues suggest that the reuse of code could be a “false flag” meant to mislead investigators and pin the attacks on North Korea, given that the worldwide WannaCry worm cyber-attack also copied techniques from the NSA. That ransomware leverages an NSA exploit known as EternalBlue, which a hacker group known as the Shadow Brokers made public in April 2017.
Lazarus is also constantly evolving, according to cyber threat experts. In December 2019, it was seen teaming up with the Trickbot operators, who run a powerful trojan that targets U.S. banks and others. In May 2020, it was seen adding macOS spyware to a two-factor authentication app, and earlier in July 2020 it added Magecart card-skimming code to its toolbag.
The MATA framework has been linked to the Lazarus APT group through two unique file names found in the orchestrators, c_2910.cls and k_3872.cls, which have previously been seen only in several variants of the Manuscrypt malware, a known Lazarus tool. Previous research by Netlab also established the connection between the Linux orchestrator/Dacls RAT and the APT.
MATA uses global configuration data including a randomly generated session ID, date-based version information, a sleep interval, and multiple C2 server addresses. Investigators have reported that one of the Manuscrypt variants (ab09f6a249ca88d1a036eee7a02cdd16) shares a similar configuration structure with the MATA framework. This old Manuscrypt variant is an active backdoor with similar configuration data: session ID, sleep interval, number of C2 addresses, infection date, and C2 addresses. The two are not identical, but they have a similar structure.
Conclusion
Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice; however, external threats are often overlooked and can provide an early warning of impending attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225 or feedback@wapacklabs.com.
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
SERIAL: WR-20-212-001
REPORT DATE: 07302020
COUNTRY: US