07-23-2020 , 10:49 PM
Quote:The North Korean APT has been using the framework, called MATA, for a number of purposes, from spying to financial gain.
The North Korea-linked APT known as Lazarus Group has debuted an advanced, multipurpose malware framework, called MATA, to target Windows, Linux and macOS operating systems.
Kaspersky researchers uncovered a series of attacks utilizing MATA (so-called because the malware authors themselves call their infrastructure MataNet), involving the infiltration of corporate entities around the world in a quest to steal customer databases and distribute ransomware. The framework consists of several components, such as a loader, an orchestrator (which manages and coordinates the processes once a device is infected) and plugins. And according to artifacts in the code, Lazarus has been using it since spring 2018.
“Malicious toolsets used to target multiple platforms are a rare breed, as they require significant investment from the developer,” explained Kaspersky analysts, in a report issued on Wednesday. “They are often deployed for long-term use, which results in increased profit for the actor through numerous attacks spread over time. In the cases discovered by Kaspersky, the MATA framework was able to target three platforms – Windows, Linux and macOS – indicating that the attackers planned to use it for multiple purposes.”
As far as victimology, known organizations hit by the MATA framework have been located in Germany, India, Japan, Korea, Turkey and Poland — indicating that the attacks cast a wide net. Moreover, those victims are in various sectors, and include a software development company, an e-commerce company and an internet service provider.
“From one victim, we identified one of their intentions,” according to Kaspersky. “After deploying MATA malware and its plugins, the actor attempted to find the victim’s databases and execute several database queries to acquire customer lists. We’re not sure if they completed the exfiltration of the customer database, but it’s certain that customer databases from victims are one of their interests. In addition, MATA was used to distribute VHD ransomware to one victim.”
Continue HERE