April 16, 2024


Multifaceted MATA Malware Framework Linked to North Korea


“Used to aggressively infiltrate corporate entities all around the world”

Russian security firm Kaspersky says it has discovered a new multi-platform malware framework featuring an array of loaders, orchestrators and plugins that is able to target Windows, Linux and macOS operating systems.

Dubbing it “MATA”, Kaspersky linked it (arguably somewhat tenuously) to the North Korean Lazarus APT. (MATA “uses two unique filenames, c_2910.cls and k_3872.cls” mentioned in the US-CERT publication on North Korean threat actors).

Worryingly, Kaspersky said the Linux version (“containing different MATA files together with a set of hacking tools”) was found on a legitimate distribution site.

Kaspersky did not name the site or the distro. (Computer Business Review has contacted the company for more details and will update when we get them).

The package included a Linux tool for listing folders, scripts for exploiting Atlassian Confluence Server (CVE-2019-3396), a legitimate socat tool and a Linux version of the MATA orchestrator bundled together with a set of plugins. (China-based security vendor Netlab has also published a detailed blog on this malware.)

The orchestrator malware loads encrypted configuration data from a registry key and decrypts it with the AES algorithm, Kaspersky said. It can then go on to load 15 plugins at the same time. There are a few ways to load them:

  • Download the plugin from the specified HTTP or HTTPS server
  • Load the AES-encrypted plugin file from a specified disk path
  • Download the plugin file from the current MataNet connection

“For covert communication, they employ TLS1.2 connections with the help of the “openssl-1.1.0f” open source library, which is statically linked inside this module”, Kaspersky’s researchers said. “Additionally, the traffic between MataNet nodes is encrypted with a random RC4 session key. MataNet implements both client and server mode. In server mode the certificate file “c_2910.cls” and the private key file “k_3872.cls” are loaded for TLS encryption.”

The first record of the framework being used goes as far back as April 2018, and since then it has been used to “aggressively infiltrate corporate entities all around the world”, including to steal customer lists and distribute ransomware.


Kacey Clark, threat researcher at cyber security firm Digital Shadows, told Computer Business Review: “To date, reporting suggests that MATA has actively been used to target victims in various sectors, such as e-commerce and technology, across Germany, India, Japan, Korea, Turkey, and Poland.”


[Image: Multi-Platform Malware Framework. Pic @ Kaspersky Labs]


“Researchers have suggested that the links to Lazarus are due to the discovery of two unique filenames in MATA that have only previously been seen in malware associated with Lazarus. The links between Lazarus and MATA are tentative at this stage.”

VHD Ransomware

Kaspersky said it also found evidence in some MATA attacks of a particularly nasty ransomware called VHD ransomware.

Not only does this encrypt all data on the PC with the strongest encryption method, it removes all shadow copies of files and system restore points, to prevent the user from recovering anything on their own, and changes the file extension to .vhd, which makes the files permanently inoperative.

Indicators of Compromise can be found here.
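As an added example (not code from Kaspersky or from the original article), the sketch below sweeps a directory tree for the two filenames quoted above, c_2910.cls and k_3872.cls, and rates a directory holding both higher, since that is the pairing MataNet is described as loading in server mode. The function names, the confidence labels and the sample tree are assumptions made for illustration; a filename match is a triage lead to correlate with other indicators.

```python
import os
import tempfile
from datetime import datetime, timezone

# The two filenames quoted in the article (MataNet server-mode TLS material).
MATA_TLS_FILES = {"c_2910.cls": "certificate", "k_3872.cls": "private key"}


def hunt_mata_tls_files(root):
    """Walk root and report directories holding either filename.

    A directory with both files matches the server-mode pairing described
    above and is rated "high"; a lone file is rated "medium".
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            role = MATA_TLS_FILES.get(name.lower())  # case-insensitive filesystems
            if role is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the sweep
            mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
            hits.setdefault(dirpath, []).append(
                {"role": role, "path": path, "size": st.st_size, "mtime_utc": mtime})
    return {
        d: {"confidence": "high" if len({f["role"] for f in found}) == 2 else "medium",
            "files": sorted(found, key=lambda f: f["role"])}
        for d, found in hits.items()
    }


def build_sample_tree(base):
    """Constructed test data: empty placeholder files, not real samples."""
    layout = {"srv": ["c_2910.cls", "K_3872.CLS", "notes.txt"],
              "tmp": ["c_2910.cls"],
              "clean": ["c_2910.cls.bak", "report.cls"]}
    for sub, names in layout.items():
        os.makedirs(os.path.join(base, sub))
        for name in names:
            open(os.path.join(base, sub, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        for directory, finding in hunt_mata_tls_files(base).items():
            print(finding["confidence"], directory, [f["role"] for f in finding["files"]])
```

The recorded size and modification time give a starting point for an incident timeline when a match is escalated.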