View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Kaspersky Identifies All-Singing, Multi-OS Malware Framework Dubbed “MATA”

"Used to aggressively infiltrate corporate entities around the world"

By claudia glover

Russian security firm Kaspersky says it has discovered a novel new multi-platform malware framework featuring a rich array of loaders, orchestrators and plugins that is able to target Windows, Linux and macOS operating systems.

Dubbing it “MATA”, Kasperky linked it (arguably somewhat tenuously) to the North Korean Lazarus APT. (MATA “uses two unique filenames, c_2910.cls and k_3872.cls” mentioned in the US-CERT publication on North Korean threat actors).

Worryingly, Kaspersky said the Linux version (“containing different MATA files together with a set of hacking tools”) was found on a legitimate distribution site.

Kaspersky did not name the site or the distro. (Computer Business Review has contacted the company for more details and will update when we get them).

The package included a Linux tool for listing folders, scripts for exploiting Atlassian Confluence Server (CVE-2019-3396), a legitimate socat tool and a Linux version of the MATA orchestrator bundled together with a set of plugins. (China-based security vendor Netlab has also published a detailed blog on this malware.)

The orchestrator malware loads encrypted configuration data from a registry key and decrypts it with the AES algorithm, Kaspersky said. It can then go on to load 15 plugins at the same time. There are three ways to load them:

  • Download the plugin from the specified HTTP or HTTPS server
  • Load the AES-encrypted plugin file from a specified disk path
  • Download the plugin file from the current MataNet connection

“For covert communication, they employ TLS1.2 connections with the help of the “openssl-1.1.0f” open source library, which is statically linked inside this module”, Kaspersky’s researchers said. “Additionally, the traffic between MataNet nodes is encrypted with a random RC4 session key. MataNet implements both client and server mode. In server mode the certificate file “c_2910.cls” and the private key file “k_3872.cls” are loaded for TLS encryption.”

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

The first record of the framework being used goes as far back as April 2018 and since then it has been used to “aggressively to infiltrate corporate entities around the world”, including to steal customer lists and distribute ransomware.

Read This: Trojan Mobile Banking Malware Bot with ‘Enormous Scope’ Uncovered by Researchers

Kacey Clark, threat researcher at cyber security company Digital Shadows, told Computer Business Review: “To date, reporting suggests that MATA has actively been used to target victims in various sectors, such as e-commerce and technology, across Germany, India, Japan, Korea, Turkey, and Poland.”


Multi-Platform Malware Framework

Pic @ Kaspersky Labs


“Researchers have suggested that the links to Lazarus are due to the discovery of two unique filenames in MATA that have only previously been seen in malware associated with Lazarus. The links between Lazarus and MATA are tentative at this stage.”

VHD Ransomware

Kaspersky said it also found evidence in some MATA attacks of a particularly nasty ransomware called VHD ransomware.

Not only does this encrypt all data on the PC with the strongest encryption method, it removes all shadow copies of files and system restore points, to prevent the user from recovering anything on their own, and changes the file extension to .vhd, which makes the files permanently inoperative.

Indicators of Compromise can be found here


Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.