Russian security firm Kaspersky says it has discovered a novel multi-platform malware framework featuring a rich array of loaders, orchestrators and plugins that is able to target Windows, Linux and macOS operating systems.
Dubbing it “MATA”, Kaspersky linked it (arguably somewhat tenuously) to the North Korean Lazarus APT. (MATA “uses two unique filenames, c_2910.cls and k_3872.cls” mentioned in the US-CERT publication on North Korean threat actors.)
Worryingly, Kaspersky said the Linux version (“containing different MATA files together with a set of hacking tools”) was found on a legitimate distribution site.
Kaspersky did not name the site or the distro. (Computer Business Review has contacted the company for more details and will update when we get them).
The package included a Linux tool for listing folders, scripts for exploiting Atlassian Confluence Server (CVE-2019-3396, a server-side template injection in the Widget Connector macro), a legitimate copy of the socat relay tool and a Linux version of the MATA orchestrator bundled together with a set of plugins. (China-based security vendor Netlab has also published a detailed blog on this malware.)
The orchestrator malware loads its encrypted configuration data from a registry key (on Windows) and decrypts it with the AES algorithm, Kaspersky said. It can then load up to 15 plugins simultaneously. There are three ways to load them:
- Download the plugin from the specified HTTP or HTTPS server
- Load the AES-encrypted plugin file from a specified disk path
- Download the plugin file from the current MataNet connection
“For covert communication, they employ TLS1.2 connections with the help of the ‘openssl-1.1.0f’ open source library, which is statically linked inside this module”, Kaspersky’s researchers said. “Additionally, the traffic between MataNet nodes is encrypted with a random RC4 session key. MataNet implements both client and server mode. In server mode the certificate file ‘c_2910.cls’ and the private key file ‘k_3872.cls’ are loaded for TLS encryption.”
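The two filenames and the statically linked OpenSSL build are the most concrete artifacts this article gives a defender to hunt for. The script below is an added example, not Kaspersky's tooling or anything shipped with the report: it walks a directory tree and flags files that are named c_2910.cls or k_3872.cls, that embed either name as a string (as an orchestrator that opens them would), or that carry an “OpenSSL 1.1.0f” version banner. The banner check rests on an assumption not stated in the article, namely that the static OpenSSL build keeps its version string; the sample files in `demo()` are constructed for the example and are not real MATA samples.

```python
"""
Hunt for the MATA artifacts the article names (the TLS certificate file
c_2910.cls and the private-key file k_3872.cls) and for the version banner
of the statically linked OpenSSL 1.1.0f build a MataNet module would carry.

Added example, not Kaspersky's tooling. Assumptions not taken from the
article: that a static OpenSSL build keeps its "OpenSSL 1.1.0f" version
string, and that the orchestrator references the .cls files by name.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional

MATA_CERT_FILE = b"c_2910.cls"
MATA_KEY_FILE = b"k_3872.cls"
# Assumption: the static OpenSSL build keeps its version banner in the binary.
OPENSSL_BANNER = re.compile(rb"OpenSSL 1\.1\.0f")


def scan_bytes(path: str, data: bytes) -> Optional[Dict[str, object]]:
    """Return a hit for one file, or None if nothing MATA-related is found."""
    reasons: List[str] = []
    if os.path.basename(path).encode() in (MATA_CERT_FILE, MATA_KEY_FILE):
        reasons.append("filename matches MATA TLS material")
    if MATA_CERT_FILE in data:
        reasons.append("embeds the string c_2910.cls")
    if MATA_KEY_FILE in data:
        reasons.append("embeds the string k_3872.cls")
    if OPENSSL_BANNER.search(data):
        reasons.append("carries an OpenSSL 1.1.0f version banner")
    if not reasons:
        return None
    # The OpenSSL banner alone is weak evidence: plenty of legitimate software
    # links that version statically. Two or more independent signals rate "high".
    confidence = "high" if len(reasons) >= 2 else "low"
    return {"path": path, "reasons": reasons, "confidence": confidence}


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk a directory tree and collect hits; unreadable files are skipped."""
    hits: List[Dict[str, object]] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            hit = scan_bytes(path, data)
            if hit:
                hits.append(hit)
    return hits


def demo() -> Dict[str, str]:
    """Scan a constructed sample tree (fake files, not real MATA samples)."""
    root = tempfile.mkdtemp(prefix="mata-hunt-")
    samples = {
        # A certificate file with the MATA name but ordinary PEM contents.
        "c_2910.cls": b"-----BEGIN CERTIFICATE-----\n",
        # A fake orchestrator: ELF header, OpenSSL banner and both file names.
        "orch.bin": b"\x7fELF" + b"\x00" * 12
        + b"OpenSSL 1.1.0f\x00c_2910.cls\x00k_3872.cls\x00",
        # A benign library that merely links the same OpenSSL version.
        "libfoo.so": b"\x7fELF" + b"\x00" * 12 + b"OpenSSL 1.1.0f\x00",
        "notes.txt": b"nothing to see here\n",
    }
    for name, blob in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(blob)
    return {os.path.basename(str(h["path"])): str(h["confidence"])
            for h in scan_tree(root)}


if __name__ == "__main__":
    for name, conf in sorted(demo().items()):
        print(f"{conf:5} {name}")
```

Point `scan_tree()` at a mounted disk image or a suspect distribution mirror rather than the demo tree to use it for real; treat “low” hits as a prompt to look closer, not as a verdict, since the version banner on its own will light up unrelated software.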
The first record of the framework being used goes as far back as April 2018, and since then it has been used “aggressively to infiltrate corporate entities around the world”, including to steal customer lists and distribute ransomware.
Kacey Clark, threat researcher at cyber security company Digital Shadows, told Computer Business Review: “To date, reporting suggests that MATA has actively been used to target victims in various sectors, such as e-commerce and technology, across Germany, India, Japan, Korea, Turkey, and Poland.”
“Researchers have suggested that the links to Lazarus are due to the discovery of two unique filenames in MATA that have only previously been seen in malware associated with Lazarus. The links between Lazarus and MATA are tentative at this stage.”
VHD Ransomware
Kaspersky said it also found evidence in some MATA attacks of a particularly destructive ransomware strain it calls VHD.
Not only does it encrypt the victim’s files with strong encryption, it also deletes all volume shadow copies and system restore points so the user cannot recover anything on their own, and appends a .vhd extension to each encrypted file. The files are unusable because of the encryption, not because of the renamed extension: without the attacker’s key they cannot be restored.
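Deleting shadow copies and restore points before encryption is the behaviour a defender can catch early, because it happens before the damage is done. The detector below is an added example, not part of Kaspersky's report and not a claim about which commands VHD itself runs: it parses constructed Sysmon-style process-creation events (made up for this example) and alerts on the usual Windows ways of destroying recovery data, while ignoring harmless use of the same tools such as `vssadmin list shadows`. A host that trips two or more distinct rules in the same log is escalated as likely ransomware staging.

```python
"""
Detect shadow-copy and restore-point destruction in process-creation logs.

Added example, not Kaspersky's code. The log lines are constructed for the
example; the rules cover common Windows recovery-tampering commands and do
not assert that VHD uses exactly these.
"""
import re
from typing import Dict, List

# Constructed Sysmon-style events (one process creation per line, key=value).
SAMPLE_LOG = r"""
2020-07-22T10:14:03Z host=WS-042 EventID=1 Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin delete shadows /all /quiet" ParentImage="C:\Users\Public\update.exe"
2020-07-22T10:14:04Z host=WS-042 EventID=1 Image="C:\Windows\System32\wbem\WMIC.exe" CommandLine="wmic shadowcopy delete" ParentImage="C:\Users\Public\update.exe"
2020-07-22T10:14:05Z host=WS-042 EventID=1 Image="C:\Windows\System32\bcdedit.exe" CommandLine="bcdedit /set {default} recoveryenabled no" ParentImage="C:\Users\Public\update.exe"
2020-07-22T10:20:11Z host=WS-017 EventID=1 Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin list shadows" ParentImage="C:\Windows\System32\cmd.exe"
2020-07-22T10:21:40Z host=WS-017 EventID=1 Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe C:\Users\bob\notes.txt" ParentImage="C:\Windows\explorer.exe"
""".strip().splitlines()

# Rule name -> command-line pattern. Listing shadows is deliberately not matched.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize_storage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("powershell_win32_shadowcopy", re.compile(r"Win32_ShadowCopy", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Turn 'key=value key="quoted value"' into a dict; the timestamp is ignored."""
    event: Dict[str, str] = {}
    for m in KV.finditer(line):
        key, quoted, bare = m.groups()
        event[key] = quoted if quoted is not None else bare
    return event


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """One alert per (event, rule) match on the command line."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append({
                    "host": ev.get("host", "?"),
                    "rule": name,
                    "command": cmd,
                    "parent": ev.get("ParentImage", ""),
                })
    return alerts


def hosts_with_recovery_tampering(alerts: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """Hosts that tripped at least `threshold` distinct rules: likely ransomware staging."""
    by_host: Dict[str, set] = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, rules in by_host.items() if len(rules) >= threshold)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f'{a["host"]}: {a["rule"]} <- {a["command"]} (parent {a["parent"]})')
    print("escalate:", hosts_with_recovery_tampering(found))
```

The parent image is kept in each alert on purpose: an administrator's `vssadmin delete shadows` spawned from `cmd.exe` during maintenance looks different from the same command spawned by an unsigned binary in a user-writable directory, and that is usually the first thing a responder wants to see.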
Indicators of Compromise are listed in Kaspersky’s report on the framework.