Researchers have uncovered a new intrusion and malware framework used by the prolific Lazarus APT group to compromise companies in several countries in Europe and Asia recently.
The framework has been in use since at least 2018 and includes modules that allow the operators to target Windows, macOS, and Linux machines. That kind of cross-platform flexibility is relatively rare, as many advanced malware frameworks of this kind focus on Windows alone. But the Lazarus group, which is associated with the North Korean government, is known for its innovation and broad targeting, and much of its attack activity is financially motivated, so the ability to target multiple platforms is a key advantage.
The framework is known as MATA and researchers at Kaspersky discovered that it comprises an initial loader, an orchestrator, and a number of separate plugins that the orchestrator loads and runs on compromised machines. MATA was discovered on the networks of organizations in several industries, including software, ecommerce, and an ISP, in countries including Poland, Germany, and Japan. Kaspersky’s researchers identified two file names in the MATA framework that have been seen in other malware known as Manuscrypt used by North Korean attackers in the past. There are other similarities, as well, including configuration details.
“Moreover, MATA uses global configuration data including a randomly generated session ID, date-based version information, a sleep interval and multiple C2s and C2 server addresses. We’ve seen that one of the Manuscrypt variants (ab09f6a249ca88d1a036eee7a02cdd16) shares a similar configuration structure with the MATA framework. This old Manuscrypt variant is an active backdoor that has similar configuration data such as session ID, sleep interval, number of C2 addresses, infected date, and C2 addresses. They are not identical, but they have a similar structure,” the Kaspersky analysis says.
The Windows, macOS, and Linux versions of the framework have different capabilities, and the Windows version seems to be the most extensively developed. There are many different plugins with unique capabilities, and the orchestrator can load up to 15 of them at a time. The MATA plugins can create a proxy server, manipulate files on the local machine, inject DLLs into a target process, or create server connections and then forward the traffic. The Linux tool appears to target network devices such as firewalls and routers, and its orchestrator and plugins are similar to those of the Windows version. One of the plugins is designed to send logs of specific network scans back to the C2 servers used by the MATA attackers.
“This plugin implements an interesting new feature, a “scan” command that tries to establish a TCP connection on ports 8291 (used for administration of MikroTik RouterOS devices) and 8292 (“Bloomberg Professional” software) and random IP addresses excluding addresses belonging to private networks. Any successful connection is logged and sent to the C2. These logs might be used by attackers for target selection,” the Kaspersky analysis says.
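As an added defender-side illustration (not code from the Kaspersky analysis or from the article), the check below looks for the scan pattern the quote describes: a single host opening connections to ports 8291 and 8292 on many unrelated non-private addresses. The log format, host names and destination IPs (drawn from the RFC 5737 documentation ranges) are constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample connection log, one flow per line:
# "<timestamp> <host> -> <dst_ip>:<dst_port> <state>"
SAMPLE_FLOWS = [
    # normal administration of an internal RouterOS device: private destination
    "2020-07-20T10:00:01 ws-12 -> 10.0.0.1:8291 SYN_SENT",
    "2020-07-20T10:00:02 ws-12 -> 10.0.0.1:8291 ESTABLISHED",
    # ws-07 probing scattered public addresses on both ports the plugin scans
    "2020-07-20T10:01:03 ws-07 -> 203.0.113.17:8291 SYN_SENT",
    "2020-07-20T10:01:03 ws-07 -> 198.51.100.44:8292 SYN_SENT",
    "2020-07-20T10:01:04 ws-07 -> 192.0.2.201:8291 SYN_SENT",
    "2020-07-20T10:01:05 ws-07 -> 203.0.113.9:8291 ESTABLISHED",
    # unrelated HTTPS traffic, ignored because the port is not of interest
    "2020-07-20T10:02:00 ws-12 -> 198.51.100.10:443 ESTABLISHED",
]

SCAN_PORTS = {8291, 8292}          # ports named in the Kaspersky description

# Private ranges the scan excludes (RFC 1918) plus loopback, checked explicitly
# so the result does not depend on the library's view of documentation ranges.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")


def is_private(ip: str) -> bool:
    """True if the address falls in an RFC 1918 or loopback range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_flow(line: str):
    """Return (host, dst_ip, dst_port) for a well-formed line, else None."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    _ts, host, dst_ip, port, _state = m.groups()
    return host, dst_ip, int(port)


def find_scanners(lines, min_distinct_targets: int = 3) -> dict:
    """Map each host that contacted >= min_distinct_targets distinct
    non-private addresses on the scan ports to its sorted target list."""
    targets = defaultdict(set)
    for line in lines:
        parsed = parse_flow(line)
        if parsed is None:
            continue
        host, dst_ip, dst_port = parsed
        if dst_port in SCAN_PORTS and not is_private(dst_ip):
            targets[host].add(dst_ip)
    return {h: sorted(ips) for h, ips in targets.items()
            if len(ips) >= min_distinct_targets}
```

Any host that is reported here should be checked against its expected role; an administrator's workstation reaching a handful of known routers is normal, while connection attempts spread across many unrelated public addresses are not.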
The macOS version of MATA was discovered in a trojanized version of a two-factor authentication app called Tinka OTP. Malware researchers discovered that tool, known as Dacls, several months ago and concluded that it was related to the Lazarus group, as well.
“At this point, we can readily conclude that the specimen we’re analyzing is clearly a macOS variant of the Dacls implant. Preliminary analysis and similarity to the Linux variant indicates this affords remote attackers the ability to fully control an infected system,” an analysis by macOS malware researcher Patrick Wardle says.
The Department of Homeland Security and FBI track the cyber activity of North Korean attackers closely and have several times recently published detailed reports about the malware variants those attackers use.