An updated version of the MATA backdoor framework was spotted in attacks between August 2022 and May 2023 targeting oil and gas firms and the defense industry in Eastern Europe. The attacks employed spear-phishing emails to trick targets into downloading malicious executables that exploit CVE-2021-26411 in Internet Explorer to start the infection chain.

The updated MATA framework combines a loader, a main trojan, and an infostealer to backdoor targeted networks and gain persistence in them. The MATA version used in these attacks is similar to previous versions linked to the North Korean Lazarus hacking group, but with updated capabilities. Notably, the malware spread across all reachable parts of the corporate network by breaching security compliance solutions and exploiting their flaws.

Kaspersky discovered the activity in September 2022 after examining two MATA samples communicating with command and control servers inside breached organizations' networks. The hackers abused their access to the security software's admin panel to perform surveillance on the organization's infrastructure and to disseminate malware to its subsidiaries. Where the targets were Linux servers, the attackers deployed a Linux variant of MATA in the form of an ELF file, which appears to be similar in functionality to the third generation of the Windows implant.

Kaspersky says it sampled three new versions of the MATA malware: one evolved from the second generation seen in past attacks, a second dubbed 'MataDoor,' and a third that was written from scratch. The latest version of MATA comes in DLL form and features extensive remote control capabilities, supports multi-protocol connections to the control servers, and supports proxy server chains.

The 23 commands supported by the fifth-generation MATA include actions to set up connectivity, manage the implant, and retrieve information. For example, command 0x007 returns detailed system and malware information, encryption keys, plugin paths, etc. Additional plugins loaded onto the malware allow it to launch another 75 commands related to information gathering, process management, file management, network reconnaissance, proxy functionality, and remote shell execution.

Although Kaspersky previously associated MATA with the North Korean state-backed hacking group Lazarus, the firm cannot attribute the recently observed activity to Lazarus with high confidence. While there are still apparent links to Lazarus activity, the newer MATA variants and techniques such as TTLV serialization, multilayered protocols, and handshake mechanisms more closely resemble those of 'Five Eyes' APT groups like Purple, Magenta, and Green Lambert.

The deployment of multiple malware frameworks and MATA framework versions in a single attack is very uncommon, indicating a particularly well-resourced threat actor. For more technical information on MATA malware and the techniques used in the latest attacks, check out Kaspersky's full report here.
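The report above singles out TTLV (tag-type-length-value) serialization as one of the traits that sets the newer MATA variants apart. The following is an added illustration, not code from the page, from Kaspersky, or from the malware: a generic TTLV encoder and a defensive decoder that an analyst might use to pull fields out of a captured frame. The header layout (2-byte tag, 1-byte type, 4-byte length, big-endian), the type codes, the tag numbers, and the sample frame contents are all assumptions chosen for the example; they are not MATA's real wire format.

```python
"""
Generic Tag-Type-Length-Value (TTLV) encoder/decoder (illustrative only).

Not a reconstruction of the MATA protocol: the header layout, type codes and
tag numbers below are assumptions chosen for this example. It shows the two
properties an analyst cares about when a malware family moves to TTLV framing:
every field is self-describing (tag + type + length), and a decoder must check
each declared length against the bytes actually remaining before trusting it.
"""
import struct
from typing import Any, List, Tuple

# Assumed type codes for this example (not MATA's real values).
T_INT32 = 0x01    # signed 32-bit integer, big-endian
T_STRING = 0x02   # UTF-8 string
T_BYTES = 0x03    # opaque bytes (e.g. a key blob)
T_STRUCT = 0x04   # nested sequence of TTLV items

# Assumed header: 2-byte tag, 1-byte type, 4-byte length, big-endian.
HEADER = struct.Struct(">HBI")

Item = Tuple[int, int, Any]  # (tag, type, value)


def encode(tag: int, typ: int, value: Any) -> bytes:
    """Serialize one item; T_STRUCT values are lists of (tag, type, value)."""
    if typ == T_INT32:
        payload = struct.pack(">i", value)
    elif typ == T_STRING:
        payload = value.encode("utf-8")
    elif typ == T_BYTES:
        payload = bytes(value)
    elif typ == T_STRUCT:
        payload = b"".join(encode(t, ty, v) for t, ty, v in value)
    else:
        raise ValueError(f"unknown type 0x{typ:02x}")
    return HEADER.pack(tag, typ, len(payload)) + payload


def decode(buf: bytes, max_depth: int = 8) -> List[Item]:
    """Parse a TTLV buffer into a list of (tag, type, value) items.

    Every declared length is checked against the remaining buffer and nesting
    depth is capped, so a truncated or hostile frame raises ValueError instead
    of over-reading or recursing without bound.
    """
    if max_depth < 0:
        raise ValueError("nesting too deep")
    items: List[Item] = []
    off = 0
    while off < len(buf):
        if len(buf) - off < HEADER.size:
            raise ValueError(f"truncated header at offset {off}")
        tag, typ, length = HEADER.unpack_from(buf, off)
        off += HEADER.size
        if length > len(buf) - off:
            raise ValueError(f"tag 0x{tag:04x} declares {length} bytes, "
                             f"only {len(buf) - off} remain")
        payload = buf[off:off + length]
        off += length
        if typ == T_INT32:
            if length != 4:
                raise ValueError("INT32 item with bad length")
            value: Any = struct.unpack(">i", payload)[0]
        elif typ == T_STRING:
            value = payload.decode("utf-8", errors="replace")
        elif typ == T_BYTES:
            value = payload
        elif typ == T_STRUCT:
            value = decode(payload, max_depth - 1)
        else:
            raise ValueError(f"unknown type 0x{typ:02x}")
        items.append((tag, typ, value))
    return items


# Assumed tag numbers for the constructed sample frame.
TAG_COMMAND = 0x0001
TAG_HOSTNAME = 0x0002
TAG_KEY = 0x0003
TAG_PLUGINS = 0x0004
TAG_PATH = 0x0005


def build_sample_frame() -> bytes:
    """Constructed 'system info' style reply: a command id, a hostname, a key
    blob and a nested list of plugin paths. Every value here is made up."""
    return (
        encode(TAG_COMMAND, T_INT32, 7)
        + encode(TAG_HOSTNAME, T_STRING, "WS-LAB-01")
        + encode(TAG_KEY, T_BYTES, bytes(range(16)))
        + encode(TAG_PLUGINS, T_STRUCT, [
            (TAG_PATH, T_STRING, r"C:\Windows\Temp\plug_a.dll"),
            (TAG_PATH, T_STRING, r"C:\Windows\Temp\plug_b.dll"),
        ])
    )


def is_truncation_rejected(frame: bytes) -> bool:
    """True if the decoder refuses a frame that was cut three bytes short."""
    try:
        decode(frame[:-3])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for tag, typ, value in decode(build_sample_frame()):
        print(f"tag=0x{tag:04x} type=0x{typ:02x} value={value!r}")
```

The design choice worth noting is that the decoder never trusts a declared length: a frame whose last item claims more bytes than remain is rejected rather than partially parsed, and a nesting cap prevents a deeply nested struct from exhausting the stack. Both checks matter when the input is a capture from an untrusted source.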
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000