MATA Malware ! All the way from North Korea

Security researchers discovered a multi-platform malware framework called “MATA” that had succeeded in targeting victims worldwide.

The Russian security firm explained in its analysis that the first artifacts pertaining to MATA emerged back in April 2018. Whoever’s behind the malware framework then used the threat to target enterprises in Poland, Germany, Turkey, Korea, Japan and India.

The targeted organizations operated in several different economic sectors. Among the victims were a software company, an e-commerce business and an Internet Service Provider (ISP).

In these campaigns, the actors responsible for MATA demonstrated that they held various intentions for attacking their victims. With one organization, for instance, the malicious actors used the framework to query the victim’s databases for the sake of acquiring customer lists. With another victim, they used their threat to distribute VHD ransomware.

Researchers came across three versions of MATA that targeted either Windows, Linux and macOS.

The Windows version consisted of several components including a loader malware and an orchestrator element. Using a hardcoded hex-string, the loader invoked an encrypted payload. This action paved the way for the orchestrator to load plugin files and execute them from memory. Those plugins gave attackers the ability to manipulate files, create an HTTP proxy server and perform other tasks.

The Linux version of MATA was available on a legitimate distribution site, while the macOS variant arrived as a trojanized two-factor authentication (2FA) application.

The security firm revealed that a variant of Manuscrypt, a malware family distributed by Lazarus, also shared a similar configuration structure with MATA.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s