The North Korean hacking group Lazarus has launched several high-profile attacks over the past few years to fulfill its financial motives. Recently, the group has been observed expanding its arsenal with TFlower ransomware in a double extortion campaign.

Diving into details

Sygnia researchers have reported the use of the MATA framework by the Lazarus Group to deliver TFlower ransomware in the campaign.

  • With a new and so far undocumented variant of MATA and TFlower, the recent Lazarus campaign has targeted a dozen victims for data exfiltration or extortion.
  • The MATA malware framework is the key technical component here, which works as an advanced cross-platform malware framework.
  • Additionally, during the attack, the group has leveraged multiple tools including the MATA backdoor to evade detection.
  • Lazarus has operated and maintained an extensive C2 infrastructure while targeting multiple platforms, such as Windows, Linux, and mac, during the attack.

Conclusion

The recent report indicating a connection or collaboration between the Lazarus Group and TFlower reflects the continued effort by North Korea to scale its cyber-extortion activities.

Researchers anticipate that the group is now possibly collaborating with additional crime entities, creating such entities, outsourcing its capabilities, or selling offensive tools to other groups to achieve its financial targets.