Reader Advisory

Some articles posted in The SlickMaster's Files may contain themes, languages, and content which may neither appropriate nor appealing to certain readers. READER DISCRETION is advised.

17 August 2020

Lazarus group strikes anew with OS targeting-malware MATA

08/08/2020 07:37:42 PM

Lazarus strikes again.

The well-recognized and prolific group from Korean has been distinguished as the main culprit of attacks that depicted an advanced malware framework, called MATA, to target Windows, Linux, and macOS operating systems.

This realization was made by the researchers of Kaspersky.



On its press release, the cybersecurity group discussed how the known APT threat group has been employing the multi-platform malware in a series of data espionage and ransomware attacks.

One of Kaspersky's recent reports states that:

Malicious toolsets used to target multiple platforms are a rare breed, as they require significant investment from the developer. They are often deployed for long-term use, which results in increased profit for the actor through numerous attacks spread over time.
In the cases discovered by cybersecurity firm, the MATA framework was able to target three platforms – Windows, Linux and macOS – indicating that the attackers planned to use it for multiple purposes. The framework consists of several components, such as a loader, an orchestrator (which manages and coordinates the processes once a device is infected) and plugins.

Kaspersky researchers said the first artifacts found relating to MATA were used in or around April 2018, and since then, the said cyber-attackers have taken an aggressive approach to infiltrate corporate entities around the world. It was utilized for a number of attacks aimed at stealing customer databases and distributing ransomware – software designed to block access to a computer system until a sum of money is paid.


The Kaspersky telemetry has detected multiple countries ars the actors' target for this malware frameworks. Specifically, the victims are based in  Poland, Germany, Turkey, Korea, Japan,
and India. Moreover, Lazarus compromised systems in various industries, including a software development company, an e-commerce company, and an internet service provider.

Kaspersky's press releases stated that its researchers were able to link MATA to the Lazarus group, known for its sophisticated operations and links to North Korea, and for cyberespionage and financially-motivated attacks. A number of researchers, including those at Kaspersky, previously reported on this group targeting banks and other large financial enterprises, including the ATMDtrack attack and AppleJeus campaigns. This latest series of attacks suggest that the actor is continuing this type of activity.

“This series of attacks indicates that Lazarus was willing to invest significant resources into developing this toolset and widening the reach of organizations targeted – particularly in hunting for both money and data. Furthermore, writing malware for Linux and macOS systems often indicates that the attacker feels that he has more than enough tools for the Windows platform, which the overwhelming majority of devices are run on. This approach is typically found among mature APT groups,” comments Seongsu Park, a senior security researcher.

“We expect the MATA framework to be developed even further and advise organizations to pay more attention to the security of their data, as it remains one of the keys and most valuable resources that could be affected,” he adds.

In order for anyone to avoid falling victim to this malware, Kaspersky suggests the following:

Install a dedicated cybersecurity product on all Windows, Linux, and macOS endpoints, such as Kaspersky Endpoint Security for Business. This will enable protection from existing and new cyberthreats and also provides a range of cybersecurity controls for each operating system
Provide your SOC team with access to the latest Threat Intelligence to help them stay up to date with any new and emerging tools, techniques and tactics used by threat actors
Always have fresh back-up copies of business data that are quickly accessible, so you can urgently recover data that may be lost or locked due to ransomware

Read more about the MATA framework on Securelist.com

Author: slickmaster | © 2020 The SlickMaster's Files

No comments:

Post a Comment

Feel free to make a comment as long as it is within the bounds of the issue, and as long as you do it with decency. Thanks!