Cyber spies operating in Eastern Europe are breeding variants of the MATA backdoor

Carding 4 Carders

Kaspersky Lab researchers report an updated version of the MATA backdoor, which was discovered during attacks between August 2022 and May 2023 targeting oil and gas companies and the defense industry in Eastern Europe.

During the campaign, targeted phishing emails were used to lure victims into downloading malicious executable files, which in turn started an infection chain that exploited CVE-2021-26411 in Internet Explorer.

The updated MATA platform combines a loader, a main Trojan, and an infostealer to provide backdoor access and persistence in the targeted networks. The version of MATA seen in these attacks resembled earlier versions attributed to the North Korean Lazarus group, but with new features.

The malicious activity came to the researchers' attention in September 2022, after they studied two MATA samples communicating with C2 inside the organization's compromised networks; the infected hosts were financial software servers connected to numerous subsidiaries of the target organization.

The investigation showed that the attackers steadily expanded their foothold from a single domain controller at a production plant to the entire corporate network.

As the attack progressed, the attackers gained access to the admin panels of two security solutions, one for endpoint protection and the other for compliance checking, and used them to monitor the organization's infrastructure and distribute malware to its subsidiaries.

Where Linux servers were targeted, the attackers used a Linux variant of MATA in the form of an ELF file, similar in functionality to the third generation of the Windows implant.

Kaspersky Lab studied three new versions of MATA: the first (v3) evolved from the second generation observed in previous attacks, the second (v4) was named MataDoor, and the third (v5) was written from scratch.

The latest version of MATA is delivered as a DLL and has advanced remote management capabilities, supports multi-protocol (TCP, SSL, PSSL, PDTLS) connections to its management servers, and supports proxies (SOCKS4, SOCKS5, HTTP+web, HTTP+NTLM) for server chaining.

The 23 commands of fifth-generation MATA cover connectivity configuration, implant management, and information retrieval; additional plugins provide 75 more commands for information collection, process and file management, network reconnaissance, proxy functions, and remote shell execution.

Other interesting findings include a new malware module that can use removable storage media to infect isolated systems, various infostealers that can capture credentials, cookies, screenshots, and clipboard contents, and EDR/security bypass tools.

Researchers report that the attackers bypassed EDR and security tools using a publicly available exploit for CVE-2021-40449, dubbed CallbackHell. If this method failed, they fell back to previously documented BYOVD techniques.

Although Kaspersky Lab has previously linked MATA to Lazarus, the researchers find it difficult to attribute the recently observed activity with a high degree of confidence.

New MATA variants and techniques, such as TTLV serialization, layered protocols, and handshake mechanisms, are more similar to those used in Purple, Magenta, and Green Lambert.

In addition, deploying multiple malware frameworks and several versions of the MATA framework in a single attack is very rare, which points to a well-resourced attacker.

Additional technical information is available in the full report (pdf).
 
Top