Kaspersky Lab finds cyberwarfare center

Carding 4 Carders

How did the attackers infiltrate dozens of organizations in Eastern Europe?

Kaspersky Lab researchers have discovered a large-scale malware campaign that was aimed at stealing confidential data from dozens of organizations in the defense industry and the oil and gas sector in Eastern Europe. The attackers used advanced espionage techniques and tools, including a module for penetrating isolated networks using USB drives and a Linux MATA backdoor.

The attack began in August 2022 by sending targeted phishing emails containing malicious Word documents. After that, the attackers studied the victim's corporate network, stole user authentication data, and were able to connect to the parent company's terminal server. In the parent organization, the attackers managed to repeat the success and get to the domain controller. By compromising the information systems that connect the parent company with its subsidiaries — the financial system server and the security solution control panel for checking information security requirements — the attackers gained access to the networks of several dozen subsidiaries.

To implement the attack, the attackers used three new generations of MATA malware, including a modified MATA of the second generation, as well as new versions named MataDoor and MATA of the fifth generation. Another notable component of this sophisticated attack is that the attackers also targeted servers running UNIX-like operating systems. The capture of the security solution control panel, combined with the use of the Linux version of the MATA malware, allowed attackers to gain access to almost all systems of the attacked enterprises, including those that were not part of the domain.

At the same time, in situations where it was not possible to establish direct communication with the target system, the attackers used the module to work with USB media. It allowed data exchange with isolated networks that can store potentially interesting information for intruders.

The attackers also demonstrated a high level of training and ability to bypass security solutions installed in the attacked environments. They used a variety of techniques to hide their activity, such as using rootkits, vulnerable drivers, disguising files as user applications, legitimate programs open to communication, multi-level file encryption, and network activity of malware.

The true beneficiary of the attack remains unknown. Despite the fact that most of the malicious Word documents contained the Korean font Malgun Gothic (맑은 고딕), indicating a possible connection with APT Lazarus, new versions of MATA revealed techniques that may indicate the intervention of other groups — from the Five Eyes alliance. However, these findings can be "false flags" to hide the true customer of the attack.