Carding 4 Carders
Internet Explorer is a new Trojan horse for Eastern Europe.
An updated version of the MATA framework was detected in attacks targeting companies in the oil and gas sector and the defense industry in Eastern Europe from August 2022 to May 2023. This was stated by Kaspersky Lab specialists in a new report.
Attackers used specialized phishing emails to trick victims into downloading malicious files that exploit the CVE-2021-26411 (CVSS: 7.5) vulnerability in Internet Explorer to initiate an infection chain.
The updated MATA framework combines a downloader, a master Trojan, and an infostealer to provide stealthy access and persistence in target networks. The new version of MATA is similar to previous versions associated with the North Korean group Lazarus, but has updated features. In particular, the malware spreads through the corporate network by compromising security tools and exploiting their weaknesses.
In September 2022, after analyzing two MATA samples communicating with Command and Control (C2) servers inside compromised corporate networks, Kaspersky Lab detected malicious activity. Further analysis revealed that the compromised systems were financial software servers connected to multiple subsidiaries of the target organization.
The study found that the attackers expanded their foothold from a single domain controller at a production facility to the entire corporate network. In addition, the attackers gained access to two administrative panels of security solutions and used them to monitor the organization's infrastructure and distribute malware.
Experts reported three new versions of the MATA malware with different capabilities. The newest version supports:
- extensive remote management capabilities that allow you to monitor infected systems from a distance, performing various operations without direct intervention;
- multiple protocols (TCP, SSL, PSSL and PDTLS), which makes MATA more flexible and resistant to blocking;
- proxy (SOCKS4, SOCKS5, HTTP+web, HTTP+NTLM), which allows you to bypass network filters and hide the true location of a cybercriminal.
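The proxy capability listed above means an implant can act as a SOCKS4/SOCKS5 or HTTP CONNECT relay inside the network, so one practical detection is to classify the first client payload of a TCP flow and alert when a proxy handshake appears on a host or port that should never be proxying. The following is an added example of that check, written for this post and not taken from Kaspersky's report or from the MATA framework itself; the flow records and payloads are constructed test data, and the function names are my own.

```python
"""Classify the first bytes of a TCP client payload as a SOCKS4, SOCKS5 or
HTTP CONNECT proxy handshake, then flag flows on which such a handshake was
seen. Added defender-side example (not code from the report or the malware);
all payloads below are constructed, not captured traffic."""
import socket
import struct
from typing import List, Optional, Tuple


def classify_proxy_handshake(payload: bytes) -> Optional[str]:
    """Return 'socks5', 'socks4', 'http-connect' or None for the first
    segment a client sends on a connection."""
    if not payload:
        return None
    version = payload[0]

    # SOCKS5 greeting (RFC 1928): VER=0x05, NMETHODS, METHODS[NMETHODS].
    # Strict length check: only matches a greeting sent as its own segment.
    if version == 5 and len(payload) >= 2:
        nmethods = payload[1]
        if nmethods >= 1 and len(payload) == 2 + nmethods:
            return "socks5"

    # SOCKS4 request: VN=0x04, CD=1 (connect) or 2 (bind), DSTPORT(2),
    # DSTIP(4), USERID terminated by a NUL byte (SOCKS4a appends a hostname
    # after the NUL, still ending in NUL, so this also covers it).
    if (version == 4 and len(payload) >= 9
            and payload[1] in (1, 2) and payload[-1] == 0):
        return "socks4"

    # HTTP CONNECT tunnel request line, e.g. "CONNECT host:443 HTTP/1.1".
    if payload.startswith(b"CONNECT ") and b" HTTP/1." in payload[:64]:
        return "http-connect"
    return None


def socks4_destination(payload: bytes) -> Tuple[str, int, str]:
    """Decode the destination IP, port and user id of a SOCKS4 request so an
    analyst can see where the relayed connection was headed."""
    _cd, port = struct.unpack(">BH", payload[1:4])
    ip = socket.inet_ntoa(payload[4:8])
    userid = payload[8:payload.index(b"\x00", 8)].decode("ascii", "replace")
    return ip, port, userid


# A flow record is (src_ip, dst_ip, dst_port, first_client_payload).
Flow = Tuple[str, str, int, bytes]


def find_proxy_handshakes(flows: List[Flow]) -> List[Tuple[str, str, int, str]]:
    """Return (src, dst, dport, kind) for every flow whose first client
    payload looks like a proxy handshake. A host that is not a sanctioned
    proxy but receives these is worth a look."""
    hits = []
    for src, dst, dport, payload in flows:
        kind = classify_proxy_handshake(payload)
        if kind is not None:
            hits.append((src, dst, dport, kind))
    return hits


# Constructed sample flows (hypothetical RFC 1918 addresses, not real IoCs).
SOCKS5_GREETING = b"\x05\x02\x00\x02"              # no-auth and user/pass offered
SOCKS4_REQUEST = (b"\x04\x01" + struct.pack(">H", 443)
                  + socket.inet_aton("10.0.0.5") + b"svc\x00")
HTTP_CONNECT = b"CONNECT fileserver.internal:445 HTTP/1.1\r\nHost: fileserver.internal\r\n\r\n"
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"  # benign, ignored
PLAIN_GET = b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"         # benign, ignored

SAMPLE_FLOWS: List[Flow] = [
    ("10.10.1.20", "10.10.1.7", 8080, SOCKS5_GREETING),
    ("10.10.1.20", "10.10.1.7", 8080, SOCKS4_REQUEST),
    ("10.10.2.9", "10.10.1.7", 3128, HTTP_CONNECT),
    ("10.10.2.9", "10.10.1.50", 443, TLS_CLIENT_HELLO),
    ("10.10.2.9", "10.10.1.50", 80, PLAIN_GET),
]

if __name__ == "__main__":
    for src, dst, dport, kind in find_proxy_handshakes(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport} {kind}")
    print(socks4_destination(SOCKS4_REQUEST))
```

The classifier deliberately looks only at the first client segment and uses strict framing checks, which keeps false positives low at the cost of missing a greeting that arrives coalesced with the following request; in a real deployment the flow records would come from a packet broker or NetFlow-with-payload export rather than the constructed list used here.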
Moreover, additional plugins loaded by the malware add 75 more commands covering information collection, process management, file management, network reconnaissance, proxy functionality, and remote command execution.
Other notable findings include a new malware module that can use removable storage media such as USB drives to infect isolated systems, as well as various data theft tools that can capture credentials, cookies, screenshots, and clipboard contents.
It is worth noting that Kaspersky Lab previously linked MATA to the Lazarus group, but its experts are now less certain of MATA's connection with this group.