Between August 2022 and May 2023, an updated version of the MATA backdoor framework was identified in attacks on oil and gas companies, as well as defense firms in Eastern Europe. The attackers used spear-phishing emails to trick victims into downloading harmful executables that exploit a vulnerability in Internet Explorer (CVE-2021-26411) to start the infection process.
The revised MATA framework combines a loader, a main trojan, and an infostealer to establish a backdoor and maintain persistence in the targeted networks. This version of MATA has similarities to previous versions attributed to the North Korean Lazarus hacking group, but with enhanced capabilities. The malware spreads throughout the corporate network by compromising security and compliance solutions and exploiting their weaknesses.
The malicious activity was first noticed in September 2022 after two MATA samples were found communicating with command and control (C2) servers from within compromised organization networks. Subsequent analysis revealed that the compromised systems were financial software servers linked to several subsidiaries of the targeted organization. The hackers had extended their control from a single domain controller in a production plant to the entire corporate network.
The attack progressed with the hackers gaining access to two security solution admin panels, one for endpoint protection and one for compliance checks. The attackers used the access to the security software admin panel to monitor the organization's infrastructure and distribute malware to its subsidiaries. In cases where the targets were Linux servers, the attackers deployed a Linux variant of MATA.
Kaspersky identified three new versions of the MATA malware. The latest version comes in DLL form and features extensive remote control capabilities, supports connections to the control servers via multiple protocols, and supports proxy server chains. It supports 23 commands for setting up connectivity, managing the implant, and retrieving information. Additional plugins loaded onto the malware enable it to execute another 75 commands related to information gathering, process management, file management, network reconnaissance, proxy functionality, and remote shell execution.
The attackers also used a new malware module that can exploit removable storage media such as USB drives to infect air-gapped systems. They used various stealers to capture credentials, cookies, screenshots, and clipboard contents, and bypassed EDR and other security tools using a publicly available exploit for CVE-2021-40449, known as 'CallbackHell.' If this bypass method failed, they resorted to Bring Your Own Vulnerable Driver (BYOVD) techniques.
While MATA has been previously associated with the Lazarus group, Kaspersky has had difficulty attributing the recent activity with high confidence. The newer MATA variants and techniques show similarities to those of 'Five Eyes' APT groups such as Purple Lambert, Magenta Lambert, and Green Lambert. The use of multiple malware frameworks and MATA versions in a single attack is rare, suggesting a highly resourced threat actor.