Lazarus Group is back with a new multi-platform malware framework, MATA

Hello, guys! How’s everybody doing? 

Today’s blog is all about North Korean hackers and what they’re up to lately. As usual and just like all hackers, they’re up to no good. Recently, Lazarus Group - an APT group that is associated with the North Korean regime - has released a new multi-platform malware framework, which they’ve been actively using.  The goal of this framework is to gatecrash corporate entities worldwide, carry out data theft customer databases, and disseminate ransomware. 

What’s the framework all about?

This framework is called the MATA malware framework. It’s called so because the authors have referred to the infrastructure as “MataNet”. It targets Windows, Linux, and macOS operating systems and has an impressive spectrum of features to perform malicious activities on infected victim machines. 

Cybersecurity firm Kaspersky says the MATA campaign began as early as April 2018. Their analysis report states that some of the victims are unnamed companies from software development, e-commerce, and internet service provider (ISP) sectors located in different parts of the world - Poland, India, Germany, Korea, Turkey, and Japan.


Figure 1: Victims of MATA framework

Kaspersky has produced a thorough report in analyzing the MATA framework. Their analysis includes former evidence collected by researchers from Netlab 360, Jamf, and Malwarebytes over the past 8 months.

December 2017

  • Netlab 360 disclosed a fully functional remote administration Trojan (RAT) called Dacls. This RAT targets both Windows and Linux platforms that share key infrastructure with that operated by the Lazarus Group.

May 2020

  • Jamf and Malwarebytes uncovered a macOS variant of Dacls RAT that was distributed via a trojanized two-factor authentication (2FA) application, MinaOTP.


What’s the latest development?


Figure 2: How the loader in the MATA framework works

There’s a loader in the Windows version of MATA whose function is to load an encrypted next-stage payload. This next-stage payload is an orchestrator module named “lsass.exe” that is capable of loading 15 additional plugins simultaneously and executing them in the memory. 

The features of these plugins include allowing the malware to manipulate files and system processes, injecting DLLs, and creating an HTTP proxy server. Besides that, these MATA plugins will also enable hackers to aim Linux-based diskless network devices such as routers, firewalls or IoT devices, and macOS systems by masquerading as a 2FA application called TinkaOTP - which is based on an open-source two-factor authentication application named MinaOTP.

Kaspersky’s researchers note that hackers tried locating compromised corporate entity’s databases and executing a number of database queries - upon plugin deployment - to get a hold of customer details. However, it’s not clear if the hackers were successful in their efforts. The cybersecurity firm also discovered MATA’s involvement in the distribution of VHD ransomware to an unnamed victim. 

A unique file name format ("c_2910.cls" and "k_3872.cls”) found in the orchestrator is the link that ties MATA to the notorious Lazarus Group. Apparently, this file format has formerly been observed in a number of variants of the Manuscrypt malware. 

Lazarus Group

Otherwise known as Hidden Cobra or APT38, this state-sponsored threat actor is associated with several extensive cyber crimes. These cyber crimes include the Sony Pictures hack in 2014, the SWIFT banking hack in 2016, and the WannaCry ransomware infection in 2017.

Web skimming is the most recent addition to Lazarus Group’s cyber crime profile in which they target U.S. and European e-commerce websites to plant JavaScript-based payment skimmers.


Web skimming is a common class of attacks generally aimed at online shoppers where malicious code is injected into the compromised site, which collects and sends user-entered data to a cyber criminal resource. If the attack is successful, the cyber criminals gain access to shoppers’ payment information.

Most recently, the APT added web skimming to their repertoire, targeting the U.S. and European e-commerce websites to plant JavaScript-based payment skimmers.

In September 2019, the U.S. Treasury sanctioned 3 North Korean APT groups - Lazarus Group, Bluenoroff, Andariel - for carrying out financially motivated attacks. 


That’s it for the blog today, y’all! I hope my non-technical readers found the additional notes I made for them useful. Feel free to drop comments and share this blog if you found it useful.

Stay safe and stay tuned. 

Until next time, friends!

Credits: The Hacker News

Add comment