An up-to-date variation of a advanced backdoor framework known as MATA has been applied in attacks aimed at around a dozen Jap European organizations in the oil and fuel sector and defense industry as section of a cyber espionage operation that took put in between August 2022 and May perhaps 2023.
“The actors driving the attack applied spear-phishing mails to target many victims, some had been contaminated with Windows executable malware by downloading information via an internet browser,” Kaspersky explained in a new exhaustive report posted this 7 days.
“Every single phishing doc is made up of an external connection to fetch a remote website page made up of a CVE-2021-26411 exploit.”
CVE-2021-26411 (CVSS score: 8.8) refers to a memory corruption vulnerability in Internet Explorer that could be activated to execute arbitrary code by tricking a sufferer into traveling to a specifically crafted web-site. It was previously exploited by the Lazarus Group in early 2021 to concentrate on security researchers.
The cross-platform MATA framework was initial documented by the Russian cybersecurity firm in July 2020, linking it to the prolific North Korean state-sponsored crew in attacks targeting a variety of sectors in Poland, Germany, Turkey, Korea, Japan, and India considering that April 2018.
The use of a revamped variation of MATA to strike defense contractors was previously disclosed by Kaspersky in July 2023, even though attribution to the Lazarus Team remains tenuous at ideal owing to the existence of methods used by 5 Eyes APT actors such as Purple Lambert, Magenta Lambert, and Environmentally friendly Lambert.
That claimed, a bulk of the malicious Microsoft Phrase paperwork made by the attackers attribute a Korean font known as Malgun Gothic, suggesting that the developer is either familiar with Korean or is effective in a Korean setting.
Russian cybersecurity business Optimistic Technologies, which shared aspects of the similar framework late last month, is tracking the operators under the moniker Dark River.
“The group’s main software, the MataDoor backdoor, has a modular architecture, with a complicated, comprehensively intended system of network transports and adaptable options for conversation between the backdoor operator and an infected equipment,” security researchers Denis Kuvshinov and Maxim Andreev claimed.
“The code evaluation suggests that the developers invested considerable assets into the resource.”
The newest attack chains begin with the actor sending spear-phishing files to targets, in some cases by impersonating respectable workers, indicating prior reconnaissance and considerable preparing. These paperwork involve a url to an HTML web site that embeds an exploit for CVE-2021-26411.
A prosperous compromise leads to the execution of a loader that, in switch, retrieves a Validator module from a distant server to mail technique facts and down load and upload data files to and from the command-and-manage (C2) server.
The Validator is also created to fetch MataDoor, which, according to Kasperksy, is MATA generation 4 which is geared up to run a wide array of commands capable of collecting delicate info from compromised programs.
The attacks are further characterised by the use of stealer malware to capture content from clipboard, record keystrokes, acquire screenshots, and siphon passwords and cookies from the Windows Credential Manager and Internet Explorer.
An additional noteworthy tool is a USB propagation module that will allow for sending instructions to the contaminated method by means of removable media, possible enabling the danger actors to infiltrate air-gapped networks. Also used is an exploit identified as CallbackHell to elevate privileges and bypass endpoint security products so as to attain their ambitions without the need of attracting interest.
Kaspersky stated it also learned a new MATA variant, dubbed MATA generation 5 or MATAv5, that is “fully rewritten from scratch” and “exhibits an highly developed and elaborate architecture building use of loadable and embedded modules and plugins.”
“The malware leverages inter-approach conversation (IPC) channels internally and employs a various vary of instructions, enabling it to establish proxy chains throughout many protocols – also inside of the victim’s environment,” the business included.
In complete, the MATA framework and its cocktail of plugins include assist for in excess of 100 commands pertaining to facts gathering, party checking, approach administration, file administration, network reconnaissance, and proxy features.
“The actor shown superior capabilities of navigating by way of and leveraging security answers deployed in the victim’s natural environment,” Kaspersky said.
“Attackers applied many tactics to cover their activity: rootkits and susceptible motorists, disguising information as legit apps, applying ports open up for conversation amongst programs, multi-degree encryption of information and network exercise of malware, [and] environment lengthy wait times in between connections to handle servers.”
Identified this report exciting? Stick to us on Twitter and LinkedIn to examine far more unique content we post.
Some components of this report are sourced from: