October 18, 2023 at 12:28PM
The MATA backdoor framework has been observed in attacks targeting oil and gas firms and the defense industry in Eastern Europe between August 2022 and May 2023. The attacks used spear-phishing emails to trick victims into downloading malicious executables that exploit a vulnerability in Internet Explorer. The updated MATA framework includes a loader, a main trojan, and an infostealer to gain persistence in targeted networks. The attacks have similarities to previous versions associated with the North Korean Lazarus hacking group but with updated capabilities. The attackers breached security compliance solutions to spread malware across the corporate network. The MATA malware also includes a Linux variant in the form of an ELF file. The latest version of MATA features extensive remote control capabilities and supports multi-protocol and proxy server chains. The attackers bypassed endpoint security tools using publicly available exploits and Bring Your Own Vulnerable Driver (BYOVD) techniques. The attribution of the attacks is unclear, but there are similarities to both Lazarus and ‘Five Eyes’ APT groups.
From the meeting notes, here are the key takeaways:
1. The MATA backdoor framework has been updated and used in attacks targeting oil and gas firms and the defense industry in Eastern Europe between August 2022 and May 2023.
2. The attacks involved spear-phishing emails and exploited CVE-2021-26411 in Internet Explorer.
3. The updated MATA framework includes a loader, a main trojan, and an infostealer for backdooring and gaining persistence in targeted networks.
4. The MATA version used in these attacks shares similarities with previous versions associated with the North Korean Lazarus hacking group but includes updated capabilities.
5. Malware is spread across corporate networks by breaching security compliance solutions and exploiting their flaws.
6. The hackers abused access to security software admin panels to perform surveillance on the targeted organization’s infrastructure and distribute malware to its subsidiaries.
7. A Linux variant of MATA was used for Linux server targets, similar in functionality to the Windows implant.
8. Kaspersky sampled three new versions of MATA: v3, evolved from the second generation, v4 called ‘MataDoor,’ and v5 written from scratch.
9. The latest version of MATA comes in DLL form and has extensive remote control capabilities, supports multi-protocol connections, and supports proxy server chains.
10. MATA supports various commands for connectivity, management, and information retrieval.
11. Additional plugins loaded onto MATA enable additional commands for information gathering, process and file management, network reconnaissance, proxy functionality, and remote shell execution.
12. The hackers used a publicly available exploit for CVE-2021-40449 (‘CallbackHell’) to bypass EDR and security tools, and if unsuccessful, they used Bring Your Own Vulnerable Driver (BYOVD) techniques.
13. Attribution of the activity is unclear, with associations to Lazarus but closer resemblances to ‘Five Eyes’ APT groups like Purple, Magenta, and Green Lambert.
14. Multiple malware frameworks and versions of the MATA framework being used in a single attack indicate a well-resourced threat actor.
For more technical information, please refer to Kaspersky’s full report.