October 19, 2023 at 10:21AM
The MATA backdoor framework has been used in a cyber espionage operation targeting Eastern European companies in the oil and gas sector and the defense industry. Spear-phishing emails delivered the malware, exploiting a vulnerability in Internet Explorer. The MATA framework is linked to the Lazarus Group, and a new variant, MATAv5, has been discovered. The attackers employed a range of techniques to hide their activity and showed advanced capabilities in evading security solutions.
Key takeaways:
1. A sophisticated backdoor framework called MATA has been used in cyber espionage attacks against Eastern European companies in the oil and gas sector and defense industry. The attacks took place between August 2022 and May 2023.
2. The attackers used spear-phishing emails to target victims, infecting them with Windows executable malware through file downloads.
3. The phishing documents included an external link to fetch a remote page containing an exploit for CVE-2021-26411, a memory corruption vulnerability in Internet Explorer.
4. The MATA framework, first documented by a Russian cybersecurity company in July 2020, has been used by North Korean state-sponsored actors in previous attacks targeting various sectors in Poland, Germany, Turkey, Korea, Japan, and India since April 2018.
5. The attackers behind the MATA framework have targeted defense contractors, and the use of the framework in these attacks was previously disclosed in July 2023.
6. The malicious Microsoft Word documents used by the attackers feature a Korean font called Malgun Gothic, suggesting a Korean connection.
7. Positive Technologies is tracking the MATA framework operators under the name Dark River.
8. The MATA framework’s main tool is the MataDoor backdoor, which has a modular architecture and a sophisticated system of network transports for communication between the backdoor operator and the infected machine.
9. The attacks start with spear-phishing documents that contain a link to an HTML page with an exploit for CVE-2021-26411. A successful compromise leads to the execution of a loader, which retrieves a Validator module and the MataDoor, capable of gathering sensitive information from compromised systems.
10. The attacks also utilize stealer malware to capture content, record keystrokes, and steal passwords and cookies. They employ a USB propagation module for air-gapped network infiltration and an exploit called CallbackHell to bypass endpoint security products and elevate privileges.
11. A new variant of the MATA framework, MATA generation 5 or MATAv5, has been discovered, which has been completely rewritten and exhibits an advanced and complex architecture.
12. The MATA framework supports over 100 commands related to information gathering, event monitoring, process management, file management, network reconnaissance, and proxy functionality.
13. The attackers demonstrated advanced capabilities in navigating and evading security solutions, using techniques such as rootkits, file disguises, encryption, and setting long wait times between connections to control servers.
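Takeaways 3, 6 and 9 describe two document-level indicators a defender can check for in triage: a Word document that carries an external relationship used to fetch a remote page, and a font table that declares Malgun Gothic. The script below is an added example written for this page, not code from the article or from any vendor tool. It constructs a minimal .docx in memory (the remote URL is a placeholder) and then inspects the package's relationship parts and fontTable.xml. Which relationship types count as suspicious is an assumption of this example: hyperlinks are legitimately external, while an external oleObject or attachedTemplate target that points at an HTTP resource is the pattern worth escalating.

```python
"""Triage a .docx for external relationship targets and declared fonts.

Added example for this page, not from the original article. The sample
document, its placeholder URL and the list of relationship types treated
as suspicious are all constructed assumptions.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Relationship types for which an external HTTP target is rarely benign (assumption).
FETCHING_TYPES = {"oleObject", "attachedTemplate", "frame", "subDocument"}


def build_sample_docx() -> bytes:
    """Build a constructed .docx with one external oleObject link and a font table."""
    rels = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://vendor.example/" TargetMode="External"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://placeholder.example/remote.html" TargetMode="External"/>
</Relationships>"""
    fonts = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:fonts xmlns:w="{W_NS}">
  <w:font w:name="Calibri"/>
  <w:font w:name="Malgun Gothic"/>
</w:fonts>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"/>')
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("word/fontTable.xml", fonts)
    return buf.getvalue()


def triage_docx(data: bytes) -> dict:
    """Collect every external relationship and every declared font from a .docx."""
    external, fonts = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        external.append({
                            "part": name,
                            "id": rel.get("Id"),
                            # Keep only the last path element of the type URI, e.g. "oleObject".
                            "type": rel.get("Type", "").rsplit("/", 1)[-1],
                            "target": rel.get("Target", ""),
                        })
            elif name.endswith("fontTable.xml"):
                root = ET.fromstring(z.read(name))
                for font in root.iter(f"{{{W_NS}}}font"):
                    fonts.append(font.get(f"{{{W_NS}}}name"))
    return {"external": external, "fonts": fonts}


def suspicious(report: dict) -> list:
    """Turn raw findings into flags; font presence alone is a weak signal."""
    flags = []
    for rel in report["external"]:
        remote = rel["target"].lower().startswith(("http://", "https://"))
        if remote and rel["type"] in FETCHING_TYPES:
            flags.append(f"remote fetch via {rel['type']} relationship: {rel['target']}")
    if "Malgun Gothic" in report["fonts"]:
        flags.append("Korean UI font declared: Malgun Gothic (weak indicator on its own)")
    return flags


if __name__ == "__main__":
    for flag in suspicious(triage_docx(build_sample_docx())):
        print(flag)
```

Run it against real attachments by replacing `build_sample_docx()` with the file's bytes. Treat the font finding as context, not as a verdict: legitimate Korean-language documents declare the same font, so it only adds weight when an external fetching relationship is also present.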
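Takeaway 13 notes that the operators set long wait times between connections to their control servers, which defeats detectors tuned for frequent beacons. The heuristic below is an added example for this page, not from the article: over constructed proxy log lines it groups connections by source and destination, computes the gaps between consecutive connections, and flags pairs whose gaps are both long and regular (low coefficient of variation). The thresholds are assumptions to be tuned per environment.

```python
"""Flag low-and-slow beaconing: long, regular intervals to one destination.

Added example for this page, not from the original article. The log lines
and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<iso timestamp> <src> <dst>". The first host contacts
# one address about every six hours with small jitter; the second is bursty.
SAMPLE_LOG = """\
2023-05-02T00:00:00 10.0.0.5 203.0.113.10
2023-05-02T06:01:00 10.0.0.5 203.0.113.10
2023-05-02T12:00:30 10.0.0.5 203.0.113.10
2023-05-02T18:00:10 10.0.0.5 203.0.113.10
2023-05-03T00:00:40 10.0.0.5 203.0.113.10
2023-05-02T09:00:00 10.0.0.7 198.51.100.20
2023-05-02T09:00:02 10.0.0.7 198.51.100.20
2023-05-02T09:37:00 10.0.0.7 198.51.100.20
2023-05-02T10:12:00 10.0.0.7 198.51.100.20
2023-05-02T15:00:00 10.0.0.7 198.51.100.20
"""


def parse_log(text: str) -> dict:
    """Group connection timestamps by (src, dst)."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        sessions[(src, dst)].append(datetime.fromisoformat(ts))
    return sessions


def beacon_candidates(sessions: dict, min_events: int = 4,
                      min_gap_s: float = 3600, max_jitter: float = 0.05) -> list:
    """Return pairs whose inter-connection gaps are long and nearly constant.

    jitter = population stddev of the gaps / mean gap; a tiny value means a
    timer is driving the connections rather than a person.
    """
    findings = []
    for (src, dst), times in sessions.items():
        times = sorted(times)
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if avg >= min_gap_s and jitter <= max_jitter:
            findings.append({"src": src, "dst": dst,
                             "mean_gap_s": round(avg), "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    for f in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f)
```

The mean/stddev test is deliberately simple; it needs several observations per pair, so the lookback window must be long enough to catch a sleep measured in hours or days, and it should be paired with an allow-list of update and telemetry endpoints that also phone home on fixed timers.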