Multifaceted MATA Malware Framework Linked to North Korea


“Used to aggressively infiltrate corporate entities around the world”

Russian security company Kaspersky says it has discovered a new multi-platform malware framework that includes a rich array of loaders, orchestrators and plugins and is able to target Windows, Linux and macOS operating systems.

Dubbing it “MATA”, Kaspersky linked it (arguably somewhat tenuously) to the North Korean Lazarus APT. (MATA “uses two unique filenames, c_2910.cls and k_3872.cls” mentioned in the US-CERT publication on North Korean threat actors).

Worryingly, Kaspersky said the Linux version (“containing different MATA files together with a set of hacking tools”) was found on a legitimate distribution site.

Kaspersky did not name the site or the distro. (Computer Business Review has contacted the company for more details and will update when we get them).

The package included a Linux tool for listing folders, scripts for exploiting Atlassian Confluence Server (CVE-2019-3396), a legitimate socat tool and a Linux version of the MATA orchestrator bundled together with a set of plugins. (China-based security vendor Netlab has also published a detailed blog on this malware.)

The orchestrator malware loads encrypted configuration data from a registry key and decrypts it with the AES algorithm, Kaspersky said. It can then go on to load fifteen plugins at the same time. There are three ways to load them:

  • Download the plugin from the specified HTTP or HTTPS server
  • Load the AES-encrypted plugin file from a specified disk path
  • Download the plugin file from the current MataNet connection

“For covert communication, they employ TLS1.2 connections with the help of the “” open source library, which is statically linked inside this module”, Kaspersky’s researchers said. “Additionally, the traffic between MataNet nodes is encrypted with a random RC4 session key. MataNet implements both client and server mode. In server mode the certificate file “c_2910.cls” and the private key file “k_3872.cls” are loaded for TLS encryption.”

The first record of the framework being used goes as far back as April 2018, and since then it has been used to “aggressively infiltrate corporate entities around the world”, including to steal customer lists and distribute ransomware.


Kacey Clark, threat researcher at cyber security company Digital Shadows, told Computer Business Review: “To date, reporting suggests that MATA has actively been used to target victims in several sectors, such as e-commerce and technology, across Germany, India, Japan, Korea, Turkey, and Poland.”


Multi-Platform Malware Framework
Pic @ Kaspersky Labs


“Researchers have suggested that the links to Lazarus are due to the discovery of two unique filenames in MATA that have only previously been seen in malware associated with Lazarus. The links between Lazarus and MATA are tentative at this stage.”

VHD Ransomware

Kaspersky said it also found evidence in some MATA attacks of a particularly nasty ransomware called VHD ransomware.

Not only does this encrypt all data on the PC with the strongest encryption technique, it removes all shadow copies of files and system restore points, to prevent the user from recovering anything on their own, and changes the file extension to .vhd, which makes the files permanently unusable.
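A defender-side triage sketch for the two observables this article names, added here as an example and not taken from Kaspersky's report: the file names c_2910.cls and k_3872.cls, and mass renaming of files to the .vhd extension. The event tuple format, host names, paths, timestamps and burst thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# File names the article cites as common to MATA and earlier Lazarus reporting.
MATA_TLS_FILES = {"c_2910.cls", "k_3872.cls"}
# Assumed thresholds (not from the article): 20 renames to .vhd within 60 s.
# A single .vhd file is normal (virtual hard disks), so only bursts are flagged.
BURST_COUNT, BURST_WINDOW = 20, timedelta(seconds=60)


def triage(events):
    """events: iterable of (iso_time, host, action, path); returns sorted alerts."""
    alerts = set()
    recent = defaultdict(deque)  # host -> timestamps of recent renames to .vhd
    for ts, host, action, path in sorted(events):
        when = datetime.fromisoformat(ts)
        p = PureWindowsPath(path)  # accepts both "\" and "/" separators
        if p.name.lower() in MATA_TLS_FILES:
            alerts.add((host, "mata_tls_filename", p.name.lower()))
        if action == "rename" and p.suffix.lower() == ".vhd":
            window = recent[host]
            window.append(when)
            while when - window[0] > BURST_WINDOW:  # drop renames outside window
                window.popleft()
            if len(window) >= BURST_COUNT:
                alerts.add((host, "vhd_rename_burst", ".vhd"))
    return sorted(alerts)


def sample_events():
    """Constructed file events: one indicator hit, one benign .vhd, one burst."""
    base = datetime(2020, 7, 28, 9, 0, 0)
    events = [
        (base.isoformat(), "srv-a", "create", r"C:\example\k_3872.cls"),
        (base.isoformat(), "srv-b", "rename", r"D:\vm\disk0.vhd"),
    ]
    events += [
        ((base + timedelta(seconds=i)).isoformat(), "ws-c", "rename",
         rf"C:\example\doc{i}.docx.vhd")
        for i in range(25)
    ]
    return events


if __name__ == "__main__":
    for alert in triage(sample_events()):
        print(alert)
```

A file-name match alone is a weak signal, consistent with the article's note that the Lazarus link is tentative; treat it as a lead for further investigation.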

Indicators of Compromise can be found here.