
Thursday, July 23, 2020

North Korean Hackers Spotted Using New Multi-Platform Malware Framework #Security

Lazarus Group, the notorious hacking group with ties to the North Korean regime, has unleashed a new multi-platform malware framework with an aim to infiltrate corporate entities around the world, steal customer databases, and distribute ransomware.

Capable of targeting Windows, Linux, and macOS operating systems, the MATA malware framework — so-called because of the authors' reference to the infrastructure as "MataNet" — comes with a wide range of features designed to carry out a variety of malicious activities on infected machines.

The MATA campaign is said to have begun as early as April of 2018, with the victimology traced to unnamed companies in software development, e-commerce and internet service provider sectors situated in Poland, Germany, Turkey, Korea, Japan, and India, cybersecurity firm Kaspersky said in its Wednesday analysis.

The report offers a comprehensive look at the MATA framework, while also building on previous evidence gathered by researchers from Netlab 360, Jamf, and Malwarebytes over the past eight months.

Last December, Netlab 360 disclosed a fully functional remote administration Trojan (RAT) called Dacls targeting both Windows and Linux platforms that shared key infrastructure with that operated by the Lazarus Group.

Then in May, Jamf and Malwarebytes uncovered a macOS variant of Dacls RAT that was distributed via a trojanized two-factor authentication (2FA) app.

In the latest development, the Windows version of MATA consists of a loader used to load an encrypted next-stage payload — an orchestrator module ("lsass.exe") capable of loading 15 additional plugins at the same time and executing them in memory.

The plugins themselves are feature-rich, boasting features that allow the malware to manipulate files and system processes, inject DLLs, and create an HTTP proxy server.

MATA plugins also allow the attackers to target Linux-based diskless network devices such as routers, firewalls or IoT devices, as well as macOS systems, where the malware masquerades as a 2FA app called TinkaOTP, itself based on an open-source two-factor authentication application named MinaOTP.

Once the plugins were deployed, the hackers then tried to locate the compromised company's databases and execute several database queries to acquire customer details. It's not immediately clear if they were successful in their attempts. Furthermore, Kaspersky researchers said MATA was used to distribute VHD ransomware to one anonymous victim.

Kaspersky said it linked MATA to the Lazarus Group based on the unique file name format found in the orchestrator ("c_2910.cls" and "k_3872.cls"), which has been previously seen in several variants of the Manuscrypt malware.
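The two concrete indicators this article gives a defender are the orchestrator running under the name "lsass.exe" and the "c_2910.cls" / "k_3872.cls" file names that tied MATA to Manuscrypt. The following is an added hunting example, not code from Kaspersky or from the article: it sweeps a constructed process and file inventory for (a) an lsass.exe that does not run from System32, where the genuine Local Security Authority process lives, and (b) the orchestrator file names. The four-digit `[ck]_NNNN.cls` pattern is an assumed generalisation of the two names quoted above, and the `C:\Windows` system root is likewise an assumption.

```python
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Indicators taken from the article: the orchestrator ran as "lsass.exe" and
# carried the file names "c_2910.cls" and "k_3872.cls".
MATA_CLS_NAMES = {"c_2910.cls", "k_3872.cls"}

# Assumption (not from the report): treat any c_/k_ plus four digits plus
# .cls as the same naming scheme, so related samples are surfaced for review.
CLS_NAME_PATTERN = re.compile(r"^[ck]_\d{4}\.cls$", re.IGNORECASE)

# The real Local Security Authority process always runs from System32.
# Assumes the default system root C:\Windows.
LEGIT_LSASS_PATH = PureWindowsPath(r"C:\Windows\System32\lsass.exe")


def suspicious_lsass(image_path: str) -> bool:
    """True when a process is named lsass.exe but is not the System32 binary.

    PureWindowsPath compares case-insensitively, so C:\\WINDOWS\\system32
    still matches the legitimate path.
    """
    p = PureWindowsPath(image_path)
    if p.name.lower() != "lsass.exe":
        return False
    return p != LEGIT_LSASS_PATH


def matches_mata_cls(path: str) -> Optional[str]:
    """Return "exact" for a name quoted in the report, "pattern" for the
    assumed generalisation, or None when the file name is unrelated."""
    name = PureWindowsPath(path).name
    if name.lower() in MATA_CLS_NAMES:
        return "exact"
    if CLS_NAME_PATTERN.match(name):
        return "pattern"
    return None


def hunt(processes: List[Tuple[int, str]], files: List[str]) -> List[tuple]:
    """Run both checks over an inventory and return the findings in order."""
    findings: List[tuple] = []
    for pid, image_path in processes:
        if suspicious_lsass(image_path):
            findings.append(("process", pid, image_path))
    for path in files:
        kind = matches_mata_cls(path)
        if kind is not None:
            findings.append(("file", kind, path))
    return findings


# Constructed sample inventory for demonstration; not real telemetry.
SAMPLE_PROCESSES = [
    (652, r"C:\Windows\System32\lsass.exe"),   # genuine LSA process
    (4120, r"C:\Users\Public\lsass.exe"),      # name collision outside System32
    (3008, r"C:\Windows\System32\svchost.exe"),
]
SAMPLE_FILES = [
    r"C:\ProgramData\c_2910.cls",   # quoted in the report
    r"C:\ProgramData\k_3872.cls",   # quoted in the report
    r"C:\ProgramData\k_4410.cls",   # assumed pattern match only
    r"C:\ProgramData\readme.txt",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_PROCESSES, SAMPLE_FILES):
        print(*finding)
```

A hit on the name pattern alone is a lead to triage, not an attribution on its own; the article's point is that Kaspersky combined this file-name format with the earlier Manuscrypt observations, and a hunt like this only surfaces candidates for that kind of comparison.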

The state-sponsored Lazarus Group (also called Hidden Cobra or APT38) has been linked to many major cyber offensives, including the Sony Pictures hack in 2014, the SWIFT banking hack in 2016, and the WannaCry ransomware infection in 2017.

Most recently, the APT added web skimming to its repertoire, targeting U.S. and European e-commerce websites to plant JavaScript-based payment skimmers.

The hacking crew's penchant for carrying out financially motivated attacks led the U.S. Treasury to sanction the group and its two off-shoots, Bluenoroff and Andariel, last September.


via https://www.aiupnow.com by noreply@blogger.com (Ravie Lakshmanan), Khareem Sudlow