The MATA framework comprises several components, including a loader, an orchestrator and plugins, and can target Windows, Linux and macOS. It illustrates how quickly threat actors adapt their tooling as IT and OT environments grow more complex.
According to the report, the first artefacts related to MATA were used around April 2018. Since then, the threat actor behind the framework has used it aggressively to infiltrate corporate entities around the world. Analysis of Kaspersky’s telemetry then allowed the team to establish what the framework was being used for.
The Windows Version of the MATA Framework
The researchers’ telemetry shows that the threat actor used a loader to load an encrypted next-stage payload.
“We’re not sure that the loaded payload is the orchestrator malware, but almost all victims have the loader and orchestrator on the same machine,” the researchers explained.
As for the plugins, the orchestrator can keep up to 15 plugins loaded at once and obtains them in three different ways:
Download the plugin from the specified HTTP or HTTPS server
Load the AES-encrypted plugin file from a specified disk path
Download the plugin file from the current MataNet connection
The framework takes its name from what the operators call the entire infrastructure: MataNet. Covert communications run over TLS 1.2, provided by the open-source “openssl-1.1.0f” library statically linked into the module.
On top of TLS, traffic between MataNet nodes is additionally encrypted with a random RC4 session key. MataNet implements both a client and a server mode. In server mode the certificate file “c_2910.cls” and the private key file “k_3872.cls” are loaded for TLS; the researchers never observed this mode in use, however.
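The artefacts named above (the two TLS file names and the statically linked OpenSSL build) are the kind of strings a responder can sweep for on disk. The following is an added example written for this page, not Kaspersky’s tooling: it searches files for those indicators in both ASCII and the UTF-16LE form Windows binaries commonly use for file names. The exact “OpenSSL 1.1.0f” banner text is an assumption about how OpenSSL embeds its version string, and the sample blob is constructed inline.

```python
"""Sweep files for the MataNet indicators named in the write-up.

Added example, not Kaspersky's tooling. Indicators come from the report
(certificate file c_2910.cls, key file k_3872.cls, statically linked
OpenSSL 1.1.0f); the banner format is an assumption about how OpenSSL
embeds its version text. The sample input is constructed inline.
"""
from __future__ import annotations

import sys

# Indicators taken from the report. Windows binaries frequently hold file
# names as UTF-16LE wide strings, so each indicator is also searched in
# that encoding.
INDICATORS = {
    "tls_cert_file": b"c_2910.cls",
    "tls_key_file": b"k_3872.cls",
    # OpenSSL's OPENSSL_VERSION_TEXT banner (assumed form for a 1.1.0f build).
    "openssl_banner": b"OpenSSL 1.1.0f",
}


def _find_all(haystack: bytes, needle: bytes) -> list[int]:
    """Return every byte offset at which needle occurs in haystack."""
    offsets, start = [], 0
    while True:
        idx = haystack.find(needle, start)
        if idx == -1:
            return offsets
        offsets.append(idx)
        start = idx + 1


def scan_bytes(data: bytes) -> dict[str, list[tuple[str, int]]]:
    """Map indicator name -> [(encoding, offset), ...] for every hit."""
    hits: dict[str, list[tuple[str, int]]] = {}
    for name, ascii_needle in INDICATORS.items():
        found = [("ascii", o) for o in _find_all(data, ascii_needle)]
        wide = ascii_needle.decode("ascii").encode("utf-16-le")
        found += [("utf-16le", o) for o in _find_all(data, wide)]
        if found:
            hits[name] = found
    return hits


def verdict(hits: dict) -> str:
    """Crude triage: both TLS file names together is the strongest signal,
    since they are framework-specific; the OpenSSL banner on its own only
    says that some statically linked 1.1.0f build is present."""
    if "tls_cert_file" in hits and "tls_key_file" in hits:
        return "matanet-server-artifacts"
    if hits:
        return "weak-match"
    return "clean"


def scan_file(path: str) -> dict[str, list[tuple[str, int]]]:
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed sample: padding with the indicators embedded, the file names
# stored as wide strings the way a Windows binary would hold them.
SAMPLE = (
    b"\x00" * 64
    + b"OpenSSL 1.1.0f  25 May 2017\x00"
    + b"\x90" * 32
    + "c_2910.cls".encode("utf-16-le") + b"\x00\x00"
    + "k_3872.cls".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        h = scan_bytes(SAMPLE)
        print("constructed sample:", verdict(h), h)
    for t in targets:
        h = scan_file(t)
        print(f"{t}: {verdict(h)}", h)
```

Run it with one or more file paths to sweep real binaries; with no arguments it scans the constructed sample. Treat the OpenSSL banner as corroboration only, since any software that statically links that OpenSSL release carries the same string.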
Non-Windows Versions of the MATA Framework
The researchers also discovered another package that combined further MATA files with a set of hacking tools. It was hosted on a legitimate distribution site, which is most likely how the malware was being spread.
The package contained a Windows MATA orchestrator, a Linux tool for listing folders, scripts for exploiting the CVE-2019-3396 vulnerability in Atlassian Confluence Server, a legitimate socat tool, and a Linux version of the MATA orchestrator bundled with plugins.
The researchers also came across malware designed for macOS, which was uploaded to VirusTotal on April 8, 2020. “The malicious Apple Disk Image file is a Trojanized macOS application based on an open-source two-factor authentication application named MinaOTP,” the report said.
Lazarus Hacking Group
In December 2019 a new macOS Trojan was uncovered that was most likely developed by the Lazarus hacking group. Patrick Wardle’s analysis of the sample showed that its installer ran a postinstall script that installed the vip.unioncrypto.plist launch daemon to achieve persistence. Launch daemons are system-wide launchd jobs loaded at boot, typically as root, which is why they are a favoured persistence location on macOS.
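A responder checking a Mac for this kind of persistence would triage the launchd job files themselves. The following is an added example written for this page, not Patrick Wardle’s analysis code: it parses a LaunchDaemon property list, reports what the job starts and when, and flags the vip.unioncrypto label named above. The allow-list of expected program locations and both sample plists are assumptions constructed for the example.

```python
"""Triage launchd job plists for the persistence technique described above.

Added example, not Patrick Wardle's analysis code. It parses a LaunchDaemon
property list, reports what it starts and when, and flags the
vip.unioncrypto label from the write-up. The allowed program prefixes and
both sample plists are assumptions constructed for the example.
"""
import glob
import os
import plistlib

# Label named in the report; extend from your own intel.
KNOWN_BAD_LABELS = {"vip.unioncrypto"}

# Where a daemon's binary normally lives on a stock install (assumption;
# tune to your fleet). A daemon starting something elsewhere merits a look.
EXPECTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/Applications/")


def triage_plist(raw: bytes) -> dict:
    """Return label, program, boot behaviour and a list of findings."""
    job = plistlib.loads(raw)
    label = job.get("Label", "")
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else "")
    findings = []
    if label in KNOWN_BAD_LABELS:
        findings.append("label matches known Lazarus macOS daemon")
    if program and not program.startswith(EXPECTED_PREFIXES):
        findings.append(f"program outside expected locations: {program}")
    return {
        "label": label,
        "program": program,
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "keep_alive": bool(job.get("KeepAlive", False)),
        "findings": findings,
    }


def triage_directory(directory: str = "/Library/LaunchDaemons") -> list:
    """Triage every plist in a launchd directory. Parse errors are reported
    rather than swallowed: a deliberately malformed plist is itself a finding."""
    results = []
    for path in sorted(glob.glob(os.path.join(directory, "*.plist"))):
        with open(path, "rb") as fh:
            try:
                r = triage_plist(fh.read())
            except Exception as exc:  # malformed XML/binary plist
                r = {"label": "", "program": "", "run_at_load": False,
                     "keep_alive": False, "findings": [f"unparseable: {exc}"]}
        r["path"] = path
        results.append(r)
    return results


# Constructed samples: one shaped like the daemon in the write-up, one benign.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>vip.unioncrypto</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>Program</key><string>/usr/local/bin/backup</string>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>
"""

if __name__ == "__main__":
    import sys
    for name, blob in (("suspect", SUSPECT_PLIST), ("benign", BENIGN_PLIST)):
        print(name, triage_plist(blob))
    for r in triage_directory(*sys.argv[1:2]):
        print(r["path"], r["findings"])
```

Run it on a live system with no arguments to sweep /Library/LaunchDaemons, or pass another directory such as a user’s LaunchAgents folder. A label match is strong; the location heuristic is only a prompt to inspect the program it points at.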
The Lazarus hacking group is believed to operate from North Korea and is known for elaborate campaigns against high-profile targets. Its first attacks, in 2009 and 2012, were distributed denial-of-service attacks against South Korean institutions.
The group is known for operating large botnets, built in most cases from compromised computers.