Capable of targeting Windows, Linux, and macOS operating systems, the MATA malware framework — so-called because of the authors' reference to the infrastructure as "MataNet" — comes with a wide range of features designed to carry out a variety of malicious activities on infected machines.
The MATA campaign is said to have begun as early as April of 2018, with the victimology traced to unnamed companies in software development, e-commerce and internet service provider sectors situated in Poland, Germany, Turkey, Korea, Japan, and India, cybersecurity firm Kaspersky said in its Wednesday analysis.
The report offers a comprehensive look at the MATA framework, while also building on previous evidence gathered by researchers from Netlab 360, Jamf, and Malwarebytes over the past eight months.
Last December, Netlab 360 disclosed a fully functional remote administration Trojan (RAT) called Dacls targeting both Windows and Linux platforms that shared key infrastructure with that operated by the Lazarus Group.
Then in May, Jamf and Malwarebytes uncovered a macOS variant of Dacls RAT that was distributed via a trojanized two-factor authentication (2FA) app.
In the latest development, the Windows version of MATA consists of a loader used to load an encrypted next-stage payload — an orchestrator module ("lsass.exe") capable of loading 15 additional plugins at the same time and executing them in memory.
The plugins themselves are feature-rich, boasting features that allow the malware to manipulate files and system processes, inject DLLs, and create an HTTP proxy server.
MATA plugins also allow hackers to target Linux-based diskless network devices such as routers, firewalls or IoT devices, and macOS systems by masquerading as a 2FA app called TinkaOTP, which is based on an open-source two-factor authentication application named MinaOTP.
Once the plugins were deployed, the hackers then tried to locate the compromised company's databases and execute several database queries to acquire customer details. It's not immediately clear if they were successful in their attempts. Furthermore, Kaspersky researchers said MATA was used to distribute VHD ransomware to one anonymous victim.
Kaspersky said it linked MATA to the Lazarus Group based on the unique file name format found in the orchestrator ("c_2910.cls" and "k_3872.cls"), which has been previously seen in several variants of the Manuscrypt malware.
The state-sponsored Lazarus Group (also called Hidden Cobra or APT38) has been linked to many major cyber offensives, including the Sony Pictures hack in 2014, the SWIFT banking hack in 2016, and the WannaCry ransomware infection in 2017.
The hacking crew's penchant for carrying out financially motivated attacks led the U.S. Treasury to sanction the group and its two off-shoots, Bluenoroff and Andariel, last September.