MATA: A multiplatform malware framework

Our experts detected a malware framework that cybercriminals use to attack various operating systems.

Hugh Aver
July 22, 2020

The cybercriminal tool set is constantly evolving. The latest example: the malicious MATA framework our experts recently uncovered. Cybercriminals were using it to attack corporate infrastructures around the world. It can work under various operating systems, and it boasts a wide range of malicious tools.

Potentially, malefactors can use MATA for a wide variety of criminal purposes. However, in the cases we analyzed, the cybercriminals were attempting to find and steal data from client databases in victims’ infrastructure. In at least one case, they also used MATA to spread ransomware (our experts promise a separate study of that incident).

The attackers’ sphere of interest was fairly wide. Among the identified victims of MATA were software developers, Internet providers, e-commerce sites, and others. The attack geography was also quite extensive — we detected traces of the group’s activity in Poland, Germany, Turkey, Korea, Japan, and India.

Why do we call MATA a framework?

MATA is not simply a feature-rich piece of malware. It is a kind of constructor for loading tools as and when required. Let’s start with the fact that MATA can attack computers running the three most popular operating systems: Windows, Linux, and macOS.

Windows

First, our experts detected MATA attacks targeting Windows machines. They take place in several stages. In the beginning, MATA operators ran a loader on the victim’s computer that deployed the so-called orchestrator module, which, in turn, downloaded modules capable of a variety of malicious functions. Depending on the characteristics of the specific attack scenario, the modules could be loaded from a remote HTTP or HTTPS server, from an encrypted file on the hard drive, or transferred through the MataNet infrastructure over a TLS 1.2 connection.
The assorted MATA plug-ins can:

- Run cmd.exe /c or powershell.exe with additional parameters and collect responses to these commands;
- Manipulate processes (remove, create, etc.);
- Check for a TCP connection with a specific address (or range of addresses);
- Create an HTTP proxy server waiting for incoming TCP connections;
- Manipulate files (write data, send, delete content, etc.);
- Inject DLL files into running processes;
- Connect to remote servers.

Linux and macOS

On further investigation, our experts found a similar set of tools for Linux. In addition to the Linux version of the orchestrator and plug-ins, it contained the legitimate command-line utility Socat and scripts for exploiting the vulnerability CVE-2019-3396 in Atlassian Confluence Server.

The set of plug-ins is somewhat different from that for Windows. In particular, there is an extra plug-in through which MATA tries to establish a TCP connection using port 8291 (used to administer devices running RouterOS) and port 8292 (used in Bloomberg Professional software). If the attempt to establish a connection is successful, the plug-in transfers the log to the C&C server. Presumably, the function serves to locate new targets.

As for macOS tools, they were found in a Trojanized application based on open-source software. In terms of functionality, the macOS version was almost identical to its Linux cousin.

You’ll find a detailed technical description of the framework, along with indicators of compromise, in the relevant post on Securelist.

How to protect yourself?

Our experts link MATA to the Lazarus APT group, and the attacks carried out with this framework are definitely targeted ones. Researchers are certain MATA will continue to evolve. Therefore, we recommend even small companies think about deploying advanced technologies to guard against not only mass threats, but more complex ones as well.
Specifically, we offer an integrated solution that combines Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) functionality with additional tools. You can learn more about it on our website.
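The Linux plug-in described above, which probes port 8291 (RouterOS) and port 8292 (Bloomberg Professional) to locate new targets, leaves a recognizable footprint in connection logs: one internal host fanning out to many destinations on exactly those two ports. The following detection sketch is an added example, not code from Kaspersky or from the MATA analysis; the log format and the sample entries are constructed for illustration, and the three-destination threshold is an assumption to tune per environment.

```python
# Added example (not Kaspersky's code): flag internal hosts whose outbound
# connection attempts to TCP 8291 (RouterOS admin) and 8292 (Bloomberg) fan out
# across many distinct destinations, the pattern the MATA Linux plug-in's
# target-location probing would leave in firewall or NetFlow-style logs.
from collections import defaultdict

# Ports the article says the plug-in probes.
PROBED_PORTS = {8291, 8292}

# Constructed sample log, one event per line:
# "timestamp src_ip dst_ip dst_port outcome" (format is an assumption).
SAMPLE_LOG = """\
2020-07-20T10:00:01 10.0.0.5 10.0.1.10 8291 reset
2020-07-20T10:00:01 10.0.0.5 10.0.1.11 8291 reset
2020-07-20T10:00:02 10.0.0.5 10.0.1.12 8292 reset
2020-07-20T10:00:02 10.0.0.5 10.0.1.13 8291 established
2020-07-20T10:00:03 10.0.0.5 10.0.1.14 8292 reset
2020-07-20T10:00:03 10.0.0.7 10.0.1.20 443 established
2020-07-20T10:00:04 10.0.0.7 10.0.1.10 8291 established
"""


def parse_line(line):
    """Split one whitespace-separated log line into a dict of fields."""
    ts, src, dst, port, outcome = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "outcome": outcome}


def find_probing_hosts(log_text, min_targets=3):
    """Return {src_ip: sorted dst_ips} for sources that attempted connections
    on PROBED_PORTS to at least min_targets distinct destinations.
    Failed attempts count too: the probe itself, not its success, is the signal."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["port"] in PROBED_PORTS:
            targets[ev["src"]].add(ev["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_probing_hosts(SAMPLE_LOG).items():
        print(f"{src} probed {len(dsts)} hosts on RouterOS/Bloomberg ports: {', '.join(dsts)}")
```

A legitimate network-management host that administers many RouterOS devices over 8291 will match as well, so treat a hit as a lead to be allow-listed or investigated, not as a verdict on its own.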