MATA: A multiplatform malware framework

Our experts detected a malware framework that cybercriminals use to attack various operating systems.

The cybercriminal tool set is constantly evolving. The latest example: the malicious MATA framework our experts recently uncovered. Cybercriminals were using it to attack corporate infrastructures around the world. It can work under various operating systems, and it boasts a wide range of malicious tools.

Potentially, malefactors can use MATA for a wide variety of criminal purposes. However, in the cases we analyzed, the cybercriminals were attempting to find and steal data from client databases in victims’ infrastructure. In at least one case, they also used MATA to spread ransomware (our experts promise a separate study of that incident).

The attackers’ sphere of interest was fairly wide. Among the identified victims of MATA were software developers, Internet providers, e-commerce sites, and others. The attack geography was also quite extensive — we detected traces of the group’s activity in Poland, Germany, Turkey, Korea, Japan, and India.

Why do we call MATA a framework?

MATA is not simply a feature-rich piece of malware. It is a kind of constructor for loading tools as and when required. Let’s start with the fact that MATA can attack computers running the three most popular operating systems: Windows, Linux, and macOS.

Windows

First, our experts detected MATA attacks targeting Windows machines. They take place in several stages. In the beginning, MATA operators ran a loader on the victim’s computer that deployed the so-called orchestrator module, which, in turn, downloaded modules capable of a variety of malicious functions.

Depending on the characteristics of the specific attack scenario, the modules could be loaded from a remote HTTP or HTTPS server, from an encrypted file on the hard drive, or transferred through the MataNet infrastructure over a TLS 1.2 connection. The assorted MATA plug-ins can:

  • Run cmd.exe /c or powershell.exe with additional parameters and collect responses to these commands;
  • Manipulate processes (remove, create, etc.);
  • Check for a TCP connection with a specific address (or range of addresses);
  • Create an HTTP proxy server waiting for incoming TCP connections;
  • Manipulate files (write data, send, delete content, etc.);
  • Inject DLL files into running processes;
  • Connect to remote servers.

Linux and macOS

On further investigation, our experts found a similar set of tools for Linux. In addition to the Linux version of the orchestrator and plug-ins, it contained the legitimate command-line utility Socat and scripts for exploiting the vulnerability CVE-2019-3396 in Atlassian Confluence Server.

The set of plug-ins is somewhat different from that for Windows. In particular, there is an extra plug-in through which MATA tries to establish a TCP connection using port 8291 (used to administer devices running RouterOS) and port 8292 (used in Bloomberg Professional software). If the attempt to establish a connection is successful, the plug-in transfers the log to the C&C server. Presumably, the function serves to locate new targets.

As for macOS tools, they were found in a Trojanized application based on open-source software. In terms of functionality, the macOS version was almost identical to its Linux cousin.

You’ll find a detailed technical description of the framework, along with indicators of compromise, in the relevant post on Securelist.

How to protect yourself?

Our experts link MATA to the Lazarus APT group, and the attacks carried out with this framework are definitely targeted ones. Researchers are certain MATA will continue to evolve. Therefore, we recommend even small companies think about deploying advanced technologies to guard against not only mass threats, but more complex ones as well. Specifically, we offer an integrated solution that combines Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) functionality with additional tools. You can learn more about it on our website.

Tips