Monday, October 23, 2023
HomeCyber SecurityRefined MATA Framework Strikes Japanese European Oil and Fuel Firms

Refined MATA Framework Strikes Japanese European Oil and Fuel Firms

MATA Framework

An up to date model of a complicated backdoor framework referred to as MATA has been utilized in assaults aimed toward over a dozen Japanese European firms within the oil and gasoline sector and protection business as a part of a cyber espionage operation that happened between August 2022 and Might 2023.

“The actors behind the assault used spear-phishing mails to focus on a number of victims, some had been contaminated with Home windows executable malware by downloading information by way of an web browser,” Kaspersky mentioned in a brand new exhaustive report revealed this week.

“Every phishing doc incorporates an exterior hyperlink to fetch a distant web page containing a CVE-2021-26411 exploit.”

CVE-2021-26411 (CVSS rating: 8.8) refers to a reminiscence corruption vulnerability in Web Explorer that may very well be triggered to execute arbitrary code by tricking a sufferer into visiting a specifically crafted web site. It was beforehand exploited by the Lazarus Group in early 2021 to focus on safety researchers.

The cross-platform MATA framework was first documented by the Russian cybersecurity firm in July 2020, linking it to the prolific North Korean state-sponsored crew in assaults focusing on numerous sectors in Poland, Germany, Turkey, Korea, Japan, and India since April 2018.

Using a revamped model of MATA to strike protection contractors was beforehand disclosed by Kaspersky in July 2023, though attribution to the Lazarus Group stays tenuous at finest as a result of presence of strategies utilized by 5 Eyes APT actors comparable to Purple Lambert, Magenta Lambert, and Inexperienced Lambert.


That mentioned, a majority of the malicious Microsoft Phrase paperwork created by the attackers characteristic a Korean font referred to as Malgun Gothic, suggesting that the developer is both aware of Korean or works in a Korean setting.

Russian cybersecurity firm Constructive Applied sciences, which shared particulars of the identical framework late final month, is monitoring the operators underneath the moniker Darkish River.

“The group’s most important instrument, the MataDoor backdoor, has a modular structure, with a posh, totally designed system of community transports and versatile choices for communication between the backdoor operator and an contaminated machine,” safety researchers Denis Kuvshinov and Maxim Andreev mentioned.

“The code evaluation means that the builders invested appreciable assets into the instrument.”

The newest assault chains start with the actor sending spear-phishing paperwork to targets, in some instances by impersonating reliable staff, indicating prior reconnaissance and intensive preparation. These paperwork embrace a hyperlink to an HTML web page that embeds an exploit for CVE-2021-26411.

A profitable compromise results in the execution of a loader that, in flip, retrieves a Validator module from a distant server to ship system data and obtain and add information to and from the command-and-control (C2) server.

The Validator can be designed to fetch MataDoor, which, in keeping with Kasperksy, is MATA technology 4 that is outfitted to run a variety of instructions able to gathering delicate data from compromised methods.

The assaults are additional characterised by means of stealer malware to seize content material from clipboard, document keystrokes, take screenshots, and siphon passwords and cookies from the Home windows Credential Supervisor and Web Explorer.

One other noteworthy instrument is a USB propagation module that enables for sending instructions to the contaminated system by way of detachable media, seemingly enabling the risk actors to infiltrate air-gapped networks. Additionally employed is an exploit referred to as CallbackHell to raise privileges and bypass endpoint safety merchandise in order to attain their targets with out attracting consideration.


Kaspersky mentioned it additionally found a brand new MATA variant, dubbed MATA technology 5 or MATAv5, that is “fully rewritten from scratch” and “reveals a complicated and sophisticated structure making use of loadable and embedded modules and plugins.”

“The malware leverages inter-process communication (IPC) channels internally and employs a various vary of instructions, enabling it to determine proxy chains throughout numerous protocols – additionally inside the sufferer’s setting,” the corporate added.

In complete, the MATA framework and its cocktail of plugins incorporate assist for over 100 instructions pertaining to data gathering, occasion monitoring, course of administration, file administration, community reconnaissance, and proxy performance.

“The actor demonstrated excessive capabilities of navigating by way of and leveraging safety options deployed within the sufferer’s setting,” Kaspersky mentioned.

“Attackers used many strategies to cover their exercise: rootkits and susceptible drivers, disguising information as reliable functions, utilizing ports open for communication between functions, multi-level encryption of information and community exercise of malware, [and] setting lengthy wait instances between connections to regulate servers.”

Discovered this text fascinating? Observe us on Twitter and LinkedIn to learn extra unique content material we publish.



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments