MATA – Threat Actor Lazarus’ Malware Framework


Friday, July 24th, 2020

Researchers at SecureList have recently found evidence of a malware framework being used by the APT threat actor Lazarus. The framework has been built so that it can be used to attack Windows, Mac, and Linux systems, and several victims have been identified in Germany, Poland, Turkey, Korea, Japan, and India. While the goals behind the framework appear to be malware and ransomware distribution as well as data exfiltration, the goal shifts depending on the target being attacked. In one attack, after deploying the MATA malware and its plugins, the threat actor attempted to find and compromise the victim’s databases and executed several queries in order to acquire customer lists. For another victim, the framework was used to distribute ransomware, a favorite of the Lazarus group. The threat actor behind MATA has used the framework to attack a wide swath of industries, including an ISP, an ecommerce company, and a software development company.

Artifacts from the framework were first discovered in early 2018 and have since evolved, allowing the threat actors to compromise multiple corporations around the world. The Windows version of the framework contains multiple components: a loader that loads the orchestrator, and a C2 server from which the orchestrator receives commands, which in turn direct it to load and execute a variety of plugins to carry out attacks. 15 plugins can be loaded at the same time, through one of three ways:

  • Download the plugin from the specified HTTP or HTTPS server
  • Load the AES-encrypted plugin file from a specified disk path
  • Download the plugin file from the current MataNet connection (the term ‘MataNet’ was found within the configuration files for the malware as the name given to it by its authors)

The plugins loaded by the orchestrator are DLL files that expose an interface to the orchestrator and provide a wide array of functionality for controlling infected machines, some of which is listed below.

  • MATA_Plug_Cmd.dll: Run “cmd.exe /c” or “powershell.exe” with the specified parameters and receive the output of the command execution.
  • MATA_Plug_Process.dll: Manipulate processes (list processes, kill a process, create a process, create a process with the logged-on user’s session ID).
  • MATA_Plug_TestConnect.dll: Check the TCP connection to a given IP:port or IP range, and ping a given host or IP range.
  • MATA_Plug_WebProxy.dll: Create an HTTP proxy server. The server listens for incoming TCP connections on the specified port, processes CONNECT requests from clients to the HTTP server, and forwards all traffic between client and server.
  • MATA_Plug_File.dll: Manipulate files (write received data to a given file, send a given file after LZNT1 compression, compress a given folder to %TEMP%\~DESKTOP[8 random hex].ZIP and send it, wipe a given file, search for files, list files and folders, timestomp a file).
  • MATA_Plug_P2PReverse.dll: Connect to a MataNet server on one side and an arbitrary TCP server on the other, then forward traffic between them. IPs and ports for both sides are specified in the call to this interface.
  • MATA_Plug_Load.dll: Inject a DLL file into a given process by PID or process name, or inject a XORed DLL file into a given process, optionally calling an export function with arguments.

Plugins for Windows

The Linux version of the MATA framework operates in a similar fashion to its Windows counterpart. It was found on a legitimate distribution site, which lends credence to the theory that this is how the malware was distributed. The package included a Windows MATA orchestrator, a Linux tool for listing folders, scripts for exploiting CVE-2019-3396 in Atlassian Confluence Server, a legitimate socat tool, and a Linux version of the MATA orchestrator bundled together with a set of plugins.

The module is designed to run as a daemon. Upon launch, it checks whether it is already running by reading the PID from “/var/run/init.pid” and checking whether the content of “/proc/%pid%/cmdline” is equal to “/flash/bin/mountd”. It’s important to note that “/flash/bin/mountd” is an unusual path for a standard Linux desktop or server installation, which leads researchers to believe that the targets of Linux MATA are diskless network devices such as routers, firewalls, or other Internet-of-Things devices based on x86_64.
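The PID-file and cmdline comparison described above is also a concrete host artifact a defender can look for. The following is an added example, not code from the original article or from SecureList: it reads the same “/var/run/init.pid”, resolves the process’s “/proc/<pid>/cmdline”, and reports whether the combination points at a live “/flash/bin/mountd” process. The function takes a root directory so it can be run against the real filesystem (“/”) or against a constructed mock tree, which the `build_mock_root` helper (an assumption of this example) creates for testing.

```python
"""Hunt check for the Linux MATA daemon marker (added example, not SecureList code)."""
import os
import tempfile

PID_FILE = "var/run/init.pid"           # path named in the article (relative to root)
EXPECTED_CMDLINE = "/flash/bin/mountd"  # cmdline value named in the article


def read_cmdline(root, pid):
    """Return argv[0] of the process from <root>/proc/<pid>/cmdline, or None if absent."""
    path = os.path.join(root, "proc", str(pid), "cmdline")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except OSError:
        return None
    # /proc/<pid>/cmdline is NUL-separated; the first field is argv[0]
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")


def check_mata_marker(root="/"):
    """Describe whether the MATA marker combination is present under <root>.

    Verdicts:
      'clean'      - no init.pid, or it points at an unrelated process
      'stale_pid'  - init.pid exists but no such process (worth a second look)
      'suspicious' - init.pid points at a live process whose argv[0] is /flash/bin/mountd
    """
    pid_path = os.path.join(root, PID_FILE)
    try:
        with open(pid_path, "r") as fh:
            pid = int(fh.read().strip())
    except (OSError, ValueError):
        return {"verdict": "clean", "pid": None, "cmdline": None}
    cmdline = read_cmdline(root, pid)
    if cmdline is None:
        return {"verdict": "stale_pid", "pid": pid, "cmdline": None}
    verdict = "suspicious" if cmdline == EXPECTED_CMDLINE else "clean"
    return {"verdict": verdict, "pid": pid, "cmdline": cmdline}


def build_mock_root(pid, cmdline):
    """Construct a throwaway tree mimicking /var/run and /proc (test data, not a real host).

    cmdline=None creates the PID file but no /proc entry, i.e. a stale PID.
    """
    root = tempfile.mkdtemp(prefix="mata_mock_")
    os.makedirs(os.path.join(root, "var", "run"))
    os.makedirs(os.path.join(root, "proc", str(pid)))
    with open(os.path.join(root, PID_FILE), "w") as fh:
        fh.write(f"{pid}\n")
    if cmdline is not None:
        with open(os.path.join(root, "proc", str(pid), "cmdline"), "wb") as fh:
            fh.write(cmdline.encode() + b"\x00")
    return root


if __name__ == "__main__":
    # First against a constructed infected-looking tree, then against this host.
    mock = build_mock_root(4242, "/flash/bin/mountd")
    print("mock tree:", check_mata_marker(mock))
    print("this host:", check_mata_marker("/"))
```

Because the marker is a combination (PID file plus a specific argv[0]) rather than a single path, the check distinguishes a stale PID file from a live match; on the devices the article describes as likely targets, an unexpected “/var/run/init.pid” on its own is already worth investigating.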

The behavior of this module is the same as that of the Windows MATA discussed previously. The plugin names of Linux MATA and their corresponding Windows plugins are listed below:

  • /bin/bash: MATA_Plug_Cmd
  • plugin_file: MATA_Plug_File
  • plugin_process: MATA_Plug_Process
  • plugin_test: MATA_Plug_TestConnect
  • plugin_reverse_p2p: MATA_Plug_P2PReverse

Plugins for Linux

For the Mac version, an attack vector was discovered on VirusTotal on April 8th, 2020. The malicious Apple Disk Image file is a Trojanized macOS application based on an open-source two-factor authentication application named MinaOTP. The Trojanized main TinkaOTP module is responsible for moving the malicious Mach-O file to the library folder and then executing it. Upon execution, this malicious Mach-O file loads the initial configuration file for the malware. Like the previously discussed strains for Windows and Linux, the macOS variant also runs on a plugin basis. Its plugin list is almost identical to the previously discussed Linux plugins, except that it also contains a plugin named “plugin_socks”. The “plugin_socks” plugin is similar to “plugin_reverse_p2p” and is responsible for configuring proxy servers.

The MATA framework is a significant threat to the cybersecurity community as it can target multiple platforms: Windows, Linux, and macOS. The threat actor most likely behind this new threat, Lazarus, is known for credential harvesting, data exfiltration, and ransomware attacks, amongst others. It is likely that this malware strain will continue to grow and evolve, and all analysts and sysadmins should remain vigilant in defending against this threat.

For a list of Indicators of Compromise (IOCs) as well as the sources used for this article, please see below.


Sources:


Indicators of Compromise:

  • File Hashes (malicious documents, Trojans, emails, decoys)
    • Windows Loader
      • f364b46d8aafff67271d350b8271505a
      • 85dcea03016df4880cebee9a70de0c02
      • 1060702fe4e670eda8c0433c5966feee
      • 7b068dfbea310962361abf4723332b3a
      • 8e665562b9e187585a3f32923cc1f889
      • 6cd06403f36ad20a3492060c9dc14d80
      • 71d8b4c4411f7ffa89919a3251e6e5cb
      • a7bda9b5c579254114fab05ec751918c
      • e58cfbc6e0602681ff1841afadad4cc6
      • 7e4e49d74b59cc9cc1471e33e50475d3
      • a93d1d5c2cb9c728fda3a5beaf0a0ffc
      • 455997E42E20C8256A494FA5556F7333
      • 7ead1fbba01a76467d63c4a216cf2902
      • 7d80175ea344b1c849ead7ca5a82ac94
      • bf2765175d6fce7069cdb164603bd7dc
      • b5d85cfaece7da5ed20d8eb2c9fa477c
      • 6145fa69a6e42a0bf6a8f7c12005636b
      • 2b8ff2a971555390b37f75cb07ae84bd
      • 1e175231206cd7f80de4f6d86399c079
      • 65632998063ff116417b04b65fdebdfb
      • ab2a98d3564c6bf656b8347681ecc2be
      • e3dee2d65512b99a362a1dbf6726ba9c
      • fea3a39f97c00a6c8a589ff48bcc5a8c
      • 2cd1f7f17153880fd80eba65b827d344
      • 582b9801698c0c1614dbbae73c409efb
      • a64b3278cc8f8b75e3c86b6a1faa6686
      • ca250f3c7a3098964a89d879333ac7c8
      • ed5458de272171feee479c355ab4a9f3
      • f0e87707fd0462162e1aecb6b4a53a89
      • f1ca9c730c8b5169fe095d385bac77e7
      • f50a0cd229b7bf57fcbd67ccfa8a5147
    • Windows MATA
      • bea49839390e4f1eb3cb38d0fcaf897e    rdata.dat
      • 8910bdaaa6d3d40e9f60523d3a34f914    sdata.dat
      • 6a066cf853fe51e3398ef773d016a4a8
      • 228998f29864603fd4966cadd0be77fc
      • da50a7a05abffb806f4a60c461521f41
      • ec05817e19039c2f6cc2c021e2ea0016
    • Registry path
      • HKLM\Software\Microsoft\KxtNet
      • HKLM\Software\Microsoft\HlqNet
      • HKLM\Software\mthjk
    • Linux MATA
      • 859e7e9a11b37d355955f85b9a305fec    mdata.dat
      • 80c0efb9e129f7f9b05a783df6959812    ldata.dat, mdata.dat
      • d2f94e178c254669fb9656d5513356d2   mdata.dat
    • Linux Log Collector
      • 982bf527b9fe16205fea606d1beed7fa    hdata.dat
    • Open-source Linux SoCat
      • e883bf5fd22eb6237eb84d80bbcf2ac9    sdata.dat
    • Script for exploiting Atlassian Confluence Server
      • a99b7ef095f44cf35453465c64f0c70c    check.vm, r.vm
      • 199b4c116ac14964e9646b2f27595156    r.vm
    • macOS MATA
      • 81f8f0526740b55fe484c42126cd8396    TinkaOTP.dmg
      • f05437d510287448325bac98a1378de1    SubMenu.nib
  • C2 address
    • 104.232.71.7:443
    • 107.172.197.175:443
    • 108.170.31.81:443
    • 111.90.146.105:443
    • 111.90.148.132:443
    • 172.81.132.41:443
    • 172.93.184.62:443
    • 172.93.201.219:443
    • 185.62.58.207:443
    • 192.210.239.122:443
    • 198.180.198.6:443
    • 209.90.234.34:443
    • 216.244.71.233:443
    • 23.227.199.53:443
    • 23.227.199.69:443
    • 23.254.119.12:443
    • 67.43.239.146:443
    • 68.168.123.86:443