December 2, 2023

Hackers have targeted more than a dozen oil, gas and defense companies in Eastern Europe with an updated version of the MATA backdoor framework, according to recent research.

The MATA backdoor was previously attributed to the North Korean hacker group Lazarus.

Researchers at the cybersecurity firm Kaspersky, who uncovered this campaign, did not directly link the latest attacks to Lazarus. However, they noted that most of the malicious Word documents created by the hackers used a Korean font called Malgun Gothic, suggesting that the developer either knows Korean or works in a Korean-language environment.
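The font observation above is the kind of weak indicator an analyst can check mechanically during document triage. The following is an added example, not Kaspersky's code or part of the original article: it unpacks a .docx, collects every font declared in the font table (`w:font w:name`) and in run properties (`w:rFonts` attributes) under `word/`, and reports any Korean UI font. The name set `KOREAN_UI_FONTS` and the helper `build_sample_docx`, which constructs a minimal test document in memory, are assumptions for illustration; a hit only says the document was authored with a Korean font available, so treat it as a pivot for further analysis rather than proof of origin.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

# WordprocessingML namespace. Font declarations live under it in
# word/fontTable.xml (w:font w:name="...") and in run properties
# (w:rFonts w:ascii / w:hAnsi / w:eastAsia / w:cs).
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Fonts that hint at a Korean authoring environment. Malgun Gothic is the one
# Kaspersky called out; its Korean display name is included as an assumption.
KOREAN_UI_FONTS = {"Malgun Gothic", "맑은 고딕"}


def fonts_in_docx(docx_bytes: bytes) -> set:
    """Collect every font name declared anywhere in a .docx package.

    Looks at both the font table and the per-run w:rFonts properties in every
    word/*.xml part, since an authoring tool may leave its UI font in either.
    Note: stdlib ElementTree is used here for portability; for hostile
    documents prefer defusedxml, which rejects entity-expansion tricks.
    """
    fonts = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for member in zf.namelist():
            if not (member.startswith("word/") and member.endswith(".xml")):
                continue
            try:
                root = ET.fromstring(zf.read(member))
            except ET.ParseError:
                continue  # malformed part: skip it rather than abort the triage run
            for font in root.iter(f"{{{W_NS}}}font"):
                name = font.get(f"{{{W_NS}}}name")
                if name:
                    fonts.add(name)
            for rfonts in root.iter(f"{{{W_NS}}}rFonts"):
                for attr in ("ascii", "hAnsi", "eastAsia", "cs"):
                    name = rfonts.get(f"{{{W_NS}}}{attr}")
                    if name:
                        fonts.add(name)
    return fonts


def korean_font_hits(docx_bytes: bytes) -> list:
    """Return the Korean UI fonts found in the document, sorted; empty if none."""
    return sorted(fonts_in_docx(docx_bytes) & KOREAN_UI_FONTS)


def build_sample_docx(east_asia_font: str) -> bytes:
    """Build a minimal, constructed .docx in memory for testing (not a real sample).

    The body is a single run whose eastAsia font is `east_asia_font`; the font
    table declares Calibri plus that font, mirroring what Word itself writes.
    """
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>'
    )
    document = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r>'
        f'<w:rPr><w:rFonts w:ascii="Calibri" w:hAnsi="Calibri" w:eastAsia="{east_asia_font}"/></w:rPr>'
        '<w:t>Invoice attached</w:t></w:r></w:p></w:body></w:document>'
    )
    font_table = (
        f'<w:fonts xmlns:w="{W_NS}">'
        '<w:font w:name="Calibri"/>'
        f'<w:font w:name="{east_asia_font}"/>'
        '</w:fonts>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/fontTable.xml", font_table)
    return buf.getvalue()


if __name__ == "__main__":
    for font in ("Malgun Gothic", "Calibri"):
        hits = korean_font_hits(build_sample_docx(font))
        print(f"eastAsia={font!r}: korean_font_hits={hits}")
```

To run it against a real attachment, pass the file's bytes to `korean_font_hits` instead of the constructed sample. Reading every `word/*.xml` part rather than only `fontTable.xml` matters in practice: templates and embedded styles can carry a font that the font table omits.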

In the latest campaign, which ran from August 2022 to May 2023, attackers used phishing emails to trick their targets into downloading malware that exploited a vulnerability in Internet Explorer.

Tracked as CVE-2021-26411, the vulnerability has a severity score of 7.5 out of 10 on the CVSS scale. It was previously used by the Lazarus group in its campaign against security researchers.

In their phishing emails, the attackers posed as real employees of the target organizations, implying they had carried out thorough reconnaissance before launching their attacks.

The emails carried malicious documents whose contents were unrelated to the targeted businesses. The attackers lifted the text used in the documents from third-party websites. Lazarus had previously used this tactic in attacks on defense industry facilities in 2020, Kaspersky said.

The attackers used a combination of tools and tactics similar to those employed in the earlier MATA attacks, but with improved malware capabilities.

For example, researchers identified three new generations of the MATA malware, some built on earlier versions and others rewritten from scratch. All of them had several modifications to their encryption, configuration and communication protocols.

Another notable tool used by the hackers in this campaign is a dedicated malware module that moves data collected by the malware on the infected system by infecting USB drives. Researchers believe the attackers used it to reach systems isolated from the internet, which often store highly sensitive data.

Unlike earlier MATA campaigns, in which the hackers sent a stealer directly to their targets, in this operation they deployed different stealers depending on the situation. Sometimes they used malware that could only take screenshots from the user's device, while in other cases they deployed stealers designed to extract saved credentials and cookies from the victim.

The attackers used many techniques to hide their activity: disguising files as legitimate applications, using multilevel encryption of files, and setting long wait times between connections to their command-and-control servers.

“This and much more shows how sophisticated modern targeted attacks can be,” the researchers said.


Daryna Antoniuk

Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.