Sophisticated MATA Framework Strikes Eastern European Oil and Gas Companies

The Hacker News
An updated version of a sophisticated backdoor framework called MATA has been used in attacks aimed at over a dozen Eastern European companies in the oil and gas sector and defense industry as part of a cyber espionage operation that took place between August 2022 and May 2023.

“The actors behind the attack used spear-phishing mails to target several victims, some were infected with Windows executable malware by downloading files through an internet browser,” Kaspersky said in a new exhaustive report published this week.

“Each phishing document contains an external link to fetch a remote page containing a CVE-2021-26411 exploit.”

CVE-2021-26411 (CVSS score: 8.8) refers to a memory corruption vulnerability in Internet Explorer that could be triggered to execute arbitrary code by tricking a victim into visiting a specially crafted site. It was previously exploited by the Lazarus Group in early 2021 to target security researchers.

The cross-platform MATA framework was first documented by the Russian cybersecurity company in July 2020, linking it to the prolific North Korean state-sponsored crew in attacks targeting various sectors in Poland, Germany, Turkey, Korea, Japan, and India since April 2018.

The use of a revamped version of MATA to strike defense contractors was previously disclosed by Kaspersky in July 2023, although attribution to the Lazarus Group remains tenuous at best due to the presence of techniques used by Five Eyes APT actors such as Purple Lambert, Magenta Lambert, and Green Lambert.

That said, a majority of the malicious Microsoft Word documents created by the attackers feature a Korean font called Malgun Gothic, suggesting that the developer is either familiar with Korean or works in a Korean environment.

Russian cybersecurity company Positive Technologies, which shared details of the same framework late last month, is tracking the operators under the moniker Dark River.

“The group’s main tool, the MataDoor backdoor, has a modular architecture, with a complex, thoroughly designed system of network transports and flexible options for communication between the backdoor operator and an infected machine,” security researchers Denis Kuvshinov and Maxim Andreev said.

“The code analysis suggests that the developers invested considerable resources into the tool.”

The latest attack chains begin with the actor sending spear-phishing documents to targets, in some cases by impersonating legitimate employees, indicating prior reconnaissance and extensive preparation. These documents include a link to an HTML page that embeds an exploit for CVE-2021-26411.

A successful compromise leads to the execution of a loader that, in turn, retrieves a Validator module from a remote server to send system information and download and upload files to and from the command-and-control (C2) server.

The Validator is also designed to fetch MataDoor, which, according to Kaspersky, is MATA generation 4 and is equipped to run a wide range of commands capable of gathering sensitive information from compromised systems.

The attacks are further characterized by the use of stealer malware to capture content from the clipboard, record keystrokes, take screenshots, and siphon passwords and cookies from the Windows Credential Manager and Internet Explorer.

Another noteworthy tool is a USB propagation module that allows for sending commands to the infected system via removable media, likely enabling the threat actors to infiltrate air-gapped networks. Also employed is an exploit called CallbackHell to elevate privileges and bypass endpoint security products so as to achieve their goals without attracting attention.

Kaspersky said it also discovered a new MATA variant, dubbed MATA generation 5 or MATAv5, that’s “completely rewritten from scratch” and “exhibits an advanced and complex architecture making use of loadable and embedded modules and plugins.”

“The malware leverages inter-process communication (IPC) channels internally and employs a diverse range of commands, enabling it to establish proxy chains across various protocols - also within the victim’s environment,” the company added.

In total, the MATA framework and its cocktail of plugins incorporate support for over 100 commands pertaining to information gathering, event monitoring, process management, file management, network reconnaissance, and proxy functionality.

“The actor demonstrated high capabilities of navigating through and leveraging security solutions deployed in the victim’s environment,” Kaspersky said.

“Attackers used many techniques to hide their activity: rootkits and vulnerable drivers, disguising files as legitimate applications, using ports open for communication between applications, multi-level encryption of files and network activity of malware, [and] setting long wait times between connections to control servers.”
