Lazarus uses advanced toolset for espionage, ransomware
Researchers from Kaspersky have uncovered a series of attacks which employ an advanced malware framework, called MATA, to target Windows, Linux and macOS operating systems.
In use since spring 2018, the framework is linked to Lazarus, a notorious and prolific North Korean APT group known for its sophisticated operations, cyber espionage and financially motivated attacks.
Malicious toolsets that can target multiple platforms are highly unusual, as they require a significant investment from the developer, says Kaspersky. They are often deployed for long-term use, which results in increased profit for the malefactor through numerous attacks spread out over a lengthy period of time.
“In the cases discovered by Kaspersky, the MATA framework was able to target three platforms, Windows, Linux and macOS, which means the bad actors intended to use it for multiple purposes,” the company said.
The framework consists of several components, including a loader, an orchestrator (which manages and co-ordinates the processes once a device is infected) as well as plugins.
The researchers added that the first artefacts discovered that relate to MATA were used in or around April 2018. Since then, the actor behind this framework has taken an aggressive approach in its attempts to infiltrate corporate entities across the globe, and the framework has been used in a number of attacks aimed at stealing customer databases and distributing ransomware.
Telemetry data from Kaspersky indicates that the actor was not focusing on a specific territory as the victims infected by the MATA framework were located in Poland, Germany, Turkey, Korea, Japan and India.
In addition, the APT group compromised systems in a variety of industries, including a software development company, an e-commerce company and an Internet service provider.
Seongsu Park, a senior security researcher at Kaspersky, says this latest series of attacks indicates that Lazarus was willing to invest significant resources into developing this toolset and widening the reach in terms of organisations that could be targeted.
“Furthermore, writing malware for Linux and macOS systems often indicates that the attacker feels that he has more than enough tools for the Windows platform, which the overwhelming majority of devices are run on,” he adds.
Park adds that this type of approach is typically found among mature APT groups. “We expect the MATA framework to be developed even further and advise organisations to pay more attention to the security of their data.”
In order to avoid falling victim to multi-platform malware, Kaspersky researchers recommend installing a dedicated cyber security product on all Windows, Linux and macOS endpoints, as well as providing the SOC team with access to the latest threat intelligence to help them stay up to date with any new and emerging tools, techniques and tactics used by threat actors.
And, of course, it helps to have fresh back-up copies of business data that are quickly accessible.