In early September 2022 Kaspersky experts discovered several detections of malware from the MATA cluster, previously attributed to the Lazarus group, compromising defense contractor companies in Eastern Europe. This campaign remained active until May 2023. Expanding our research scope, we investigated and discovered additional, new, active actor campaigns with full infection chains, including an implant designed to work within air-gapped networks over USB sticks, as well as a Linux MATA backdoor.
The updated MATA malware was distributed via spear-phishing techniques to target victims, deploying malware over multiple stages using validators. The actor also abused various security and anti-malware solutions the victims used, in the process of propagating within their environment. The new MATA generation 3 and generation 4 introduced several modifications to its encryption, configuration and communication protocols and one of them appears to have been rewritten from scratch. The new MATA generations incorporate new functionalities in terms of circumventing network limitations, allowing the actor to build complex proxy chains within the victims’ network as well as creating a ‘stack’ of various communication protocols to be used for C2 (Command and Control) communications.
During this research we also discovered a new MATA variant we dubbed MATA generation 5. This sophisticated malware, which has been completely rewritten from scratch, exhibits an advanced and complex architecture making use of loadable and embedded modules and plugins. MATA gen.5 is capable of functioning as both a service and a DLL within different processes. The malware leverages Inter-Process Communication (IPC) channels internally and employs a diverse range of commands, enabling it to establish proxy chains across various protocols – also within the victim’s environment.