Lazarus Group, also tracked as Hidden Cobra, is a North Korea-linked threat actor best known for the 2017 WannaCry ransomware, which spread across large networks automatically by exploiting an already-patched vulnerability in Microsoft's Windows operating system.
Now the group has deployed a new multi-platform malware framework, MATA, against corporate targets around the world with the goal of stealing confidential customer data and distributing ransomware.
The MATA framework can target Windows, Linux and macOS, and it ships with a wide range of features for carrying out malicious activity on infected machines.
The group had historically specialized in malware for Windows and macOS, but more recently it built a Remote Access Trojan (RAT) dubbed Dacls that runs on both Windows and Linux.
Overview of the MATA multi-platform malware framework
The framework is called MATA because the malware authors themselves refer to its infrastructure as "MataNet". According to cybersecurity firm Kaspersky, it has been in use since 2018, with victims traced to unnamed companies in the software development and internet service provider sectors located in Germany, Poland, Turkey, South Korea, Japan and India.
MATA exists in several versions. The Windows version consists of a loader that decrypts and loads an encrypted next-stage payload, and an orchestrator, found running inside the lsass.exe process, that can load up to 15 plugins at a time and execute them entirely in memory.
The plugins provide capabilities such as running an HTTP proxy server, manipulating files and system processes, and injecting DLLs.
MATA also lets the attackers target Linux-based diskless network devices such as IoT devices, routers and firewalls, as well as macOS systems, where it masquerades as TinkaOTP, a 2FA app based on MinaOTP, an open-source two-factor authentication application.
How MATA malware framework was linked to the Lazarus group
Kaspersky linked MATA to the Lazarus Group through a unique file-name format ("c_2910.cls" and "k_3872.cls") found in the orchestrator, which had previously been observed in several variants of the group's Manuscrypt malware.
Users and administrators are advised to keep their systems patched in a timely manner and to check for infection by hunting for those two file names, which are used by Lazarus tooling. A hit is a strong signal that warrants a full investigation; the absence of these files does not clear a host, since the orchestrator and its plugins operate in memory, so the sweep should be paired with inspection of unexpected modules inside the lsass.exe process and with endpoint telemetry.
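One way to run the file-name hunt described above, as an added example that is not part of the original article or of any Kaspersky tooling. The two indicator names come from the article; the helper names and the constructed sample directory tree are assumptions for illustration only. The sweep is case-insensitive and keeps going past unreadable directories, because on a real host a single permission error should not hide hits elsewhere.

```python
"""Filesystem sweep for the MATA orchestrator file-name indicators.

Added example, not from the original article or from Kaspersky. The two
indicator names are the ones reported in the article; the function names
and the constructed sample tree below are assumptions for illustration.
"""
import os
import tempfile
from pathlib import Path
from typing import Iterable, List

# Indicator file names reported for the MATA orchestrator. Matching is
# case-insensitive because NTFS ignores case and casing is not part of the IOC.
MATA_FILE_NAME_IOCS = ("c_2910.cls", "k_3872.cls")


def find_ioc_files(root: str, names: Iterable[str] = MATA_FILE_NAME_IOCS) -> List[str]:
    """Walk `root` and return the sorted paths whose file name matches an IOC.

    Unreadable directories are reported and skipped rather than aborting the
    sweep. Symlinks are not followed, so a looped or attacker-planted link
    cannot send the sweep somewhere unexpected.
    """
    wanted = {n.lower() for n in names}
    hits: List[str] = []

    def _skip(err: OSError) -> None:  # os.walk onerror callback: warn and continue
        print(f"[warn] skipping {err.filename}: {err.strerror}")

    for dirpath, _dirnames, filenames in os.walk(root, onerror=_skip, followlinks=False):
        for fn in filenames:
            if fn.lower() in wanted:
                hits.append(os.path.join(dirpath, fn))
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a constructed directory tree so the demo runs offline.

    Everything here is synthetic: one planted indicator file, one copy with
    different casing, and two decoys whose names resemble the IOCs but do
    not match them (an extra extension, and an unrelated .c file).
    """
    base = tempfile.mkdtemp(prefix="mata_sweep_")
    layout = {
        "Windows/Temp/c_2910.cls": b"planted indicator",
        "ProgramData/cache/K_3872.CLS": b"planted indicator, different case",
        "Users/alice/notes/c_2910.cls.txt": b"decoy: extra extension",
        "Users/alice/notes/k_3872.c": b"decoy: unrelated source file",
    }
    for rel, body in layout.items():
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
    return base


def basenames(paths: Iterable[str]) -> List[str]:
    """Lower-cased file names of the given paths, sorted; used for reporting."""
    return sorted(os.path.basename(p).lower() for p in paths)


if __name__ == "__main__":
    # On a real host, pass the drive or mount point to sweep instead of the
    # constructed sample tree, e.g. find_ioc_files("C:\\") or find_ioc_files("/").
    root = build_sample_tree()
    for hit in find_ioc_files(root):
        print("HIT:", hit)
```

Run the sweep from an elevated shell so that system directories are readable, and treat every hit as the start of an investigation rather than its conclusion: collect the file, the process that wrote it and the lsass.exe memory image before remediating anything.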