A new version of MATA backdoor targets European entities

October 24, 2023

Hackers are currently using an updated version of the MATA backdoor framework to target several Eastern European energy and defence companies.

About a dozen Eastern European companies have already been compromised in this operation. MATA is a malware framework that has previously been associated with Lazarus, the North Korean state-sponsored threat group.

According to the reports, this campaign has not been explicitly attributed to the Lazarus group, but most of the malicious Word documents used the Korean font Malgun Gothic. That detail suggests the developers behind the campaign either knew Korean or worked in a Korean-language environment.

The new MATA backdoor was delivered through phishing emails.

From August 2022 to May 2023, the campaign relied heavily on phishing emails to lure employees of the targeted organisations into opening malicious documents that exploited a vulnerability in Internet Explorer. That vulnerability, CVE-2021-26411, carries a severity score of 7.5 out of 10 and had previously been exploited by the Lazarus group in its earlier campaign against security researchers.

In the phishing emails the attackers posed as genuine employees of the targeted organisations, which indicates that they conducted thorough reconnaissance before launching the attacks. The attached documents, however, contained text unrelated to the targeted businesses: the attackers lifted it from third-party websites.

The tools and tactics resembled those of earlier MATA attacks, but the malware itself was upgraded. The attackers introduced three new generations of MATA, some built on earlier versions and others rewritten from scratch, and changed the encryption, configuration format and communication protocol of each one.

A notable addition in this campaign was a module that moves data gathered on infected systems across USB drives. Researchers believe this method was used to reach systems isolated from the internet, which are kept air-gapped precisely because they often store sensitive data.

Unlike earlier MATA campaigns, in which the attackers delivered stealer malware directly to their targets, this operation used different stealers depending on the situation: in some cases a module that captured screenshots from the victim's device, in others one that extracted stored credentials and cookies.

The attackers use several techniques to hide their activity: disguising files as legitimate applications, applying multiple layers of file encryption, and waiting long intervals between connections to their command-and-control servers.
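Long, regular gaps between C2 connections defeat detections that look for high-frequency beaconing, but the regularity itself is still visible once enough history is collected. The script below is an added example written for this article, not code from the original page or from the researchers who analysed MATA; it applies a generic periodicity heuristic (mean gap and relative jitter per source/destination pair) to constructed proxy log lines. The host names, IP addresses and timestamps are invented, and the thresholds are assumptions to be tuned per environment.

```python
"""Detect slow, regular beaconing in proxy logs (added example, not the article's code).

Each log line is assumed to be "ISO8601-timestamp source destination"; the
lines in SAMPLE_LOG are constructed for illustration.  In it, host 10.0.0.5
contacts update-cdn.example (a hypothetical name) roughly every six hours,
which is the kind of extended interval described in the article.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_LOG = """\
2023-05-01T02:00:03Z 10.0.0.5 update-cdn.example
2023-05-01T02:14:40Z 10.0.0.7 www.example.org
2023-05-01T08:00:11Z 10.0.0.5 update-cdn.example
2023-05-01T09:30:00Z 10.0.0.7 www.example.org
2023-05-01T13:59:58Z 10.0.0.5 update-cdn.example
2023-05-01T20:00:07Z 10.0.0.5 update-cdn.example
2023-05-02T02:00:01Z 10.0.0.5 update-cdn.example
2023-05-02T11:12:13Z 10.0.0.7 www.example.org
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return flows


def find_slow_beacons(flows, min_period=3600.0, max_jitter=0.05, min_samples=4):
    """Return (pair, mean_gap_seconds, relative_jitter) for flows whose
    inter-connection gaps are both long (>= min_period) and regular
    (coefficient of variation <= max_jitter).

    Thresholds are assumptions: real implants add random jitter, so
    max_jitter must be raised for noisier beacons, and a long period
    means days of logs are needed before min_samples is reached.
    """
    hits = []
    for pair, times in flows.items():
        if len(times) < min_samples:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period < min_period:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            hits.append((pair, period, jitter))
    return hits


if __name__ == "__main__":
    for (src, dst), period, jitter in find_slow_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: every {period / 3600:.2f} h, jitter {jitter:.4f}")
```

On the constructed sample only the 10.0.0.5 to update-cdn.example pair is reported, with a period of about six hours; the three contacts from 10.0.0.7 are too few to score. In practice the same logic runs over days or weeks of proxy, DNS or NetFlow records, and a hit is a lead to check whether the "legitimate application" behind it is what it claims to be, not a verdict on its own.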

Organisations, especially in Eastern Europe's energy and defence sectors, should therefore be alert to this campaign, make sure browsers and Office components are patched against known vulnerabilities such as CVE-2021-26411, and tightly control the use of removable media on isolated systems.
