Eastern European energy and defense firms targeted with MATA backdoor

Hackers have targeted more than a dozen oil, gas and defense firms in Eastern Europe with an updated version of the MATA backdoor framework, according to recent research.

The MATA backdoor was previously attributed to the North Korean hacker group Lazarus.

Researchers at the cybersecurity firm Kaspersky, who uncovered the campaign, did not directly link the latest attacks to Lazarus. However, they noted that the majority of malicious Microsoft Word documents created by the hackers had a Korean font called Malgun Gothic, suggesting that the developer is either familiar with Korean or works in a Korean environment.

In the latest campaign, which ran from August 2022 to May 2023, attackers used phishing emails to trick their targets into downloading malware that exploited a vulnerability in Internet Explorer.

Tracked as CVE-2021-26411, this vulnerability holds a severity score of 7.5 out of 10 on the CVSS scale. It was previously used by the Lazarus group in their campaign against security researchers.

In their phishing emails, the attackers pretended to be real employees of the target organizations, implying they had done thorough research before launching their attacks.

The emails included malicious documents that were not related to the targeted businesses. The attackers got the text used in the documents from third-party websites on the internet. Lazarus had previously used this tactic in attacks on defense industry facilities in 2020, Kaspersky said.

The attackers used a combination of tools and tactics similar to those employed in the previous MATA attacks but with improved malware capabilities.

For example, researchers have identified three new generations of the MATA malware — some built on previous versions and others rewritten from scratch. All of them had several modifications to their encryption, configuration, and communication protocols.

Another interesting tool used by hackers in this campaign is a special malware module that moves data gathered by the malware on the infected system by infecting USB drives. Researchers believe attackers used it to breach systems isolated from the internet, which often store highly sensitive data.

Unlike previous MATA campaigns, where hackers sent a stealer malware directly to their targets, in this operation they employed different stealers depending on the situation. Sometimes, they used malware that could only take screenshots from the user's device, while in other cases they deployed stealers designed to extract stored credentials and cookies from the victim.

Attackers used many techniques to hide their activity, disguising files as legitimate applications, using multilevel encryption of files, and setting long wait times between connections to control servers.

“This and much more shows how sophisticated modern targeted attacks can be,” the researchers said.