Kaspersky is alerting SOC teams to a new malware framework it has discovered and linked to the notorious North Korean hacking group known as Lazarus.
Dubbed “MATA,” the framework has apparently been in use since around April 2018, mainly to aid in attacks designed to steal customer databases and distribute ransomware.
Since that time it appears to have been deployed in a wide variety of scenarios, targeting e-commerce firms, software developers and ISPs across Poland, Germany, Turkey, Korea, Japan and India.
The framework itself gives its controllers the flexibility to target Windows, Linux and macOS, and consists of several components including loader, orchestrator and plugins.
Kaspersky tied its use to the Lazarus group, which has been engaged for years in cyber-espionage and sabotage and, via its Bluenoroff subgroup, attempts to accrue illicit funds for its Pyongyang masters. The group was pegged for WannaCry, as well as sophisticated attacks on financial institutions including the infamous $81m raid of Bangladesh Bank.
Kaspersky senior researcher, Seongsu Park, argued that the latest attacks linked to Lazarus show it is willing to invest serious resources to develop new malware toolsets in the hunt for money and data.
“Furthermore, writing malware for Linux and macOS systems often indicates that the attacker feels that he has more than enough tools for the Windows platform, which the overwhelming majority of devices are run on. This approach is typically found among mature APT groups” he added.
“We expect the MATA framework to be developed even further and advise organizations to pay more attention to the security of their data, as it remains one of the key and most valuable resources that could be affected.”
The security vendor urged SOC teams to access the latest threat intelligence feeds, install dedicated security on all Windows, macOS and Linus endpoints, and to back-up regularly.