Kaspersky’s Global Research and Analysis Team (GReAT) and Industrial Control Systems Cyber Emergency Response Team (ICS CERT) have unveiled significant developments in the cyber espionage activities targeting Eastern European industrial companies with the use of updated MATA toolset. The investigation, spanning months, exposed sophisticated attack techniques, updated malware capabilities, and a novel infection chain.
In early September 2022, new malware samples linked to the MATA cluster, previously associated with the Lazarus group, were identified. This campaign, targeting over a dozen Eastern European corporations, persisted from mid-August 2022 to May 2023. The attackers employed spear-phishing emails carrying a CVE-2021-26411 exploit as well as Windows executable malware downloaded through web browsers.
The MATA infection chain was intricate, integrating loader, main trojan, and stealers, with exploits, rootkits and precise victim validation processes. A key discovery involved internal IP addresses used as Command and Control (C&C) servers, indicating attackers deployed their own control and exfiltration system inside the victims’ infrastructure. Kaspersky promptly alerted affected organizations, leading to swift responses.
The attack began at a factory with a phishing email, spread through the network and compromised a parent company’s domain controller. The attackers used vulnerabilities and rootkits to interfere with security systems, gaining control over workstations and servers. Notably, they accessed the management panels of security solutions, exploiting vulnerabilities and weak configurations to gather information and distribute malware to subsidiaries and to systems not connected to the corporate domain infrastructure.
“Protecting the industrial sector from targeted attacks requires a vigilant approach that combines robust cybersecurity practices with a proactive mindset. At Kaspersky, our experts literally follow APT developments, keeping track of their evolution and predicting their moves to be able to detect their new tactics and tools. Our ongoing dedication to cybersecurity research is driven by a commitment to provide organizations with critical insights into the ever-evolving landscape of cyber threats. By staying informed and implementing the latest security measures, businesses can bolster their defense against sophisticated adversaries and safeguard their networks and systems,” comments Vyacheslav Kopeytsev, a senior security researcher at Kaspersky’s ICS CERT.
Other noteworthy findings include:
- Three new generations of MATA malware (3, 4 and 5): These featured advanced remote control capabilities, modular architecture, and support for various protocols, along with flexible proxy server chains.
- Linux MATA Generation 3: The Linux version shared capabilities with its Windows counterpart and was delivered through security solutions.
- USB Propagation Module: Facilitating infiltration of air-gapped networks, this module transferred data via removable media, particularly in systems holding sensitive information.
- Stealers: These were employed to capture sensitive information, such as screenshots and stored credentials, customized to specific circumstances.
- EDR/security bypass tools: Attackers leveraged public exploits to escalate privileges and bypass endpoint security products. Additionally, the BYOVD (Bring Your Own Vulnerable Driver) technique was used on systems where the patch for CVE-2021-40449 was already installed.
- The latest MATA versions use techniques similar to those used by Five Eyes APT groups, raising questions about attribution that are hard to answer definitively.