Last week, researchers reported on the latest notorious Lazarus APT tool, which has been used in the group’s attacks since spring 2018. Their new ‘toy’ was named MATA. It is a modular cross-platform framework with several components, including a loader, an orchestrator, and multiple plugins, that can be used to infect Windows, Linux, and macOS systems. The Lazarus group used MATA for ransomware deployment and data theft in attacks targeting corporate entities in Poland, Germany, Turkey, Korea, Japan, and India.
The MATA framework can load plugins into the attacked system’s memory to run commands, manipulate files and processes, inject DLLs, and create HTTP proxies and tunnels on Windows devices. Adversaries can also use MATA plugins to scan for new targets on macOS and Linux-based machines, and researchers discovered a module that can be used to configure proxy servers on the macOS platform.
Osman Demir published a community rule that helps security solutions uncover this threat: https://tdm.socprime.com/tdm/info/4JJxStzvi2TO/dvrEj3MBPeJ4_8xcMrLp/?p=1
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio
EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint
Tactics: Execution, Defense Evasion
Techniques: Modify Registry (T1112), Windows Management Instrumentation (T1047)
It is worth noting that at the end of last year, Qihoo 360 Netlab researchers also published information about some modifications of this framework, which they called Dacls. Content for detecting them was also developed by participants of the Threat Bounty Program:
Dacls RAT (Lazarus’s Linux Malware) by Ariel Millahuel – https://tdm.socprime.com/tdm/info/5HeXUIKc6cVQ/YSA2VHEBjwDfaYjKFOtA/
APT38 – Lazarus Dacls RAT Win/Linux detection rule by Emanuele De Lucia – https://tdm.socprime.com/tdm/info/w26Km1iVJtES/WgepHm8B1pWV9U6sGLzy/