MATA Malware Framework Exploits EDR in Campaigns Against Targeted Companies

A revised edition of the MATA backdoor framework has been identified in a series of attacks that took place from August 2022 to May 2023, targeting companies in the oil and gas sector and the defense industry in Eastern Europe.

These attacks leveraged spear-phishing emails to deceive their targets into downloading malicious executable files that exploit the CVE-2021-26411 vulnerability in Internet Explorer, thereby initiating the infection process.

The updated MATA framework encompasses a loader, a primary trojan, and an information-stealing component, which enable it to establish a backdoor and maintain a persistent presence within the compromised networks.

Remarkably, the malware propagates across various segments of the corporate network by bypassing security compliance solutions and exploiting their weaknesses.

The cybersecurity firm uncovered this malicious activity in September 2022, during an investigation involving two MATA samples that were communicating with command and control servers (C2) located within breached organization networks.

Upon further scrutiny, it was revealed that the compromised systems were financial software servers linked to numerous subsidiaries of the targeted organization.

The investigation disclosed that the attackers had expanded their control from a single domain controller in a production plant to encompass the entire corporate network.

The breach proceeded with the hackers gaining access to 2 security solution administration panels—one for endpoint protection and the other for compliance assessments.

Exploiting this access, the hackers conducted surveillance on the organization’s infrastructure and disseminated malware to its subsidiaries.

In cases where the targets were Linux servers, the attackers utilized a Linux variant of MATA in the form of an ELF file, which appears to offer similar functionality to the third generation of the Windows implant.

Kaspersky reported encountering three new versions of the MATA malware: one (v3) evolving from the second generation seen in previous attacks, a second (v4) referred to as ‘MataDoor,’ and a third (v5) created from scratch.

The latest iteration of MATA is presented in DLL form and boasts extensive remote control capabilities, supporting multi-protocol connections (TCP, SSL, PSSL, PDTLS) to command servers, along with proxy server chains (SOCKS4, SOCKS5, HTTP+web, HTTP+NTLM).

MATA’s fifth generation offers 23 distinct commands, encompassing activities to establish connectivity, manage the implant, and retrieve information.

While there are still apparent connections to Lazarus activity, the newer MATA variants and techniques, such as TTLV serialization, multilayered protocols, and handshake mechanisms, more closely resemble the methods of ‘Five Eyes’ APT groups like Purple, Magenta, and Green Lambert.

Additionally, the deployment of multiple malware frameworks and various MATA versions within a single attack is highly unusual, suggesting the involvement of a particularly well-resourced threat actor.