
MATA Framework Strikes Eastern European Oil and Gas Sector to Commit Advanced Cyber Espionage

A sophisticated backdoor framework named MATA has resurfaced, this time targeting Eastern European companies in the oil and gas sector and the defense industry. The cyber espionage campaign ran quietly between August 2022 and May 2023, leaving behind the artifacts that security researchers have since pieced together.

Spear-Phishing Tactics and CVE-2021-26411 Exploit Unleashed

The attackers opened the campaign with spear-phishing emails that led victims to download Windows executable malware. Kaspersky's report found that each phishing document contained an external link pointing to a remote page hosting an exploit for CVE-2021-26411, a memory corruption vulnerability in Internet Explorer.

The vulnerability carries a CVSS score of 8.8 and allows arbitrary code execution once a victim is lured into visiting a crafted site, which is exactly what the link in the document did.
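The infection chain above hinges on a phishing document that carries an external link rather than an embedded payload. The following added example, which is not code from the page or from Kaspersky, shows one way a defender can triage such documents: in OOXML (.docx) files every hyperlink, attached remote template or external OLE object is declared in a `.rels` part with `TargetMode="External"`, so enumerating those relationships surfaces remote targets without rendering the document. The sample documents are built in memory and are constructed for the example; the lure URL is an assumed placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML package-relationship namespace used by every .rels part.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPES = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# External-mode targets that reach off the host (mailto: is External too but stays local).
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "file://", "\\\\")


def external_targets(docx_bytes: bytes) -> list[tuple[str, str, str]]:
    """Return (rels_part, relationship_kind, target) for each External-mode relationship.

    Walks every *.rels part in the package, so hyperlinks in document.xml.rels,
    attachedTemplate entries in settings.xml.rels and external oleObject
    references are all caught by the same rule.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                hits.append((name, kind, rel.get("Target", "")))
    return hits


def remote_link_targets(docx_bytes: bytes) -> list[tuple[str, str, str]]:
    """Keep only External relationships whose target is a remote resource."""
    return [h for h in external_targets(docx_bytes)
            if h[2].lower().startswith(REMOTE_SCHEMES)]


def build_docx(extra_rels: str = "") -> bytes:
    """Build a minimal, constructed .docx in memory (not a real sample from the campaign)."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>')
    root_rels = (
        f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{REL_TYPES}officeDocument" Target="word/document.xml"/>'
        '</Relationships>')
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Please review the attached report.</w:t></w:r></w:p></w:body>'
        '</w:document>')
    doc_rels = (
        f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{REL_TYPES}styles" Target="styles.xml"/>'
        f'{extra_rels}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
    return buf.getvalue()


# Constructed samples: one with only internal parts, one carrying an external hyperlink
# to an assumed lure host (placeholder, not an indicator from the campaign).
BENIGN_DOC = build_docx()
SUSPICIOUS_DOC = build_docx(
    f'<Relationship Id="rId2" Type="{REL_TYPES}hyperlink" '
    'Target="http://lure.example/landing" TargetMode="External"/>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("suspicious", SUSPICIOUS_DOC)):
        print(label, remote_link_targets(doc))
```

The check is deliberately format-level rather than content-level: it does not need to know which Internet Explorer bug the landing page serves, only that an inbound document asks the viewer to reach out to an unexpected host. In a mail gateway the same routine can feed the extracted targets into URL reputation or sandbox detonation.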

The MATA framework, first documented by Kaspersky in July 2020, was linked to North Korean state-sponsored activity targeting various sectors across Europe and Asia. This time around, defense contractors bore the brunt of a revamped MATA version, raising eyebrows in cybersecurity circles.

Kaspersky disclosed the attack in July 2023 and cautiously linked it to the Lazarus Group. The attribution remains uncertain, however, because some of the techniques used resemble those of Five Eyes APT actors.

Unveiling the Operators

Positive Technologies, which tracks the operators as Dark River, sheds light on the group's primary tool, the MataDoor backdoor. Security researchers Denis Kuvshinov and Maxim Andreev highlight its modular architecture and sophisticated network transports, which point to substantial resources invested in its development.

The researchers also noted the extensive preparation behind the spear-phishing attacks, with reconnaissance of targets that indicates a well-resourced adversary.

MATA Generation 5

Kaspersky's disclosure of MATA Generation 5, a complete rewrite with a more advanced architecture, adds another chapter. This variant uses inter-process communication channels between its components and can build proxy chains across various protocols inside the victim's environment.

Kaspersky emphasized the malware's ability to evade the security solutions deployed in the victim's environment, which it took as a sign of the attacker's high level of sophistication.

MATA Framework’s Arsenal

The MATA framework, together with its many plugins, supports over 100 commands covering information gathering, event monitoring, process and file management, network reconnaissance, and proxy functionality.

Stealth Techniques to Conceal Activity

To further cloak their activity, the threat actors employed a variety of techniques, including rootkits, file disguises, and multi-level encryption. Kaspersky also notes the careful choice of ports and the long wait times between connections, a deliberate effort to stay below the thresholds of network-based detection.
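Long gaps between connections defeat detections that expect chatty, short-interval beacons, but regularity remains a signal: a host that contacts the same external endpoint every few hours with almost no jitter stands out once the analysis window is long enough. The following added example, which is not code from the page or from Kaspersky, runs that check over a handful of constructed flow-log lines (format, addresses and ports are assumed for the example). It flags destination pairs whose mean interval exceeds a floor and whose interval variation stays small, and ignores bursty, irregular traffic.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow log (not real campaign data): "timestamp src dst:port bytes".
# 198.51.100.7:8443 is contacted every ~6 hours with seconds of jitter;
# 203.0.113.9:443 shows a normal short burst followed by an unrelated session.
SAMPLE_LOG = """\
2023-03-01T00:00:00 10.1.2.3 198.51.100.7:8443 512
2023-03-01T06:00:05 10.1.2.3 198.51.100.7:8443 498
2023-03-01T12:00:02 10.1.2.3 198.51.100.7:8443 530
2023-03-01T18:00:07 10.1.2.3 198.51.100.7:8443 501
2023-03-02T00:00:01 10.1.2.3 198.51.100.7:8443 515
2023-03-01T00:00:00 10.1.2.3 203.0.113.9:443 10240
2023-03-01T00:00:03 10.1.2.3 203.0.113.9:443 20480
2023-03-01T00:00:10 10.1.2.3 203.0.113.9:443 4096
2023-03-01T01:30:00 10.1.2.3 203.0.113.9:443 30000
"""


def parse_flows(text: str) -> list[tuple[datetime, str, str, int, int]]:
    """Parse the assumed log format into (timestamp, src, dst_host, dst_port, bytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        host, port = dst.rsplit(":", 1)
        flows.append((datetime.fromisoformat(ts), src, host, int(port), int(nbytes)))
    return flows


def find_slow_beacons(flows, min_connections=4, min_interval_s=3600, max_jitter=0.05):
    """Return (src, dst_host, dst_port), count, mean_gap_s, jitter for regular long-interval pairs.

    jitter is the coefficient of variation of the inter-connection gaps
    (population stddev / mean); near zero means a clock-driven schedule.
    """
    by_pair = defaultdict(list)
    for ts, src, host, port, _ in flows:
        by_pair[(src, host, port)].append(ts)

    findings = []
    for key, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg < min_interval_s:
            continue  # short-interval traffic is handled by ordinary beacon rules
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append((key, len(times), round(avg), round(jitter, 4)))
    return findings


if __name__ == "__main__":
    for key, count, gap, jitter in find_slow_beacons(parse_flows(SAMPLE_LOG)):
        print(f"{key}: {count} connections, mean gap {gap}s, jitter {jitter}")
```

Two tuning points matter in practice: the analysis window must cover several multiples of the expected interval (a day of logs shows four or five six-hour beacons, not a pattern), and a real implant may add randomised sleep, so `max_jitter` should be set from the environment's baseline rather than from this constructed sample.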
