Lazarus Group Tied to TFlower RansomwareSygnia Researchers Say Hackers Use Its MATA Framework to Deliver Malware
The Lazarus Group, a North Korean hacking operation also known as Hidden Cobra, is deploying TFlower ransomware, using its MATA malware framework, security firm Sygnia reports.
The group has been using the MATA framework to deliver payloads since 2019, according to previous reports from security firms Kaspersky and NetLabs (see: Lazarus Group Deploying Fresh Malware Framework).
The deployment of TFlower using the MATA framework "raises the possibility that the Lazarus Group is either the group behind TFlower or has some level of collaboration in operations or capabilities with it," the report says. "Alternatively, the group may be masquerading as TFlower for some of its ransomware operations."
The campaign using TFlower ransomware has targeted a dozen victims for data exfiltration or extortion, says Arie Zilberstein, vice president, incident response at Sygnia.
Sygnia’s report found that the MATA framework consists of an initial loader, which loads the first malware using a .EXE file, and a next-stage loader for decrypting and executing the payload component stored in the .DAT file. The TFlower payload delivered via MATA establishes a command-and-control channel to the threat actors’ servers.
Once deployed, the MATA backdoor provides the hacking group with remote code execution capability on infected machines and performs additional tasks, such as screen capture and network traffic tunneling, the report adds.
"The MATA malware framework … is considered a highly advanced cross-platform malware framework, allowing [the hackers] to move laterally and target multiple platforms (Windows, Linux, Mac) during the attack," Zilberstein says. "The threat actor activities as seen in the victim’s network indicate a stealthy and operational security (OPSEC) aware actor that is actively attempting to evade detection. Lastly, the fact that the threat actor operated and maintained such an extensive C2 infrastructure indicates an advanced, persistent and sophisticated actor with the capacity and the means to maintain it."
Long History of Attacks
The Lazarus Group has been tied to several high-profile attacks. It was behind the WannaCry worm, the theft of $81 million from a Bangladesh bank and the attack on Sony Pictures. Now, it's apparently expanding into ransomware.
In February, a report by Kaspersky found that the Lazarus Group has been conducting a campaign against defense industry targets in more than a dozen countries using a backdoor called ThreatNeedle, which moves laterally through networks and can overcome network segmentation (see: Lazarus Hits Defense Firms with ThreatNeedle Malware).
The U.S. government has issued frequent warnings about North Korea-sponsored hackers and has published data on nearly 30 malware variants associated with hacking groups suspected of working with the regime (see: Group Behind WannaCry Now Using New Malware).