Critical Infrastructure Security
,
Cyberwarfare / Nation-State Attacks
,
Fraud Management & Cybercrime
Kaspersky Observed New Generations of the Malware With Advanced Capabilities
Hackers used an updated malware framework to target more than a dozen oil, gas and defense sector companies in Eastern Europe, including air-gapped systems.
See Also: Navigating the Regulatory Landscape: Rising GRC Trends and Data Breach Risks
Security firm Kaspersky dubbed the multisystem platform Mata after discovering it in 2020. The firm said in a Wednesday report that a threat group had deployed three new generations of the framework, including one variant rewritten from scratch. That completely new version exhibited “advanced and complex architecture making use of loadable and embedded modules and plug-ins” in a campaign that targeted more than a dozen corporations from August 2022 through May.
Kaspersky previously associated Mata with North Korean hackers Lazarus Group but doesn’t attribute this campaign to the secretive and authoritarian Pyongyang regime. Researchers did see connections to the Korean Peninsula, including malicious spear-phishing Microsoft Word documents featuring a Korean font called Malgun Gothic, suggesting the developers are proficient in Korean or operate in a Korean-speaking environment.
One reason the security firm says it is hesitant to attribute the attacks to Lazarus is the sophistication of the hacking techniques, which it said are “similar to ones used by Five Eyes APT groups,” a reference to the intelligence alliance consisting of the United States, Canada, the United Kingdom, Australia and New Zealand.
“This must be a rich-enough actor to allow itself to burn out three giant expensive frameworks in one attack,” Kaspersky wrote.
Kaspersky first detected suspicious activity in September 2022 during an examination of two Mata samples, which communicated with command-and-control servers that hackers had managed to locate inside of the compromised organization’s networks.
Analysis revealed the compromised systems had been financial software servers linked to subsidiaries of the targeted organization. The hackers had expanded their control, progressing from a single domain controller within a production plant to encompass the entire corporate network.
Many of the initial infections began with spear-phishing emails impersonating actual employees of targeted corporations – indicating extensive pre-attack reconnaissance. The documents contained a link exploiting an old Internet Explorer zero-day bug, tracked as CVE-2021-26411 (see: Microsoft Patch Tuesday: A Call to Action). Lazarus has used the memory corruption vulnerability to attack security researchers.
Other victims clicked on a malicious link received through email or a messaging platform that fetched a payload masquerading as a “system update.”
Threat actors also used a module designed to infect air-gapped systems through USB thumb drives. It’s unlikely the hackers were able to make direct contact with air-gapped systems, leading them to code modules that contained encrypted lists of commands sent to an infected system and the results of those commands.,/p>
Hackers used different stealers tailored for different environments. The stealers’ capabilities ranged from capturing screenshots to extracting stored credentials and cookies from the victim’s devices.
Kaspersky also said the hackers had bypassed the endpoint detection and response tools of the victim organization using a publicly available exploit of CVE-2021-40449, dubbed CallbackHell. The attackers used this vulnerability to alter kernel memory and target specific callback routines and make the endpoint security tools ineffective.
To mask their activities, the attackers used techniques such as disguising files as legitimate applications, implementing multilevel file encryption, and setting extended intervals between connections to control servers.