Kaspersky cybersecurity teams (GReAT and CERT) have unveiled significant developments in the cyber espionage activities targeting Eastern European industrial companies with the use of the updated MATA toolset. The investigation – spanning months – exposed sophisticated attack techniques, updated malware capabilities, and a novel infection chain.

In early September 2022, new malware samples linked to the MATA cluster, previously associated with the Lazarus group, were identified. The campaign, which targeted more than a dozen Eastern European corporations, persisted from mid-August 2022 to May 2023. The attackers used spear-phishing emails that exploited CVE-2021-26411 (a memory corruption vulnerability in Internet Explorer) and delivered Windows executable malware as downloads through web browsers.

The MATA infection chain was intricate: a loader, the main trojan and stealers, combined with exploits, rootkits and careful validation of each victim before further payloads were deployed. A key discovery was that internal IP addresses were used as command-and-control (C&C) servers, indicating that the attackers had deployed their own control and exfiltration infrastructure inside the victims’ networks. Kaspersky promptly alerted the affected organisations, which responded swiftly.

The attack began at a factory with a phishing email; from there the attackers moved through the network and compromised the parent company’s domain controller. They exploited vulnerabilities and deployed rootkits to interfere with security systems, gaining control over workstations and servers. Notably, they gained access to the management consoles of security solutions and, exploiting vulnerabilities and weak configurations in them, used those consoles to gather information and to distribute malware to subsidiaries and to systems not joined to the corporate domain.

“Protecting the industrial sector from targeted attacks requires a vigilant approach that combines robust cybersecurity practices with a proactive mindset,” says Vyacheslav Kopeytsev, a senior security researcher at Kaspersky’s ICS CERT. “At Kaspersky, our experts literally follow APT developments, keeping track of their evolution and predicting their moves to be able to detect their new tactics and tools. Our ongoing dedication to cybersecurity research is driven by a commitment to provide organisations with critical insights into the ever-evolving landscape of cyberthreats.

“By staying informed and implementing the latest security measures, businesses can bolster their defence against sophisticated adversaries and safeguard their networks and systems,” Kopeytsev adds.

Other noteworthy findings by the teams include:
• Three new generations of MATA malware (3, 4 and 5): these featured advanced remote-control capabilities, a modular architecture, support for various protocols and flexible proxy-server chains.

• Linux MATA generation 3: the Linux version shared capabilities with its Windows counterpart and was delivered through the security solutions the attackers had compromised.

• USB propagation module: designed to reach air-gapped networks, this module transferred data via removable media, targeting in particular systems holding sensitive information.

• Stealers: customised to the target environment, these captured sensitive information such as screenshots and stored credentials.

• EDR/security bypass tools: the attackers used public exploits to escalate privileges and bypass endpoint security products. On systems where the patch for CVE-2021-40449 (a Win32k privilege-escalation vulnerability) was already installed, they instead used the BYOVD (Bring Your Own Vulnerable Driver) technique.

• The latest MATA versions use techniques similar to those used by Five Eyes APT groups, raising attribution questions that are hard to answer definitively.