Sygnia researchers report evidence that the North Korean Lazarus Group used the MATA malware framework to deliver TFlower ransomware in a recent campaign.
The new research by Sygnia indicates a link between the Lazarus Group and TFlower. The researchers were unable to establish the exact nature of this relationship, and the finding still needs further validation, but it may indicate that North Korea is continuing to scale up its cyber-extortion efforts.
Over the past few years, the North Korean hacker group Lazarus (also known as Hidden Cobra) has launched several high-profile attacks.
In its most recent campaign, Lazarus targeted a dozen victims for data exfiltration or extortion.
According to the researchers, the group has expanded its arsenal with TFlower ransomware, deploying a new, previously undocumented variant of the MATA framework alongside it.
Among other findings, Sygnia reports that the threat actor applies sophisticated and systematic detection evasion techniques in attacks targeting multiple platforms, including Windows, Linux, and macOS. According to the researchers, Lazarus used various tools, including the MATA backdoor, to evade detection.
Sygnia presents evidence that the MATA malware framework is active and widespread, with over 200 command and control (C2) instances observed across more than 150 IP addresses.
In view of the evidence linking Lazarus and TFlower, Sygnia researchers say the North Korean hacker group may now be collaborating with other cybercriminal entities, creating such entities itself, outsourcing capabilities, or selling hacking tools to other criminal groups.
Sygnia’s report presents evidence of the connection between the North Korean MATA framework and TFlower. It also details the anatomy of the MATA backdoor and presents wider threat research into over 200 MATA framework C2 instances deployed since May 2019 across more than 150 IP addresses.
The researchers also provide recommendations for detecting and eradicating MATA malware.