MATA framework campaign invoked by The Lazarus Group

August 5, 2020
lazarus group north korea orchestrator malware antimalware trojan hacking hackers

Browsing through the web and searching for a state-sponsored group, you will find results for this so-called The Lazarus Group. They are formerly known as APT38, God’s Apostles, God’s Disciples, Guardian of Peace, ZINC, and Team Cobra at the same time these off-shoots units called Bluenoroff and Andariel. A two pages article from the US Department of Treasury discusses how infamous this Cyber Security Group. They are sophisticated as they can focus their target on almost all types of Operating System. They are linked to past attacks from Europe to Asia.


The Lazarus Group Timeline

  • Operation Troy (2009) attack vector used Mydoom and Dozer malware attack against the United States and South Korea websites.
  • The Cyber attack (2013) dub as Ten Days of Rain is a distributed denial-of-service (DDoS) against targeted in South Korea.
  • Sony Breach attack (2014) called Guardian of Peace (GOP) used Server Message Block (SMB) Worm to exfiltrate data.
  • WannaCry Attack (2017) ransomware attack that spans globally targeted computers running EternalBlue exploits discovered by National Security Agency (NSA).
  • Cryptocurrency attack (2017) Hancom’s Hangul word processing software exploited vulnerability used by Lazarus via spear-phishing lures.
  • ElectricFish cyber theft attack (2019) tunneling tool used to create a session to efficiently transfer traffic between the target and the attacker; Trojan called BadCall is used in conjunction to infect the target system and turned it into as a host – proxy server.


MATA framework campaign was initially detected in April 2018 and reused by Lazarus Group to inflict another attack. As it was first observed in the wild due to its comprehensive framework that is used vastly to infiltrate corporate entities around the world.


Distribution Phase

The attack uses both loader and Orchestrator malware to load and stage the payload executed via remote host to a compromised host in the same network. In contrast, Orchestrator malware infuses in the Isass.exe process on the victims’ system, then loaded encrypted configuration data from a registry key and decrypt it with the AES algorithm. On Linux, a Socat tool and MATA campaign (Orchestrator malware) for Linux is bundled together used as a plugin. For macOS, an Apple Disk image file is weaponized and named as MinaOpt which was used to generate 2FA tokens.

About the author

Leave a Reply