Kaspersky’s security researchers have identified a multi-platform malware framework that they believe North Korea-linked hackers have been leveraging in attacks over the past couple of years.
Called MATA, the platform appears to have been in use since spring 2018 to target computers running Windows, Linux, and macOS. The framework, which consists of components such as a loader, an orchestrator, and plugins, is believed to be linked to the prolific North Korean hacking group Lazarus.
Active since 2009 or earlier and also referred to as Hidden Cobra, Lazarus has been associated with various high-profile attacks, including the WannaCry outbreak in 2017. More recently, the group was observed targeting cryptocurrency exchanges.
Lazarus is known for both cyber-espionage and financially-motivated attacks, and was previously observed targeting banks in campaigns such as ATMDtrack and AppleJeus. Activity involving the MATA platform shows that the threat actor continues this type of attacks.
Based on discovered artifacts, Kaspersky assesses that MATA has been used in assaults on corporate entities worldwide since April 2018, aimed at stealing information such as customer databases, but also leveraged to distribute ransomware.
Victims of the framework are located in Germany, India, Japan, Korea, Poland, and Turkey. The attacks showed that the threat actor hasn’t been focused on a single industry, but targeted multiple sectors, including software development, e-commerce, and an internet service provider.
Analysis of the MATA orchestrator revealed unique filenames previously seen in several variants of the Manuscrypt malware family, and shares a configuration structure similar to that of Manuscrypt, which Kaspersky considered to be evidence of ties with Lazarus.
“Writing malware for Linux and macOS systems often indicates that the attacker feels that he has more than enough tools for the Windows platform, which the overwhelming majority of devices are run on. This approach is typically found among mature APT groups. We expect the MATA framework to be developed even further and advise organizations to pay more attention to the security of their data, as it remains one of the key and most valuable resources that could be affected,” Seongsu Park, senior security researcher at Kaspersky, commented.
Related: North Korean Hackers Release Mac Variant of Dacls RAT
Related: Magecart Attacks on Claire’s and Other U.S. Stores Linked to North Korea
Related: North Korean Hackers Continue to Target Cryptocurrency Exchanges

More from Ionut Arghire
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
- Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- Latitude Financial Services Data Breach Impacts 300,000 Customers
- US Government Warns Organizations of LockBit 3.0 Ransomware Attacks
- New ‘Trigona’ Ransomware Targets US, Europe, Australia
Latest News
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Ferrari Says Ransomware Attack Exposed Customer Data
- Aembit Scores $16.6M Seed Funding for Workload IAM Technology
- Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
