Kaspersky’s security researchers have identified a multi-platform malware framework that they believe North Korea-linked hackers have been leveraging in attacks over the past couple of years.
Called MATA, the platform appears to have been in use since spring 2018 to target computers running Windows, Linux, and macOS. The framework, which consists of components such as a loader, an orchestrator, and plugins, is believed to be linked to the prolific North Korean hacking group Lazarus.
Active since 2009 or earlier and also referred to as Hidden Cobra, Lazarus has been associated with various high-profile attacks, including the WannaCry outbreak in 2017. More recently, the group was observed targeting cryptocurrency exchanges.
Lazarus is known for both cyber-espionage and financially-motivated attacks, and was previously observed targeting banks in campaigns such as ATMDtrack and AppleJeus. Activity involving the MATA platform shows that the threat actor continues this type of attacks.
Based on discovered artifacts, Kaspersky assesses that MATA has been used in assaults on corporate entities worldwide since April 2018, aimed at stealing information such as customer databases, but also leveraged to distribute ransomware.
Victims of the framework are located in Germany, India, Japan, Korea, Poland, and Turkey. The attacks showed that the threat actor hasn’t been focused on a single industry, but targeted multiple sectors, including software development, e-commerce, and an internet service provider.
Analysis of the MATA orchestrator revealed unique filenames previously seen in several variants of the Manuscrypt malware family, and shares a configuration structure similar to that of Manuscrypt, which Kaspersky considered to be evidence of ties with Lazarus.
“Writing malware for Linux and macOS systems often indicates that the attacker feels that he has more than enough tools for the Windows platform, which the overwhelming majority of devices are run on. This approach is typically found among mature APT groups. We expect the MATA framework to be developed even further and advise organizations to pay more attention to the security of their data, as it remains one of the key and most valuable resources that could be affected,” Seongsu Park, senior security researcher at Kaspersky, commented.
Related: North Korean Hackers Release Mac Variant of Dacls RAT
Related: Magecart Attacks on Claire’s and Other U.S. Stores Linked to North Korea
Related: North Korean Hackers Continue to Target Cryptocurrency Exchanges

More from Ionut Arghire
- Software Supply Chain Security Firm Lineaje Raises $7 Million
- Vulnerability Provided Access to Toyota Supplier Management Network
- Linux Variant of Cl0p Ransomware Emerges
- New York Attorney General Fines Vendor for Illegally Promoting Spyware
- 20 Million Users Impacted by Data Breach at Instant Checkmate, TruthFinder
- Florida Hospital Cancels Procedures, Diverts Patients Following Cyberattack
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Atlassian Warns of Critical Jira Service Management Vulnerability
Latest News
- Germany Appoints Central Bank IT Chief to Head Cybersecurity
- OpenSSL Ships Patch for High-Severity Flaws
- Software Supply Chain Security Firm Lineaje Raises $7 Million
- ICS Cybersecurity Firm Opscura Launches With $9.4 Million in Series A Funding
- Vulnerability Provided Access to Toyota Supplier Management Network
- Patch Released for Actively Exploited GoAnywhere MFT Zero-Day
- Linux Variant of Cl0p Ransomware Emerges
- VMware Says No Evidence of Zero-Day Exploitation in ESXiArgs Ransomware Attacks
