
Lazarus Group Tied to TFlower Ransomware

Sygnia Researchers Say Hackers Use Its MATA Framework to Deliver Malware
Attack using the Lazarus Group's MATA malware framework, from initial execution to persistence mechanism (Source: Sygnia)

The Lazarus Group, a North Korean hacking operation also known as Hidden Cobra, is deploying TFlower ransomware, using its MATA malware framework, security firm Sygnia reports.


The group has been using the MATA framework to deliver payloads since 2019, according to previous reports from security firms Kaspersky and NetLabs (see: Lazarus Group Deploying Fresh Malware Framework).

The deployment of TFlower using the MATA framework "raises the possibility that the Lazarus Group is either the group behind TFlower or has some level of collaboration in operations or capabilities with it," the report says. "Alternatively, the group may be masquerading as TFlower for some of its ransomware operations."

The campaign using TFlower ransomware has targeted a dozen victims for data exfiltration or extortion, says Arie Zilberstein, vice president of incident response at Sygnia.

MATA Framework

Sygnia’s report found that the MATA framework is delivered in two stages: an initial loader, an .EXE file, loads the first malware component, and a next-stage loader decrypts and executes the payload component stored in a .DAT file. The TFlower payload delivered via MATA then establishes a command-and-control channel to the threat actors’ servers.
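The two-stage layout described above, an .EXE loader beside an encrypted .DAT payload, is something a responder can hunt for on a host even without the specific hashes. The following script is an added triage example written for this article; it is not Sygnia's code and does not use any indicator from the report. It walks a directory tree, flags .DAT files that are large, have an .EXE sibling in the same folder, and whose Shannon entropy is close to 8 bits per byte (the signature of an encrypted or compressed blob). The entropy threshold, the minimum size, and the sample directory tree it builds are all assumptions constructed for the demonstration.

```python
import math
import os
import tempfile
from pathlib import Path

# Assumed heuristics for this example: ciphertext approaches 8 bits/byte,
# while config text or uncompressed data usually sits well below 6.5.
ENTROPY_THRESHOLD = 7.2
MIN_SIZE = 1024  # ignore tiny .DAT files; a real second stage is larger


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_suspect_dat_files(root, threshold=ENTROPY_THRESHOLD, min_size=MIN_SIZE):
    """Return (path, entropy, [exe siblings]) for .DAT files that look like
    an encrypted payload staged next to a loader executable."""
    root = Path(root)
    hits = []
    for dat in root.rglob("*"):
        if not dat.is_file() or dat.suffix.lower() != ".dat":
            continue
        data = dat.read_bytes()
        if len(data) < min_size:
            continue
        # The loader/payload pairing is the point: a lone high-entropy .DAT
        # (media cache, game asset) is not interesting on its own.
        exe_siblings = sorted(
            p.name for p in dat.parent.iterdir()
            if p.is_file() and p.suffix.lower() == ".exe"
        )
        if not exe_siblings:
            continue
        ent = shannon_entropy(data)
        if ent >= threshold:
            hits.append((str(dat), round(ent, 2), exe_siblings))
    return hits


def build_sample_tree() -> str:
    """Construct a throwaway directory tree (sample data for this example only):
    one benign config .DAT beside an EXE, one random-bytes .DAT beside an EXE,
    and one random-bytes .DAT with no EXE beside it."""
    root = Path(tempfile.mkdtemp(prefix="dat_hunt_"))
    benign = root / "app"
    benign.mkdir()
    (benign / "settings.dat").write_bytes(b"version=1\r\nuser=alice\r\n" * 200)
    (benign / "app.exe").write_bytes(b"MZ" + b"\x00" * 2048)
    staged = root / "loader"
    staged.mkdir()
    (staged / "payload.dat").write_bytes(os.urandom(64 * 1024))  # stands in for ciphertext
    (staged / "loader.exe").write_bytes(b"MZ" + b"\x00" * 2048)
    lonely = root / "media"
    lonely.mkdir()
    (lonely / "cache.dat").write_bytes(os.urandom(64 * 1024))  # high entropy, no loader
    return str(root)


if __name__ == "__main__":
    for path, ent, exes in find_suspect_dat_files(build_sample_tree()):
        print(f"{path}: entropy={ent} bits/byte, EXE siblings={exes}")
```

Only the loader/payload.dat pair is reported; the plaintext config and the orphan high-entropy file are not. Entropy is a triage filter, not a verdict: compressed archives, installers and legitimate packed resources also score near 8, so every hit still needs the loader inspected and matched against published indicators before it is called MATA.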

Once deployed, the MATA backdoor provides the hacking group with remote code execution capability on infected machines and performs additional tasks, such as screen capture and network traffic tunneling, the report adds.

"The MATA malware framework … is considered a highly advanced cross-platform malware framework, allowing [the hackers] to move laterally and target multiple platforms (Windows, Linux, Mac) during the attack," Zilberstein says. "The threat actor activities as seen in the victim’s network indicate a stealthy and operational security (OPSEC) aware actor that is actively attempting to evade detection. Lastly, the fact that the threat actor operated and maintained such an extensive C2 infrastructure indicates an advanced, persistent and sophisticated actor with the capacity and the means to maintain it."

Long History of Attacks

The Lazarus Group has been tied to several high-profile attacks. It was behind the WannaCry worm, the theft of $81 million from a Bangladesh bank and the attack on Sony Pictures. Now, it's apparently expanding into ransomware.

In February, a report by Kaspersky found that the Lazarus Group has been conducting a campaign against defense industry targets in more than a dozen countries using a backdoor called ThreatNeedle, which moves laterally through networks and can overcome network segmentation (see: Lazarus Hits Defense Firms with ThreatNeedle Malware).

The U.S. government has issued frequent warnings about North Korea-sponsored hackers and has published data on nearly 30 malware variants associated with hacking groups suspected of working with the regime (see: Group Behind WannaCry Now Using New Malware).

About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
