Kaspersky data reveals updated MATA attacks targeting industrial companies in Eastern Europe

New data released by researchers from Kaspersky’s Global Research and Analysis Team (GReAT) and Industrial Control Systems Cyber Emergency Response Team (ICS CERT) has unveiled significant developments in cyber espionage activity targeting Eastern European industrial companies. The activity involves the deployment of an updated MATA toolset.

The research disclosed that in early September 2022, new malware samples linked to the MATA cluster were uncovered. Subsequent analysis of the gathered telemetry data revealed that the campaign had been initiated in mid-August 2022, with a focus on infiltrating more than a dozen corporations based in Eastern Europe. The primary targets included entities within the oil and gas sector, as well as those operating within the defense industry.

“After analyzing the timeline and functionality of each malware, we have determined the infection chain of the campaign, although some parts remain unknown due to limited visibility,” Kaspersky researchers wrote in a Wednesday blog post. “The attacker employed a combination of loader, main trojan, and stealer infection chains similar to those used by the previous MATA cluster and updated each malware’s capabilities. Moreover, they introduced a process to validate compromised victims to ensure careful malware delivery.”

They added that the hackers behind the attack used spear-phishing emails to target several victims, some of whom were infected with Windows executable malware by downloading files through an internet browser. “Each phishing document contains an external link to fetch a remote page containing a CVE-2021-26411 exploit. The attackers continued to send malicious documents via email until the end of September 2022. Overall, the campaign remained active over 6 months, until May 2023.”

The MATA infection chain was intricate, integrating loader, main trojan, and stealers, with exploits, rootkits, and precise victim validation processes. A key discovery involved internal IP addresses used as Command and Control (C&C) servers, indicating attackers deployed their own control and exfiltration system inside the victims’ infrastructure. Kaspersky promptly alerted affected organizations, leading to swift responses.

The attack began with a phishing email at a factory, spread through the network and compromised the parent company’s domain controller. The attackers used vulnerabilities and rootkits to interfere with security systems, gaining control over workstations and servers. Notably, they accessed the management panels of security solutions, exploiting vulnerabilities and weak configurations to gather information and to distribute malware to subsidiaries and to systems not connected to the corporate domain infrastructure.

“Protecting the industrial sector from targeted attacks requires a vigilant approach that combines robust cybersecurity practices with a proactive mindset,” Vyacheslav Kopeytsev, a senior security researcher at Kaspersky’s ICS CERT, said in a media statement. “At Kaspersky, our experts literally follow APT developments keeping track of their evolution and predicting their moves to be able to detect their new tactics and tools. Our ongoing dedication to cybersecurity research is driven by a commitment to provide organizations with critical insights into the ever-evolving landscape of cyber threats.”

Kopeytsev added that by staying informed and implementing the latest security measures, businesses can bolster their defense against sophisticated adversaries and safeguard their networks and systems. 

The researchers identified three new generations of the MATA malware, along with a Linux MATA generation 3, a USB (universal serial bus) propagation module capable of bridging air-gapped networks, stealers, and EDR/security bypass tools.

“The first of the new generations is an evolution of the previous MATA generation 2. The second, which we dubbed ‘MataDoor,’ has been rewritten from scratch and may be considered generation 4,” Kaspersky identified. “The last one we named MATA gen.5, and it has been rewritten from scratch as well. Like previous generations, it has extensive remote control capabilities over the infected system, has a modular architecture, and provides attackers with the ability to connect to control servers using various protocols, as well as supporting flexible proxy server chains.”

Researchers observed that the actor spread the MATA Linux version through security solutions to several Linux servers. “We’ve seen identical ELF malware on several paths including anti-malware solution control server and Linux hosts. Therefore, we strongly believe that this malware was delivered by security solutions remote installation functionality. The Linux version has very similar capability to the 3rd generation MATA Windows version, and seems to have been built from the same sources.”

The USB propagation module is a special malware module designed to send commands to the infected system via removable media. “The same module is also responsible for transporting data collected by the malware on the infected system, which is also done via USB. In our opinion, this component is used by attackers to infiltrate systems that are air-gapped from subnets that have access to the internet, since such systems usually store the most sensitive information,” the research identified. 

The research added that in previous MATA activity targeting the defense industry, a stealer malware was delivered to the victim. “Likewise in this attack, the actor delivered the malware responsible for stealing sensitive information through the complicated infection procedure. The actor employed a variety of stealers based on the circumstances. In some instances, they used malware that was only capable of capturing screenshots from the user’s device. In other cases, there were stealers aimed to exfiltrate stored credentials and cookies from the victim.”

In some cases, “we observed the actor took advantage of a public exploit called CallbackHell to escalate privilege and bypass endpoint security products. The exploit, which we discovered and reported in 2021, triggers the CVE-2021-40449 vulnerability, a use-after-free vulnerability, in Win32k’s NtGdiResetDC API,” according to the Kaspersky researchers. “This added layer of complexity allowed them to operate undetected and achieve their objectives more effectively. Similarly, they used the BYOVD (Bring Your Own Vulnerable Driver) technique when attacking systems that had the CVE-2021-40449 vulnerability patch installed.”

Earlier this month, data released by the Kaspersky ICS CERT team revealed that ransomware and other criminally driven assaults have emerged as a pervasive threat to industrial organizations globally within the initial six months of this year. The situation is increasingly concerning. In its H1 2022 report, research disclosed that there were seven hacktivist attacks and 10 criminal ransomware incidents. In H2 2022, this surged to 40 cybercrime cases and one hacktivist attack. The current report reveals a staggering 67 cybercrime cases.
