Kaspersky Lab, a computer security firm said today that the notorious hacking group from North Korea, known as Lazarus, has resurfaced. The group is allegedly operating a multipurpose malware framework to target Windows, macOS, and Linux devices.
A new MATA malware detected
Kaspersky alerted users that a multipurpose malware framework of MATA could target their machines soon. Lazarus is believed to be behind major online attacks, which include the 2014 Sony Pictures Hack and an $80 million heist from the Bangladesh cyber bank. This time it has launched a VHD Ransomware. The malicious program has been designed to extort money from users and has a self-replication method as well.
The campaign was first revealed by Kaspersky which noted that the malware was used in two attacks during this spring. It suggests that the latest attacks are different from other phishing operations of the group, as they use a novel code to infect machines. The campaign was first detected in Europe after it affected some businesses. However, there were not many hints on who was running it. Between March and May, 2020 researchers discovered a second VHD ransomware which helped them understand the malware and trace it back to Lazarus.
Attackers are connected to crypto
“Among other things –and most importantly – the attackers used a backdoor, which was a part of a multiplatform framework called MATA, which Kaspersky recently reported on in-depth and is linked to the aforementioned threat actor due to a number of code and utility similarities.”
The malware is self-spreading as it uses a spreading utility which follows similar patterns as APT campaigns. The spreading utility is compiled with credentials of every victim which then encrypts a user’s data. It then displays a message on the system demanding, Bitcoin in return for the decryption. This is done via HowToDecrypt.txt text file on the desktop of the victim.
Kaspersky suspects that VHD ransomware is linked with Lazarus. Though it doesn’t claim that the group is behind the attacks, it suggests in high confidence that the pattern is closely linked with Lazarus tools used against the businesses in Asia and France.