The North Korea-linked Lazarus APT group is active again and this time it is targeting the IT supply chain. The threat actor is using a multi-platform malware framework, known as the MATA framework along with a new variant of DeathNote malware.
What has happened?
Kaspersky has reported that Lazarus APT is establishing supply chain attack capabilities with an updated DeathNote malware cluster.
The malware, which is an updated variant of the BlindingCan RAT, has been used to target several IT companies.
In one of the incidents, the group targeted a South Korean security software to build an infection chain aimed at a think tank.
In another attack, an asset monitoring solutions developer based in Latvia was targeted.
Additionally, hackers use a Racket downloader (signed with a stolen certificate) in the infection chain.
The group compromised exposed web servers and deployed scripts to control the malicious implants.
It is for the first time that Lazarus has conducted an IT supply chain attack. Lazarus has used an updated MATA framework for this campaign, implying its exclusive interest in this framework.
The current version appears to be an enhanced version of the MATA framework, which is using stolen but legitimate digital certificates to sign a few of its components.
A few months ago, Lazarus used MATA to target sensitive data in the defense industry.
Previously, MATA infrastructure has also been used for dropping ransomware payloads.
In fact, the downloader malware fetching MATA manifests a connection to TangoDaiwbo that was previously associated with the Lazarus group.
Lazarus APT has joined the list of the threat groups employing supply chain attacks. The use of sophisticated tools such as MATA indicates that this threat actor may be attempting to take the threats of supply chain attacks to the next level. Therefore, organizations should stay alert and focus on defense efforts against such threats.