The North Korean hacking group Lazarus (also known as Hidden Cobra) has launched several high-profile attacks over the past few years to fulfill its financial motives. Recently, the group has been observed expanding its arsenal with TFlower ransomware in a double extortion campaign.
Diving into details
Sygnia researchers have reported the use of the MATA framework by the Lazarus Group to deliver TFlower ransomware in the campaign.
Using a new and so far undocumented variant of MATA together with TFlower, the recent Lazarus campaign has targeted a dozen victims for data exfiltration or extortion.
The MATA malware framework, an advanced cross-platform malware framework, is the key technical component of the campaign.
Additionally, during the attack, the group leveraged multiple tools, including the MATA backdoor, to evade detection.
Lazarus operated and maintained an extensive C2 infrastructure while targeting multiple platforms, including Windows, Linux, and macOS, during the attack.
The MATA framework was previously reported by Kaspersky on July 22, 2020, and by Netlab on December 19, 2019. Further, it is suspected that Lazarus possibly deployed over 150 C2 servers over time, with the latest one identified on February 4 this year.
The recent report indicating a connection or collaboration between the Lazarus Group and TFlower reflects the continued effort by North Korea to scale its cyber-extortion activities. Researchers anticipate that the group is now possibly collaborating with additional crime entities, creating such entities, outsourcing its capabilities, or selling offensive tools to other groups to achieve its financial targets.