In early September 2022, we discovered several new malware samples belonging to the MATA cluster. As we collected and analyzed the relevant telemetry, we realized that the campaign had been launched in mid-August 2022 and had targeted over a dozen corporations in Eastern Europe in the oil and gas sector and the defense industry.
The actors behind the attack used spear-phishing emails to target several victims; some of them were infected with Windows executable malware by downloading files through a web browser. Each phishing document contains an external link that fetches a remote page hosting an exploit for CVE-2021-26411 (an Internet Explorer memory-corruption vulnerability). The attackers continued to send malicious documents via email until the end of September 2022. Overall, the campaign remained active for more than six months, until May 2023.
After analyzing the timeline and functionality of each malware sample, we determined the infection chain of the campaign, although some parts remain unknown because of limited visibility. The attacker employed a combination of loader, main trojan, and stealer infection chains similar to those used by the previous MATA cluster, and updated the capabilities of each component. Moreover, they introduced a step that validates compromised victims before further payloads are delivered, so that the malware reaches only the targets the operators actually want.
A turning point in the investigation was the discovery of two MATA samples whose C&C server addresses were internal IP addresses. Attackers often build a chain of proxy servers inside a corporate network to relay traffic between implants and the real C&C, for example when infected systems have no direct internet access. An internal address in a C&C configuration can only work if the attacker already controls the host at that address, so such entries are a strong indicator that those hosts are compromised. We had seen this technique before, but in this case the malware configuration contained IP addresses from a subnet we were unfamiliar with at the time, and that caught our attention. We immediately notified the affected organization of the likely compromise of systems with these IP addresses and received a swift response.
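The following triage script is an added example, not code from the original report or from Kaspersky: it takes C&C entries as they would be extracted from malware configurations, flags the ones that fall inside non-routable address space, and maps each internal address to a known corporate subnet so the incident responder knows which site to look at first. The sample C&C list and the site-to-subnet table are constructed for illustration and are not the real addresses from the investigation.

```python
"""Triage C&C addresses pulled from malware configurations.

An entry inside RFC 1918, CGNAT, loopback or link-local space cannot be the
attacker's own infrastructure: it only works if the host at that address is
already under attacker control and is relaying traffic.  Those hosts are the
first place to look.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ranges that are never routable on the public internet.  Defined explicitly
# instead of relying on ipaddress.is_private, whose coverage differs between
# Python versions.
INTERNAL_RANGES = [
    ipaddress.ip_network(n) for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
        "100.64.0.0/10",                                     # CGNAT, RFC 6598
        "127.0.0.0/8", "169.254.0.0/16",                     # loopback, link-local
        "fc00::/7", "fe80::/10", "::1/128",                  # IPv6 equivalents
    )
]


@dataclass
class C2Finding:
    raw: str
    host: str
    port: Optional[int]
    internal: bool
    site: Optional[str]   # label of the known corporate subnet, if any


def split_host_port(entry: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port', '[v6]:port' or a bare host into (host, port)."""
    entry = entry.strip()
    if entry.startswith("["):                     # bracketed IPv6 literal
        host, _, rest = entry[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else None
        return host, port
    if entry.count(":") == 1:                     # IPv4 or hostname with port
        host, port = entry.split(":")
        return host, int(port)
    return entry, None                            # bare host or raw IPv6


def triage_c2(entries: List[str], site_subnets: Dict[str, str]) -> List[C2Finding]:
    """Classify each C&C entry; site_subnets maps a site label to a CIDR."""
    sites = {label: ipaddress.ip_network(cidr) for label, cidr in site_subnets.items()}
    findings = []
    for raw in entries:
        host, port = split_host_port(raw)
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:                        # hostname rather than an IP literal
            findings.append(C2Finding(raw, host, port, False, None))
            continue
        internal = any(addr in net for net in INTERNAL_RANGES)
        site = next((label for label, net in sites.items() if addr in net), None)
        findings.append(C2Finding(raw, host, port, internal, site))
    return findings


# Constructed sample input (hypothetical addresses, not real MATA configuration data).
SAMPLE_C2 = [
    "203.0.113.8:443",          # documentation range, stands in for public infra
    "10.24.7.15:443",           # inside a plant subnet
    "192.168.44.2:8443",        # inside the finance server subnet
    "updates.example.net:443",  # hostname, resolved at run time by the implant
    "[fd12:3456::10]:443",      # IPv6 unique local address
]
SAMPLE_SITES = {"plant-A": "10.24.0.0/16", "hq-finance": "192.168.44.0/24"}


def internal_c2_hosts(entries=SAMPLE_C2, site_subnets=SAMPLE_SITES):
    """Return (host, site) for every entry that points inside the network."""
    return [(f.host, f.site) for f in triage_c2(entries, site_subnets) if f.internal]


if __name__ == "__main__":
    for f in triage_c2(SAMPLE_C2, SAMPLE_SITES):
        verdict = "INTERNAL: treat host as a compromised relay" if f.internal else "external"
        where = f" (site {f.site})" if f.site else ""
        print(f"{f.raw:28} {verdict}{where}")
```

Hostnames are deliberately not resolved: resolving an attacker-controlled name from an analysis machine leaks the fact that the sample is being examined, and the answer can change between the incident and the analysis anyway.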
When we started investigating this case, we realized that the compromised systems were financial software servers, and that these servers had network access to several dozen subsidiaries of the targeted organization. At that point it became clear that the compromise of one plant’s domain controller was just the tip of the iceberg. As we continued our investigation, we found that the attackers had started at the factory, with a phishing email, and moved through its network until they found a saved RDP connection shortcut pointing at the parent company’s terminal server. They then obtained that user’s credentials and connected to the terminal server. After that, the attackers repeated everything they had done at the plant, but this time at the scale of the entire parent company. Using a vulnerable legitimate driver (the bring-your-own-vulnerable-driver technique) together with a rootkit, they interfered with the antivirus, intercepted user credentials (many of which were cached on the terminal server, including accounts with administrator privileges on many systems), and began moving actively around the network. A terminal server that many privileged users log on to is exactly where cached credentials accumulate; keeping privileged accounts out of such hosts, placing them in the Protected Users group, and enforcing a vulnerable-driver blocklist such as Microsoft’s recommended driver block rules all narrow this path.
Naturally, this led to the parent company’s domain controller being compromised and to control being gained over even more workstations and servers. But the attackers did not stop there. Next, they gained access to the control panels of two security solutions at once. First, they took control of a solution that checks systems’ compliance with information security requirements by exploiting one of its vulnerabilities. Second, using that solution, they reached the control panel of the endpoint protection solution, which had not been securely configured.
In both cases, the security solutions were used by the attackers to gather information about the targeted organization’s infrastructure and to distribute malware, since both systems can deploy and execute files on managed hosts remotely. Taking over the centralized consoles that manage security solutions therefore let the attackers push malware to multiple subsidiaries at once, and to infect servers running Unix-like systems (which they could not reach even after gaining full control of the organization’s domain) with the Linux variant of MATA. A console that can run arbitrary files on every managed host is, for practical purposes, a domain-controller-grade asset: it belongs in the same administrative tier, behind dedicated admin accounts, and its deployment jobs deserve the same scrutiny as scheduled tasks and service creations on a domain controller.
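The report does not name the two products or show their audit logs, so the following hunting script is an added example rather than anything from the original post or from the vendors involved. It runs over a constructed, generic key=value audit log of a management console's remote deployment feature and flags jobs that look like the abuse described above: a package whose hash is not on the approved list, a job started by an account that is not a console administrator, and a single job that fans out across several subsidiary domains (including non-Windows hosts). The log format, hostnames, hashes and user names are all hypothetical.

```python
"""Hunt for abuse of a security-management console's remote-execution feature.

The log layout used here is a constructed, generic key=value format, not any
vendor's real audit log; adapt parse_line() to the product you actually run.
"""
import re
from typing import Dict, Iterable, List, Set

# key=value or key="quoted value" pairs
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, object]:
    """Turn one audit line into a dict; 'targets' becomes a list of hosts."""
    ev: Dict[str, object] = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    targets = ev.get("targets", "")
    ev["targets"] = [t for t in str(targets).split(",") if t]
    return ev


def domain_of(host: str) -> str:
    """'srv01.sub-b.corp.example' -> 'sub-b.corp.example' (the site/subsidiary)."""
    return host.split(".", 1)[1].lower() if "." in host else ""


def hunt_deployments(lines: Iterable[str], approved_hashes: Set[str],
                     console_admins: Set[str], max_domains: int = 1) -> Dict[str, List[str]]:
    """Return {task_id: [reasons]} for every deploy-and-run job that breaks a rule."""
    alerts: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse_line(line)
        if ev.get("action") != "deploy_and_run":
            continue                                   # scans, policy pushes etc. are out of scope
        reasons = []
        if ev.get("sha256") not in approved_hashes:
            reasons.append(f"package {ev.get('sha256')} is not an approved build")
        if ev.get("user") not in console_admins:
            reasons.append(f"initiator {ev.get('user')} is not a console administrator")
        domains = {domain_of(t) for t in ev["targets"]}
        if len(domains) > max_domains:
            reasons.append(f"fan-out across {len(domains)} domains: {sorted(domains)}")
        if any(t.startswith("lnx-") for t in ev["targets"]):
            reasons.append("job touches Linux hosts (hypothetical 'lnx-' naming convention)")
        if reasons:
            alerts[str(ev.get("task"))] = reasons
    return alerts


# Constructed sample log (hypothetical hosts, users and hashes).
SAMPLE_LOG = [
    'ts=2022-09-12T08:14:02Z task=T-1001 action=deploy_and_run user=svc-compliance '
    'sha256=3f1a9c0e7b2d4e55 targets=ws-101.plant-a.corp.example,ws-102.plant-a.corp.example',
    'ts=2022-09-12T23:41:55Z task=T-1002 action=deploy_and_run user=helpdesk7 '
    'sha256=9b7e2d1c4a6f8e03 targets="dc01.plant-a.corp.example,srv-fin01.hq.corp.example,'
    'erp02.sub-b.corp.example,lnx-app1.sub-c.corp.example"',
    'ts=2022-09-13T09:00:10Z task=T-1003 action=scan user=svc-compliance '
    'targets=ws-103.plant-a.corp.example',
]
APPROVED_HASHES = {"3f1a9c0e7b2d4e55"}          # hashes of the agent builds IT actually signed off
CONSOLE_ADMINS = {"svc-compliance", "secops-admin"}


def sample_alerts() -> Dict[str, List[str]]:
    return hunt_deployments(SAMPLE_LOG, APPROVED_HASHES, CONSOLE_ADMINS)


if __name__ == "__main__":
    for task, reasons in sample_alerts().items():
        print(task)
        for r in reasons:
            print("  -", r)
```

The fan-out rule is the one most specific to this incident: a legitimate rollout from a plant's console normally stays inside that plant's domain, while a job that simultaneously touches the plant, headquarters and several subsidiaries is what using the console as a distribution channel looks like. Tune `max_domains` to how the organisation really operates its consoles.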
For technical details of the new MATA malware, a description of the malicious infrastructure used by the actor, attribution and victimology read the full “Updated MATA attacks industrial companies in Eastern Europe” report.