Lazarus Group’s Mata Framework Leveraged To Deploy TFlower Ransomware

Over the past few years, North Korea has turned its offensive cyber operations into a major source of income. On February 17, 2021, the US Department of Justice (DoJ) has indicted additional three North Korean (DPRK) military Reconnaissance General Bureau (RGB) personnel, with participating in a cyber-attacks that has allegedly  included destructive cyber-attacks and the theft and extortion of over USD1.3bn.

The charges filed relate to Lazarus Group’s (also known as Hidden Cobra) long-running cyber apparatus, financial theft and extortion, including multiple extortion schemes, WannaCry malware and the cyber-attack on Sony Pictures. A key technical component associated with Lazarus is the MATA malware framework, an advanced cross-platform malware framework, which was reported by Kaspersky on July 22, 2020, and by Netlab on December 19, 2019.

In a recent double extortion ransomware attack investigated by Sygnia, the threat actor leveraged a new and so far undocumented variant of MATA. This MATA variant was used by the threat actor to distribute and execute the TFlower ransomware.

When put together, the Netlab and Kaspersky publications along with the recent Sygnia findings, the new research indicates a connection or collaboration between the Lazarus Group and TFlower. While the nature of this collaboration is not yet clear and needs to be further validated, it may reflect the continues effort by North Korea to scale its cyber extortion business, as a major source  for currency generation, including by collaborating with additional crime entities, creating such entities, “outsourcing” of capabilities, or selling of offensive tools to other groups.

This report details the connection between the North Korean MATA framework and TFlower, as well as the anatomy of the MATA backdoor and a wider threat research which revealed over 200 MATA malware framework C2 certificates leveraged since May of 2019 across over 150 IP addresses. The report also includes recommendation on detection and defending against MATA framework attacks.

‍

THE KEY FINDINGS IN THIS REPORT ARE:

1. TFlower leverages or has ties to the MATA malware framework

The MATA backdoor was leveraged to deploy the TFlower ransomware. The threat group consistently referred to themselves as the “TFlower group”.

2. The MATA malware framework is active and widespread

Since at least May of 2019, MATA operators have continuously utilized new servers, with over 150 IPs linked to the frameworks’ C2. The analysis indicates that the group has possibly deployed over 150 command and control servers over time, with the latest one identified on February 4, 2021.

3. The threat actor is highly capable and implements systematic detection evasion techniques

Throughout the attack, the threat actor leveraged multiple tools including the MATA backdoor to systematically clear forensic evidence and attempt to evade detection by identifying and tampering with security products.

‍

ANATOMY OF THE MATA BACKDOOR AND INFRASTRUCTURE

The Backdoor

The MATA backdoor consists of three file components: .EXE, .DLL and .DAT files, deployed in the “C:\Windows\System32” directory. All file names and hashes are unique per infected host indicating automatically generated polymorphic malware. The components are as follows:

1. Initial loader (EXE) — The malware is initially loaded by a .EXE file, which upon execution injects the .DLL loader component into an ‘svchost.exe’ process and modifies the LSA Security Package registry key to achieve persistence.

2. Loader (DLL) — The loader decrypts and executes the payload component stored in the .DAT file. It is loaded by ‘lsass.exe’ upon reboot to achieve persistence.

3. Payload (DAT) — The payload is an encrypted binary .DAT file which implements the backdoor functionality.

Once deployed, the backdoor provides the threat actor with remote code execution capability on infected machines via C2 servers. Additional functionality includes screen capture and network traffic tunneling.

‍

EXECUTION FLOW

The backdoor is deployed by executing the initial loader with the .DLL and .DAT file paths as arguments, injecting the .DLL file into ‘svchost.exe’ and loading the .DAT payload. The initial loader’s file name consists of 5 alphabetic characters, randomly generated on each of the machines (‘[A-Za-z]{5}\.exe’).

Upon execution, the initial loader modifies the following registry value in order to achieve persistency: “HKLM\SYSTEM\ CurrentControlSet\Control\Lsa\Security Packages”. The value modified is part of a Windows API called ‘Security Support Provider’ (SSP), which is used to extend the Windows authentication mechanism. After adding a .DLL stored in System32 to the ‘Security Packages’ value, ‘lsass.exe’ will automatically load the .DLL component on system startup or the next time the AddSecurityPackage Windows API function is called.

The file name of the .DLL consists of six alphabetic characters, the middle two being “nm” matching the following pattern: ‘[A-Za-z]{2}nm[A-Za-z]{2}\.dll’. Similar to the .EXE component, the name is unique on each of the infected machines. The .DLL itself implements limited functionality, and its main purpose is decrypting, loading and executing the final payload stored in the .DAT file.

The final payload stored in the .DAT file is a fully functional backdoor, establishing a command and control channel to the threat actors’ servers. Similarly to the other components, its name was unique on each of the infected machines and followed a specific pattern: ‘srms-[A-Za-z]{3}[0-9]{4,5}\.dat’.

COMMAND AND CONTROL INFRASTRUCTURE

Each of the samples identified by the Sygnia Incident Response team attempted to communicate to three command and control servers over SSL using port 443. The C2 servers were found in an encrypted binary configuration blob hardcoded into the .DAT payload. Each of the servers hosted a unique certificate, self-signed by the threat actor. Although the certificates on each of the servers were unique, they all shared similar technical features:

1. Randomly generated, long Common Name.
2. The usage of three capital letters followed by 'Co .Ltd' in the Organization (O) and Organization Unit (OU) fields of both issuer and subject.
3. Certificate serial number – 1000.
4. The “Validity: Not Before” timestamps of certificates tied to the same sample, are in close time proximity to one another. The “Validity: Not Before” timestamps represent the start of the certificate validity period.

The certificate “Validity: Not Before” timestamp is especially interesting, because the samples were first deployed in the network just several hours after the “Validity: Not Before” timestamp of their corresponding certificates. This could indicate that C2 servers are dynamically deployed for a specific operation, and the certificates are issued accordingly.

To further validate the ties between the MATA framework and the suspicious certificates, we attempted to tie other confirmed command and control servers to similar certificates. Out of 20 IPs found across 8 samples found in online repositories, 18 were confirmed to have historically hosted certificates with similar patterns.

Using the unique certificate patterns, Sygnia identified over 200 certificates and over 130 IP addresses affiliated with the MATA framework, starting as early as 2019.

Further analysis identified that as of June, 2020 the threat actor slightly modified the self-signed certificates pattern. Specifically, the following was changed:

1. Organization (O) and Organization Unit (OU) fields of both issuer and subject were changed to five random uppercase alphabetical characters instead of three.
2. Legitimate Common Name values such as ‘google.com’, ‘qq.com’ and ‘reddit.com’ were used instead of the random strings previously used.

At the time of publication, the latest certificates found were issued on February 4, 2021. The large number of certificates and C2 servers deployed over such a prolonged period of time suggests a well-resourced group with robust operational capabilities, likely attacking multiple targets simultaneously.

RELATION TO THE MATA MALWARE FRAMEWORK AND ATTRIBUTION

The backdoor and its infrastructure share significant attributes with the MATA malware framework:

• Over 95% of the functions in the .DLL loader component identified by Sygnia match functions in the MATA malware framework loader identified by Kaspersky, indicating they are closely related.
• The .DAT payload component identified by Sygnia writes its encrypted configuration to a registry key with a naming pattern of “HKLM\Software\Microsoft\[A-Za-z]{3}Net”. The orchestrator instances identified by Kaspersky save their configuration in a registry key with the same naming convention. The unencrypted configuration contains similar data to that mentioned in the Kaspersky report.
• The same SSL certificate pattern described above was also identified in SSL certificates served by 21 out of 31 MATA framework C2 IP addresses found within MATA framework malware samples reported by Netlab and Kaspersky.
• Certificates for IPs embedded in samples identified by Netlab and Kaspersky were issued within a short timeframe. This indicates the C2 servers for each of the samples were deployed together. The same behavior was observed in the samples identified by Sygnia.

Several other vendors, including Kaspersky and Netlab, linked the MATA framework to the Lazarus group, a threat actor affiliated with the North Korean government.

The MATA certificates “Validity: Not Before” timestamps are potentially indicative of the threat actor's work week, Monday to Saturday, as no certificates were issued on Sunday. Furthermore, no certificates were issued between 16:00 to 22:00 UTC, correlating with nighttime in UTC +9 or UTC +8 time zones. The vast majority of certificates were issued during working hours in the abovementioned time zones, suggesting the threat actor is most likely operating from East-Asia.

TFLOWER TIES TO THE MATA MALWARE FRAMEWORK

The TFlower ransomware campaign was covered by several technology news websites between September and November of 2019. However, since then very little information has been made public about the ransomware group or its operations.

In a recent TFlower ransomware case investigated by Sygnia, the threat actors had already removed all instances of the ransomware executable and it could not be recovered for reverse engineering. Nevertheless, forensic analysis performed identified several technical indications linking the encryption with the TFlower group with high certainty.

Analysis of the encrypted machines identified that the ransomware executable was deployed and executed using the MATA backdoor. Specifically, the path to the ransomware executable was found within the MATA backdoor memory space on encrypted machines. This raises the possibility that the Lazarus Group, which is largely affiliated with the North Korean government, is either the group behind TFlower or has some level of collaboration with it.

Alternatively, and although there are significant similarities to the TFlower ransomware, it is still possible that the threat actor was only masquerading as the TFlower group.

DEFENDING AGAINST MATA FRAMEWORK ATTACKS

The research into MATA framework operations was done primarily in the service of preventing future attacks. Our understanding of the threat actors behind these malicious operations reveals a large dynamic operation which can prove difficult to contain or easily detect.

The following are specific tactical recommendations which compliment more general security measures that can protect against these types of an attacks:

• Configure Process Protected Light (PPL) protection to prevent non-digitally signed LSA plugins to be loaded into the lsass.exe process.
• Proactively hunt for MATA malware framework IOCs and TTPs within the network, based on the MITRE ATT&CK breakdown and IOC provided below, with emphasis on the following:
• SSL traffic containing a self-signed certificate with the attributes described in the report.
• Outbound network communications towards the internet originating from the lsass.exe process
• Monitor for disabling of security products and log source tampering.

INDICATORS OF COMPROMISE

REGISTRY VALUES (REGULAR EXPRESSIONS)

- Registry Key: “HKLM\\Software\\Microsoft\\[A-Za-z]{3}Net”

• Registry Value Name: (default)
• Registry Value Type: “REG_BINARY”
• Registry Value Data: encrypted binary data

- Registry Key: “HKLM\\System\\CurrentControlSet\\control\\LSA”

• Registry Value Name: “Security Packages”
• Registry Value Type: “REG_MULTI_SZ”
• Registry Value Data: “[A-Za-z]{2}nm[A-Za-z]{2}”

FILE NAMES (REGULAR EXPRESSIONS)

- .EXE file component – “C:\\Windows\\System32\\[A-Za-z]{5}\.exe”

• Highly susceptible to false positives

- .DLL file component – “C:\\Windows\\System32\\[A-Za-z]{2}nm[A-Za-z]{2}\.dll”

- .DAT file component – “C:\\Windows\\System32\\srms\-[A-Za-z]{3}\d+\.dat”

FILES REFERENCED IN THE REPORT (MD5)

• cef99063e85af8b065de0ffa9d26cb03
• 6de65fc57a4428ad7e262e980a7f6cc7
• 8910bdaaa6d3d40e9f60523d3a34f914
• bea49839390e4f1eb3cb38d0fcaf897e
• 80c0efb9e129f7f9b05a783df6959812
• 403ad5ef66f3932e548e29e1b6a2cb4f
• f05437d510287448325bac98a1378de1
• 22a968beda8a033eb31ae175b7e0a937

C2 SERVER CERTIFICATES

MITRE ATT&CK BREAKDOWN

1. Persistence

• T1053.005 - Scheduled Task/Job: Scheduled Task
• T1547.005 - Boot or Logon Autostart Execution: Security Support Provider

2. Defense Evasion

• T1036.005 - Masquerading: Match Legitimate Name or Location
• T1055.001 - Process Injection: Dynamic-link Library Injection  
• T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
• T1070.003 - Indicator Removal on Host: Clear Command History
• T1070.004 - Indicator Removal on Host: File Deletion
• T1112 - Modify Registry
• T1562 - Impair Defenses

3. Credential Access

• T1552.001 - Unsecured Credentials: Credentials in Files

4. Lateral Movement

• T1021.001 - Remote Services: Remote Desktop Protocol
• T1021.002 - Remote Services: SMB/Windows Admin Shares
• T1021.004 - Remote Services: SSH

5. Collection

• T1113 - Screen Capture

6. Command and Control

• T1008 - Fallback Channels
• T1572 - Protocol Tunneling
• T1573.001 - Encrypted Channel: Symmetric Cryptography

7. Impact

• T1486 - Data Encrypted for Impact

‍

Contributors: Amitai Ben Shushan, Noam Lifshitz, Amnon Kushnir, Martin Korman and Boaz Wasserman.