Attack using the Lazarus Group's MATA malware framework, from initial execution to persistence mechanism (Source: Sygnia)

The Lazarus Group, a North Korean hacking operation also known as Hidden Cobra, is deploying TFlower ransomware, using its MATA malware framework, security firm Sygnia reports.

The group has been using the MATA framework to deliver payloads since 2019, according to previous reports from security firms Kaspersky and NetLabs (see: Lazarus Group Deploying Fresh Malware Framework).

The deployment of TFlower using the MATA framework "raises the possibility that the Lazarus Group is either the group behind TFlower or has some level of collaboration in operations or capabilities with it," the report says. "Alternatively, the group may be masquerading as TFlower for some of its ransomware operations."

The campaign using TFlower ransomware has targeted a dozen victims for data exfiltration or extortion, says Arie Zilberstein, vice president, incident response at Sygnia.

Sygnia's report found that the MATA framework consists of an initial loader, which loads the first malware using a .EXE file, and a next-stage loader for decrypting and executing the payload component stored in the.

The TFlower payload delivered via MATA establishes a command-and-control channel to the threat actors' servers. Once deployed, the MATA backdoor provides the hacking group with remote code execution capability on infected machines and performs additional tasks, such as screen capture and network traffic tunneling, the report adds.