Researchers from the Kaspersky laboratories have discovered a large-scale malicious campaign aimed at stealing confidential data from organizations in the defense industry and oil and gas sector of Eastern European countries. The attackers utilized advanced techniques and spying tools, including a module for penetrating isolated networks using USB drives and Linux Mata Bekdor.
The attack began in August 2022 with the distribution of targeted phishing emails containing malicious Word documents. Subsequently, the attackers infiltrated the corporate networks, stole user authentication data, and gained access to the terminal server of the main company. They were able to replicate this success in the head organization and reached the domain controller. By compromising the information systems that connected the parent enterprise with its subsidiaries, such as the financial system server and the protective solution control panel, the attackers gained access to several dozen subsidiary networks.
The attackers utilized three new generations of malicious MATA, including modified second-generation MATA, as well as new versions called Matadoor and fifth-generation MATA. Notably, the attackers also targeted systems operating on UNIX-like operating systems. By exploiting the protective solution control panel and combining it with the Mata malware version for Linux, the attackers gained access to nearly all systems in the targeted enterprises, including those not part of the domain.
In cases where direct communication with the target system was not possible, the attackers used a module designed to interact with USB devices. This module facilitated data exchange with isolated networks that may contain information of interest to the attackers.
The attacks also demonstrated a high level of sophistication and the ability to bypass protective measures in the targeted environments. The attackers employed various techniques to conceal their activities, such as leveraging routes, exploiting vulnerable drivers, disguising files as legitimate programs, and employing multi-level encryption for files and network activities.
Although most of the malicious Word documents contained the Korean font Malgun Gothic, suggesting a potential connection with the Apt Lazarus group, researchers also identified technical techniques that could indicate involvement from other groups, including the Five Eyes Alliance. However, the true initiator of the attack has yet to be determined.