Deep dive into cybercrime-like APT attack of Lazarus group

2020-10-19 Kaspersky

https://github.com/theseongsu/presentation/blob/main/ISCR2020_Lazarus.pdf

Attachments

ISCR2020_Lazarus.pdf (1 MB)

Seongsu Park’s Kaspersky presentation analyzes Lazarus Group’s MATA framework as a multi-platform malware set spanning Windows, Linux, and macOS tooling. The deck describes AES-encrypted loaders and plugins, registry-based configuration, OpenSSL/RC4 C2, Linux tooling that included Confluence exploitation via CVE-2019-3396 and scanning of network-device ports, and a trojanized macOS 2FA application. It links the MATA research to VHD ransomware, noting worm-like propagation using network shares, remote copy, WMIC execution, and AES/RSA-based encryption. The core CTI point is that Lazarus activity blurred the line between financially motivated cybercrime and targeted APT operations, with advanced implants and cross-platform tradecraft used in cybercrime-like campaigns.
