MATA: Multi-platform targeted malware framework
2020-07-22 • Kaspersky
https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/
Kaspersky describes MATA as a multi-platform malware framework used since at least April 2018 to infiltrate corporate environments across Windows, Linux, and macOS systems. The Windows toolchain includes a loader that decrypts a next-stage payload, an orchestrator that can read AES-encrypted configuration from the registry, and plugins loaded from disk, from HTTP/HTTPS servers, or over MataNet connections. The excerpt shows operators using WMI-linked execution for lateral movement and finding the orchestrator running inside lsass.exe on victim machines. MATA's plugins support command and PowerShell execution, process control, TCP checks, HTTP proxying, file collection and wiping, timestomping, DLL injection, and encrypted TLS/RC4 command-and-control traffic.
Indicators of Compromise