Updated MATA attacks industrial companies in Eastern Europe


In early September 2022, we discovered several new malware samples belonging to the MATA cluster. As we were collecting and analyzing the relevant telemetry data, we realized the campaign had been launched in mid-August 2022 and targeted over a dozen corporations in Eastern Europe from the oil and gas sector and defense industry.


The actors behind the attack used spear-phishing emails to target several victims, some of whom were infected with Windows executable malware after downloading files through a web browser. Each phishing document contains an external link that fetches a remote page hosting a CVE-2021-26411 exploit. The attackers continued to send malicious documents by email until the end of September 2022. Overall, the campaign remained active for over 6 months, until May 2023.


The infection chain


After analyzing the timeline and functionality of each piece of malware, we determined the infection chain of the campaign, although some parts remain unknown due to limited visibility. The attacker employed a combination of loader, main trojan, and stealer infection chains similar to those used by the previous MATA cluster, and updated the capabilities of each component. Moreover, they introduced a process to validate compromised victims before delivering further malware, so that payloads were only deployed to targets of interest.


The new MATA infection chain


Incident investigation


A turning point in the investigation was the discovery of two MATA samples that had internal IP addresses configured as their C&C server addresses. Attackers often build a chain of proxy servers inside a corporate network to relay communication between the malware and the external C&C, for example when the infected system has no direct access to the internet. Of course, we have seen this before, but in this case the malware co ..
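An internal address in a C&C configuration points at a relay host rather than the attacker's infrastructure, and that relay is a pivot point worth investigating. The script below is an added example (not code from the report or the MATA samples) that, given C&C addresses extracted from malware configs and constructed flow records, follows outbound connections hop by hop to reconstruct such an internal proxy chain; it assumes RFC 1918 ranges are the organization's internal space.

```python
"""Infer an internal C&C proxy chain from network flow records (added example)."""
import ipaddress
from collections import defaultdict

# Constructed flow records: (source_ip, destination_ip, destination_port).
# Synthetic data for illustration, not telemetry from the MATA investigation.
FLOWS = [
    ("10.1.5.23", "10.1.9.40", 443),    # infected workstation -> internal "C&C"
    ("10.1.5.24", "10.1.9.40", 443),    # second infected host, same internal hop
    ("10.1.9.40", "10.2.0.7", 443),     # first relay -> second internal relay
    ("10.2.0.7", "203.0.113.50", 443),  # last relay -> external C&C (documentation range)
    ("10.1.5.23", "10.1.0.10", 53),     # ordinary internal DNS, unrelated
]

# Assumption: the corporate network uses RFC 1918 space; adjust to the real ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def trace_proxy_chain(c2: str, flows, port: int, max_hops: int = 8):
    """Starting from a C&C address taken from a malware config, follow outbound
    flows on the same port from hop to hop until an external address is reached.
    Returns the hops visited (internal relays, then the external endpoint if found);
    stops at a dead end or at max_hops so a cyclic relay setup cannot loop forever."""
    outbound = defaultdict(set)
    for src, dst, dport in flows:
        if dport == port:
            outbound[src].add(dst)
    chain, seen, current = [c2], {c2}, c2
    while is_internal(current) and len(chain) < max_hops:
        nxt = sorted(d for d in outbound[current] if d not in seen)
        if not nxt:
            break  # internal host with no onward flow on this port: dead end
        current = nxt[0]
        seen.add(current)
        chain.append(current)
    return chain

def classify_c2(c2_addresses, flows, port):
    """External C&C addresses are direct; internal ones are relays whose chain
    identifies the compromised hosts that need to be examined."""
    report = {}
    for c2 in c2_addresses:
        kind = "internal-proxy" if is_internal(c2) else "external"
        report[c2] = {"kind": kind, "chain": trace_proxy_chain(c2, flows, port)}
    return report

if __name__ == "__main__":
    for c2, info in classify_c2(["10.1.9.40", "198.51.100.9"], FLOWS, 443).items():
        print(c2, info["kind"], " -> ".join(info["chain"]))
```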
