Skip to content ↓ | Skip to navigation ↓

The Lazarus Group (also known as Guardians of Peace or Whois) is a notorious cybercrime gang made up of unknown individuals. According to the United States Federal Bureau of Investigations, the group is a North Korean “state-sponsored hacking organization.”

However, some believe that their connections to North Korea might be a false flag intending to hide their true origins. The Lazarus Group has been responsible for many cyberattacks over the last decade, with the latest being a series of attacks targeting businesses in Poland, Germany, Turkey, South Korea, Japan and India with multi-platform malware framework attacks.

The potential payoff of a well-orchestrated malware attack has grown due to the growth of sensitive data stored in computers and the widespread use of digital currencies. It has been reported that a tenth of ransomware attacks involve some form of data theft, which is especially effective when used against large companies or governments charged with protecting the public’s data.

Although cryptocurrencies are generally thought of as safe due to their highly encrypted use of blockchain technology, state-sponsored digital currencies may have the potential to be surveilled. In this new era of nation-state attacks, motivated by either financial, political or military goals, users must have a heightened sense of vigilance with everything they do online.

In this article, we’ll dive into what you need to know about malware attacks and how multi-platform frameworks are different from standard malware attacks. We’ll touch upon common ways that malicious hackers avoid detection and what you can do to protect your business against them.

What do we know about the Lazarus Group?

It is very difficult to know definite details about the highly anonymous and stealthy cybercriminal group, also referred to as Hidden Cobra. Their highly developed attacks, however, have been studied by researchers in detail and linked back to Lazarus via an IP address. The Lazarus Group first emerged as a threat when the group launched a DDoS attack against the South Korean government between 2009 and 2012 known as “Operation Troy.”

A more publicized attack occurred again in 2014 against Sony Pictures, which leaked scripts, confidential data and movies before their release date. This attack was more sophisticated in nature and showed how the group had evolved over time. The leaders behind the attack claimed that the reason behind the attack was to stop the release of the movie “The Interview,” starring Seth Rogen and James Franco. The comedy had a less than complimentary depiction of the North Korean ruler Kim Kung-Un, which was the cause of the targeted hack.

The Lazarus Group has also been credited with stealing over $155 million in USD from banks all over the world, mainly in Vietnam, Mexico, Poland, Ecuador and Bangladesh. The group has shifted their focus to mainly surveillance and spying, but they still do have a branch of hackers focused solely on financial cyber attacks known as Bluenoroff.

What’s so special about a multi-platform malware framework?

The Lazarus Group created a multi-platform malware framework to steal sensitive customer information by infecting three major operating systems – Windows, macOS, and Linux. Known as the MATA malware framework, this malware is particularly vicious as it is programmed to perform a number of activities on infected computers. According to security firm Kaspersky Labs, who discovered the MATA framework, multi-platform malware is rare as their development requires significant skills and funding. The malware was exposed just this summer, but experts believe it was active as far back as spring of 2018.

The Windows version of MATA consists of a loader used to load an encrypted next-stage payload called “lsass.exe.” This orchestrator module is capable of loading 15 additional plugins at the same time and executing them in memory. These plugins have specific features that allow the malware to manipulate files and system processes, inject DLLs, and create an HTTP proxy server.

These MATA plugins also allow malicious hackers to target Linux-based network devices such as routers, firewalls or IoT devices, and macOS systems by imitating an app called MinaOTP, an open-source two-factor authentication application. Once the plugins are settled in, the malicious hackers then try to locate databases that store sensitive information. MATA frameworks are also capable of issuing VHD ransomware to their victim’s compromised devices.

Malware can be secretly bundled in with other software that is downloaded, it can infect users that visit certain websites that are already infected with malware, or it can be disguised as a pop-up encouraging users to click on a button that will initiate a download. A common strategy cybercriminals like to use is sending out phishing emails that contain email attachments, seemingly from a reputable company, that ask them to click on links and download hidden malware files.

What do I do if my business has been the subject of a malware attack?

If the battery on your business devices drains quickly and the performance of the device is slow and sluggish, you may have one too many apps running in the background, or it could be malware slowly taking over your device. Strange pop-ups, an abnormal increase of data usage and strange items on your phone bill are all signs of malware.

If you suspect that your device is infected with malware, you need to take quick action to remove it completely. First, disconnect from the internet immediately and inform your IT support team if you have one. If you know which file or app is responsible for the virus, you can remove it on your own or trust an IT professional in your team to respond to it. However, this is a tricky process, as it’s coded to prevent you from removing them, which can cause frustration.

How can I protect my business from malware attacks like MATA?

Regardless of the purpose of the malware and how it got there, it’s never good news. Thankfully, there are a couple of simple but effective ways to protect yourself, your business, and your staff against malware attacks like the MATA framework.

Many of these strategies are also effective in protecting your business, staff, and data against a wide range of cyberattacks, and not just MATA. In order to achieve the best protection possible, however, you will need to take a full-spectrum approach to defense. Let’s run through the most important elements of this:

  1. Inventory your assets. You can only protect your assets effectively if you know what you are protecting. The first and most important part of any cyber security strategy is therefore to inventory which hardware and software assets are connected to your network. As we’ve pointed out elsewhere, using passive discovery can be an effective way of doing this.
  2. Think twice before clicking. A significant proportion of cyberattacks are instigated via phishing messages that encourage victims to click on a malicious link. Though it may sound like a fairly basic way of protecting yourself, staying vigilant when it comes to your messages can dramatically reduce your exposure to this kind of attack. There is a golden rule here: don’t click on a suspicious link, regardless of who it comes from.
  3. Educate your users. If you are managing a team, it’s important to make sure they also follow best practices when it comes to cybersecurity. You will need to educate your users about the most common types of phishing attacks that are in circulation and share some basic strategies on how to avoid them. Equally as important is to teach them about basic web security. Using a secure browser when surfing the web will warn them when HTTPS isn’t being used and protect you from stumbling across phishing sites.
  4. Patch and keep your software up to date. Everyone knows that they should keep their software up to date, but too few of us do. The fact is that a lot of software ships with zero-day vulnerabilities that need to be patched in order to be secure. You should also make sure that your vulnerability management covers all of your connected software assets so that your security professionals can prioritize their remediation and mitigation efforts accordingly.
  5. Last but definitely not least, use strong passwords. Weak passwords are still a major cause of vulnerability, and access to fairly innocuous systems can be used to leverage more sophisticated attacks. That’s why you should use and enforce strong, unique passwords for all accounts.

These steps are, of course, just the beginning. Unfortunately, there is no 100% guarantee that your business will ever be completely safe from falling in the hands of the Lazarus Group and becoming a victim of their multi-platform malware system attacks or any other cyberattacks, but by being more aware of the nature surrounding these attacks and what you can do to protect your business, you can reduce your risk and close any exposed holes that make you vulnerable to malware attacks.


About the Author: Gary Stevens is an IT specialist who is a part-time Ethereum dev working on open source projects for both QTUM and Loopring. He’s also a part-time blogger at Privacy Australia, where he discusses online safety and privacy.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.