What’s new for North Korean hackers? Kaspersky says they’re polishing tools, finding new targets

North Korean government-linked hackers have been aggressively deploying a multi-stage malware framework for two years in a ploy to expand their target sets, according to Kaspersky.
Lazarus Group, apt37
Pyongyang, North Korea (Pixabay)

North Korean government-linked hackers have refined their malware tools and expanded their target lists over the past two years, according to new research from Kaspersky, which says the attackers have devoted “significant resources” to improving their capabilities.

In particular, the hackers have aggressively deployed a multi-stage malware framework — which Kaspersky calls MATA — to target Windows, Linux, and macOS operating systems. The framework is capable of deploying more than 15 malware components and has exhibited signs that it allows attackers to move laterally once they have compromised a target network, according to the research.

So far, the attackers have used MATA against a software development firm, an e-commerce company and an internet service provider, Kaspersky said. The list of affected countries includes Poland, Germany, Turkey, Japan and India, the researchers said.

Based on an analysis of the framework’s filenames and configuration, Kaspersky assesses that the scheme is linked with Lazarus Group, a hacking organization the U.S. government has attributed to the North Korean government. The use of MATA suggests a few things about how the group might be advancing its capabilities, said Seongsu Park, a senior security researcher at Kaspersky.


“This series of attacks indicates that Lazarus was willing to invest significant resources into developing this toolset and widening the reach of organizations targeted — particularly in hunting for both money and data,” Park said in a statement. “Furthermore, writing malware for Linux and macOS systems often indicates that the attacker feels that he has more than enough tools for the Windows platform, which the overwhelming majority of devices are run on.”

North Korean hackers have pulled off some noisy attacks, including the Sony and WannaCry incidents, but the level of polish that MATA suggests a more focused approach. Other researchers have examined some components in the framework before, but haven’t unveiled them as the simplified structure that Kaspersky identified. NetLab published a blog on portions of the Linux and Windows elements of the MATA framework last year, while Patrick Wardle, principal security researcher at Jamf, covered a similar macOS component in May.

Wardle told CyberScoop the revelation that those malware discoveries are part of a framework for Windows, Linux, and macOS shows the group may be working to simplify its targeting process, even if the hackers are not as skilled, overall, as other groups with nation-state support.

“Having a fully-featured cross-platform implant affords APT [advanced persistent threat] groups consistency across targets of different platforms,” Wardle told CyberScoop. “It shows a certain level of maturity and ‘sophistication’ of the APT group. Though their approaches (especially on macOS) are still not notably elegant.”

The MATA campaign began as early as April of 2018, according to Kaspersky, just months after Kim Jong-un emphasized in his New Year’s speech the effect of tough international sanctions against his regime and the need to build a self-reliant economy.


Mixed motivation

It’s not entirely clear what the hackers are using the framework for, but there are some clues their interests may be about gathering data or money, according to Kaspersky.

In one of the hackers’ MATA campaigns, for instance, the hackers deployed the MATA malware against an entity and then worked to steal its customer lists and databases, Kaspersky said.

In another instance, the hackers deployed ransomware against a target using MATA, suggesting a financial motive. The use of ransomware could also indicate the hackers are interested in causing disruption.

Kaspersky did not reveal the name of the victims or whether the second victim paid the ransom, but the themes of each attack were consistent with espionage-focused and financially focused hacking campaigns typical of Lazarus Group, which has been hacking for years now to fill regime coffers in light of economic sanctions.


In linking the MATA activity to Lazarus Group, the researchers pointed to specific configurations and filenames. Some of the framework, for instance, uses two unique filenames that have only previously been seen in variants of a malware family, Manuscrypt, which the U.S. government has linked with Lazarus Group, Kaspersky said. Some of the filenames also mimic those described in a U.S. government malware analysis report from the FBI and the Department of Homeland Security that describes Manuscrypt, according to Kaspersky.

Manuscrypt has been used in the past to hit diplomatic targets in South Korea, virtual currencies, and electronic payment systems. Last year, the Treasury Department sanctioned the attackers behind Manuscrypt, which also typically go after global financial entities and the Society for Worldwide Interbank Financial Telecommunication (SWIFT) monetary transfer system.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts