Updated MATA attacks industrial companies in Eastern Europe
Contents
In early September 2022, we discovered several new malware samples belonging to the MATA cluster. As we were collecting and analyzing the relevant telemetry data, we realized the campaign had been launched in mid-August 2022 and targeted over a dozen corporations in Eastern Europe from the oil and gas sector and defense industry.
The actors behind the attack used spear-phishing mails to target several victims, some were infected with Windows executable malware by downloading files through an internet browser. Each phishing document contains an external link to fetch a remote page containing a CVE-2021-26411 exploit. The attackers continued to send malicious documents via email until the end of September 2022. Overall, the campaign remained active over 6 months, until May 2023.
The infection chain
After analyzing the timeline and functionality of each malware, we have determined the infection chain of the campaign, although some parts remain unknown due to limited visibility. The attacker …
The actors behind the attack used spear-phishing mails to target several victims, some were infected with Windows executable malware by downloading files through an internet browser. Each phishing document contains an external link to fetch a remote page containing a CVE-2021-26411 exploit. The attackers continued to send malicious documents via email until the end of September 2022. Overall, the campaign remained active over 6 months, until May 2023.
The infection chain
After analyzing the timeline and functionality of each malware, we have determined the infection chain of the campaign, although some parts remain unknown due to limited visibility. The attacker …