Sygnia deploys top talent and implements the operational art of elite military units, digital combat experience, and a deep understanding of attackers to secure organizations.
Since its first public identification in September of 2019, very little information has been made public about the TFlower ransomware group.
In a recent TFlower hybrid ransomware attack investigated by Sygnia, the threat actor leveraged a previously unknown advanced backdoor to distribute the TFlower ransomware across the network.
The backdoor and its infrastructure were analyzed by the Sygnia Incident Response team, leading to identifying significant attributes it shares with the MATA malware framework reported by Kaspersky on July 22, 2020, and by Netlab on December 19,2019. These similarities led Sygnia to assess that the backdoor was part of the MATA malware framework.
The Netlab and Kaspersky publications linked the MATA malware framework with the Lazarus Group (also known as Hidden Cobra). This, together with our findings, raises the possibility that the Lazarus Group is either the group behind TFlower or has some level of collaboration in operations or capabilities with it. Alternatively, the group may be masquerading as TFlower for some of its ransomware operations.
This report details the anatomy of the MATA backdoor, including a wider threat research which revealed over 200 MATA malware framework C2 certificates leveraged since May of 2019 across over 130 IP addresses.
1. TFlower leverages or has ties to the MATA malware framework
The MATA backdoor was leveraged to deploy the TFlower ransomware. The threat group consistently referred to themselves as the “TFlower group”.
2. The MATA malware framework is active and widespread
Since at least May of 2019, MATA operators have continuously utilized new servers, with over 130 IPs linked to the frameworks’ C2. The analysis indicates that the group has possibly deployed over 200 command and control servers over time, with the latest one identified on November 3, 2020.
3. The threat actor is highly capable and implements systematic detection evasion techniques
Throughout the attack, the threat actor leveraged multiple tools including the MATA backdoor to systematically clear forensic evidence and attempt to evade detection by identifying and tampering with security products.
The MATA backdoor consists of three file components: .EXE, .DLL and .DAT files, deployed in the “C:\Windows\System32” directory. All file names and hashes are unique per infected host indicating automatically generated polymorphic malware. The components are as follows:
1. Initial loader (EXE) — The malware is initially loaded by a .EXE file, which upon execution injects the .DLL loader component into an ‘svchost.exe’ process and modifies the LSA Security Package registry key to achieve persistence.
2. Loader (DLL) — The loader decrypts and executes the payload component stored in the .DAT file. It is loaded by ‘lsass.exe’ upon reboot to achieve persistence.
3. Payload (DAT) — The payload is an encrypted binary .DAT file which implements the backdoor functionality.
Once deployed, the backdoor provides the threat actor with remote code execution capability on infected machines via C2 servers. Additional functionality includes screen capture and network traffic tunneling.
The backdoor is deployed by executing the initial loader with the .DLL and .DAT file paths as arguments, injecting the .DLL file into ‘svchost.exe’ and loading the .DAT payload. The initial loader’s file name consists of 5 alphabetic characters, randomly generated on each of the machines (‘[A-Za-z]{5}\.exe’).
Upon execution, the initial loader modifies the following registry value in order to achieve persistency: “HKLM\SYSTEM\ CurrentControlSet\Control\Lsa\Security Packages”. The value modified is part of a Windows API called ‘Security Support Provider’ (SSP), which is used to extend the Windows authentication mechanism. After adding a .DLL stored in System32 to the ‘Security Packages’ value, ‘lsass.exe’ will automatically load the .DLL component on system startup or the next time the AddSecurityPackage Windows API function is called.
The file name of the .DLL consists of six alphabetic characters, the middle two being “nm” matching the following pattern: ‘[A-Za-z]{2}nm[A-Za-z]{2}\.dll’. Similar to the .EXE component, the name is unique on each of the infected machines. The .DLL itself implements limited functionality, and its main purpose is decrypting, loading and executing the final payload stored in the .DAT file.
The final payload stored in the .DAT file is a fully functional backdoor, establishing a command and control channel to the threat actors’ servers. Similarly to the other components, its name was unique on each of the infected machines and followed a specific pattern: ‘srms-[A-Za-z]{3}[0-9]{4,5}\.dat’.
Each of the samples identified by the Sygnia Incident Response team attempted to communicate to three command and control servers over SSL using port 443. The C2 servers were found in an encrypted binary configuration blob hardcoded into the .DAT payload. Each of the servers hosted a unique certificate, self-signed by the threat actor. Although the certificates on each of the servers were unique, they all shared similar technical features:
The certificate “Validity: Not Before” timestamp is especially interesting, because the samples were first deployed in the network just several hours after the “Validity: Not Before” timestamp of their corresponding certificates. This could indicate that C2 servers are dynamically deployed for a specific operation, and the certificates are issued accordingly.
To further validate the ties between the MATA framework and the suspicious certificates, we attempted to tie other confirmed command and control servers to similar certificates. Out of 20 IPs found across 8 samples found in online repositories, 18 were confirmed to have historically hosted certificates with similar patterns.
Using the unique certificate patterns, Sygnia identified over 200 certificates and over 130 IP addresses affiliated with the MATA framework, starting as early as 2019.
Further analysis identified that as of June, 2020 the threat actor slightly modified the self-signed certificates pattern. Specifically, the following was changed:
At the time of publication, the latest certificates found were issued on November 3, 2020. The large number of certificates and C2 servers deployed over such a prolonged period of time suggests a well-resourced group with robust operational capabilities, likely attacking multiple targets simultaneously.
The backdoor and its infrastructure share significant attributes with the MATA malware framework:
Several other vendors, including Kaspersky and Netlab, linked the MATA framework to the Lazarus group, a threat actor affiliated with the North Korean government.
The MATA certificates “Validity: Not Before” timestamps are potentially indicative of the threat actor's work week, Monday to Saturday, as no certificates were issued on Sunday. Furthermore, no certificates were issued between 16:00 to 22:00 UTC, correlating with nighttime in UTC +9 or UTC +8 time zones. The vast majority of certificates were issued during working hours in the abovementioned time zones, suggesting the threat actor is most likely operating from East-Asia.
The TFlower ransomware campaign was covered by several technology news websites between September and November of 2019. However, since then very little information has been made public about the ransomware group or its operations.
In a recent TFlower ransomware case investigated by Sygnia, the threat actors had already removed all instances of the ransomware executable and it could not be recovered for reverse engineering. Nevertheless, forensic analysis performed identified several technical indications linking the encryption with the TFlower group with high certainty.
Analysis of the encrypted machines identified that the ransomware executable was deployed and executed using the MATA backdoor. Specifically, the path to the ransomware executable was found within the MATA backdoor memory space on encrypted machines. This raises the possibility that the Lazarus Group, which is largely affiliated with the North Korean government, is either the group behind TFlower or has some level of collaboration with it.
Alternatively, and although there are significant similarities to the TFlower ransomware, it is still possible that the threat actor was only masquerading as the TFlower group.
The research into MATA framework operations was done primarily in the service of preventing future attacks. Our understanding of the threat actors behind these malicious operations reveals a large dynamic operation which can prove difficult to contain or easily detect.
The following are specific tactical recommendations which compliment more general security measures that can protect against these types of an attacks:
- Registry Key: “HKLM\\Software\\Microsoft\\[A-Za-z]{3}Net”
- Registry Key: “HKLM\\System\\CurrentControlSet\\control\\LSA”
- .EXE file component – “C:\\Windows\\System32\\[A-Za-z]{5}\.exe”
- .DLL file component – “C:\\Windows\\System32\\[A-Za-z]{2}nm[A-Za-z]{2}\.dll”
- .DAT file component – “C:\\Windows\\System32\\srms\-[A-Za-z]{3}\d+\.dat”
1. Persistence
2. Defense Evasion
3. Credential Access
4. Lateral Movement
5. Collection
6. Command and Control
7. Impact
Contributors: Amitai Ben Shushan, Noam Lifshitz and Boaz Wasserman.