Metador Threat Group Targets Telcos, ISPs and Universities
Adversaries Provide Long-Term, Redundant Access Into Networks
A never-before-seen advanced threat actor dubbed Metador is targeting telecommunications, internet service providers and universities in several countries in the Middle East and Africa for cyberespionage.
SentinelLabs researchers uncovered that the operators behind Metador were aware of "operations security, managing carefully segmented infrastructure per victim and quickly deploying intricate countermeasures in the presence of security solutions" and provide long-term access into networks in multiple redundant ways.
"We dubbed this threat actor 'Metador' in reference to the string 'I am meta' in one of their malware samples and the expectation of Spanish-language responses from the command-and-control servers," researchers say.
Researchers found two different Windows-based malware platforms called metaMain and Mafalda mainly used by Metador for operating entirely in-memory and eluding native security detection.
metaMain is a feature-rich backdoor, say SentinelLabs researchers. Metador operators used its implant to decrypt a subsequent modular framework called Mafalda into memory. Mafalda is also a feature-rich backdoor.
The researchers say the metaMain implant enables long-term access to compromised machines and provides operators with functionality such as keyboard and mouse event logging, screenshot theft, file download and upload, and the ability to execute arbitrary shellcode.
Mafalda is an interactive implant, supporting over 60 commands and a highly valuable asset to the Metador operators, with newer variants exhibiting intense obfuscation, making them challenging to analyze.
"The internal versioning of Mafalda suggests that this platform has been in use for some time, and its adaptability during our engagement alone highlights active and continuing development," researchers say.
They also uncovered indications of additional implants, including:
- Cryshell, a custom implant used for bouncing connections in an internal network to external command-and-control servers;
- An unknown Linux malware used to pilfer materials from other machines in the target environment and route their collection back to Mafalda.
The researchers say attributing Metador was a "garbled mystery" and that they encountered multiple languages with diverse idiosyncrasies indicative of multiple developers.
"Traces point to multiple developers and operators that speak both English and Spanish, alongside varied cultural references including British pop punk lyrics and Argentinian political cartoons," according to SentinelLabs researchers Juan Andres Guerrero-Saade, Amitai Ben Shushan Ehrlich, and Aleksandar Milenkoski.
They also uncovered that the Mafalda implant provides functionality similar to metaMain and is an actively maintained, ongoing project. The researchers observed two key variants of the Mafalda backdoor: the "Clear Build 144" variant and the "Obfuscated Mafalda" variant.
The Obfuscated Mafalda variant extends supported commands from 54 to 67 and is rife with anti-analysis techniques.
Researchers also found that Mafalda prints encrypted debugger messages if the name of the host is WIN-K4C3EKBSMMI, possibly indicating the name of the computer used by the developers.
This Mafalda backdoor is an ongoing project, researchers say. They have seen a total of 67 commands, and 13 of them were added in the newer variant.
Some of the interesting commands in the newer Mafalda variant include:
- Command 55, which copies a file or directory from an attacker-provided source filesystem location to an attacker-provided destination file system location;
- Command 60, which reads the content of %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Local State and sends it to the command-and-control server under a name prefixed with "loot";
- Command 63, which conducts network and system configuration reconnaissance;
- Command 67, which helps retrieve data from another implant residing in the victim's network and sends that data to the C2.
Mafalda commands include credential theft, data and information theft, command execution, system registry and file system manipulation and Mafalda reconfiguration.
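Command 60 above targets Chrome's Local State file, which holds the key material the browser uses to protect saved credentials, so reads of that file by anything other than the browser are worth flagging. The following detection logic is an added example and is not code from SentinelLabs or the Metador research; the event field names and the allow-list of process images are assumptions, and the telemetry is constructed.

```python
import ntpath

# Suffix of Chrome's Local State file (the file Mafalda command 60 reads),
# compared case-insensitively so it matches under any user profile.
LOCAL_STATE_SUFFIX = r"\appdata\local\google\chrome\user data\local state"

# Process images expected to open this file legitimately. Assumption for this
# example; tune it to your estate (e.g. add the browser's own updater).
ALLOWED_IMAGES = {"chrome.exe"}


def is_chrome_local_state(path: str) -> bool:
    """True if `path` is Chrome's Local State file under any profile directory."""
    # ntpath.normcase lowercases and turns '/' into '\' on every platform.
    return ntpath.normcase(path).endswith(LOCAL_STATE_SUFFIX)


def suspicious_local_state_reads(events):
    """Return (host, image, target) for reads of Local State by unexpected processes."""
    hits = []
    for ev in events:
        if ev.get("action") != "read":
            continue
        if not is_chrome_local_state(ev["target"]):
            continue
        image = ntpath.basename(ev["image"]).lower()
        if image not in ALLOWED_IMAGES:
            hits.append((ev["host"], ev["image"], ev["target"]))
    return hits


# Constructed file-access telemetry (not real logs). The field names are an
# assumption; map them from whatever your EDR or file-audit source emits.
SAMPLE_EVENTS = [
    {"host": "ws01", "action": "read",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"host": "ws01", "action": "read",
     "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"host": "ws02", "action": "write",
     "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\bob\Documents\notes.txt"},
    {"host": "ws02", "action": "read",
     "image": r"C:\ProgramData\update\helper.exe",
     "target": r"c:/users/bob/appdata/local/google/chrome/user data/local state"},
]

if __name__ == "__main__":
    for host, image, target in suspicious_local_state_reads(SAMPLE_EVENTS):
        print(f"{host}: {image} read {target}")
```

Only reads by processes outside the allow-list are reported, so the browser's own access to the file produces no hit while the two constructed non-browser reads do.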
Researchers also observed that the operators behind the Metador intrusions use a single external IP address per victim network for command and control over either HTTP or raw TCP. The servers were hosted on LITESERVER, a Dutch hosting provider, they found.