Adversaries Provide Long-Term, Redundant Access Into Networks

A never-before-seen advanced threat actor dubbed Metador is targeting telecommunications, internet service providers and universities in several countries in the Middle East and Africa for cyberespionage.
SentinelLabs researchers uncovered that the operators behind Metador were aware of “operations security, managing carefully segmented infrastructure per victim and quickly deploying intricate countermeasures in the presence of security solutions” and provide long-term access into networks in multiple redundant ways.
“We dubbed this threat actor ‘Metador’ in reference to the string “I am meta” in one of their malware samples and the expectation of Spanish-language responses from the command-and-control servers,” researchers say.
Critical Findings
Researchers found two Windows-based malware platforms, metaMain and Mafalda, which Metador uses mainly to operate entirely in memory and evade native security detection.
metaMain is a feature-rich backdoor in its own right, say SentinelLabs researchers. In this case, however, Metador operators used the implant to decrypt a subsequent modular framework, called Mafalda, into memory.
Researchers say the metaMain implant enables long-term access to compromised machines and provides operators with functionality such as keyboard and mouse event logging, screenshot theft, file download and upload, and the ability to execute arbitrary shellcode.
Mafalda is an interactive implant supporting over 60 commands and a highly valuable asset to the Metador operators; newer variants exhibit intense obfuscation that makes them challenging to analyze.
“The internal versioning of Mafalda suggests that this platform has been in use for some time, and its adaptability during our engagement alone highlights active and continuing development,” researchers say.
They also uncovered indications of additional implants including:
- Cryshell, a custom implant used for bouncing connections in an internal network to external command-and-control servers.
- An unknown Linux malware used to pilfer materials from other machines in the target environment and route their collection back to Mafalda.
SentinelLabs researchers describe the attribution of Metador as a ‘garbled mystery’: they encountered multiple languages, with diverse idiosyncrasies indicative of multiple developers.
“Traces point to multiple developers and operators that speak both English and Spanish, alongside varied cultural references including British pop punk lyrics and Argentinian political cartoons,” according to SentinelLabs researchers Juan Andres Guerrero-Saade, Amitai Ben Shushan Ehrlich, and Aleksandar Milenkoski.
They also found that the Mafalda implant provides functionality similar to metaMain’s and is an actively maintained, ongoing project. SentinelLabs researchers observed two key variants of the Mafalda backdoor: ‘Clear Build 144’ and an ‘Obfuscated Mafalda variant.’
The obfuscated Mafalda variant extends the supported commands from 54 to 67 and is rife with anti-analysis techniques.
Researchers also found that Mafalda prints encrypted debugger messages if the host name is WIN-K4C3EKBSMMI, possibly the name of the computer used by the developers.
The Mafalda backdoor is an ongoing project, researchers say. They have seen a total of 67 commands, 13 of which were added in the newer variant.
Some of the interesting commands in the newer Mafalda variant include:
- Command 55: Copies a file or directory from an attacker-provided source file system location to an attacker-provided destination file system location.
- Command 60: Reads the content of %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Local State and sends it to the command-and-control server under a name prefixed with ‘loot’.
- Command 63: Conducts network and system configuration reconnaissance.
- Command 67: Retrieves data from another implant residing in the victim’s network and sends that data to the C2.
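Command 60 above targets Chrome’s Local State file, which holds the DPAPI-protected master key Chrome uses for its saved credentials and cookies. A defender can watch for that file being read by anything other than the browser itself. The script below is an added illustration, not SentinelLabs code or a Metador artefact: it runs a simple allowlist check over constructed, Sysmon-style file-access log lines (hosts, PIDs, image paths and the log format are all invented for the example).

```python
import re
import ntpath

# Constructed sample telemetry, not taken from the report: one file-access
# event per line, loosely modelled on EDR/Sysmon-style "key=value" fields.
SAMPLE_LOG = r"""
2024-03-01T09:12:04Z host=ws01 pid=4120 image=C:\Program Files\Google\Chrome\Application\chrome.exe op=FileRead path=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State
2024-03-01T09:13:11Z host=ws01 pid=5532 image=C:\Windows\System32\notepad.exe op=FileRead path=C:\Users\alice\Documents\notes.txt
2024-03-01T09:15:40Z host=ws01 pid=6018 image=C:\Users\alice\AppData\Roaming\updater.exe op=FileRead path=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State
2024-03-01T09:16:02Z host=ws02 pid=2210 image=C:\Program Files\Google\Chrome\Application\chrome.exe op=FileRead path=C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data
2024-03-01T09:20:55Z host=ws02 pid=7740 image=C:\Windows\Temp\svc.exe op=FileRead path=c:\users\bob\appdata\local\google\chrome\user data\local state
"""

# "image" may contain spaces (Program Files), so it is matched non-greedily up
# to the " op=" token; "path" is everything after "path=".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) "
    r"op=(?P<op>\S+) path=(?P<path>.+)$"
)

# Tail of Chrome's Local State path. The file carries os_crypt.encrypted_key,
# the DPAPI-wrapped key that unlocks the browser's stored secrets, which is
# why a non-browser process reading it is worth an alert.
LOCAL_STATE_SUFFIX = r"\google\chrome\user data\local state"

# Tunable allowlist of images expected to read the file. A backup agent or
# the browser updater may legitimately belong here in some environments.
ALLOWED_IMAGES = {"chrome.exe"}


def parse_events(log_text):
    """Turn the key=value log into dicts, skipping blank or malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_local_state_read(event):
    """True when the event is a read of Chrome's Local State (case-insensitive)."""
    return (event["op"] == "FileRead"
            and event["path"].lower().rstrip().endswith(LOCAL_STATE_SUFFIX))


def find_suspicious_local_state_reads(log_text):
    """Return (host, pid, image) for every Local State read by a non-allowlisted image."""
    hits = []
    for ev in parse_events(log_text):
        if not is_local_state_read(ev):
            continue
        image_name = ntpath.basename(ev["image"]).lower()
        if image_name not in ALLOWED_IMAGES:
            hits.append((ev["host"], int(ev["pid"]), ev["image"]))
    return hits


if __name__ == "__main__":
    for host, pid, image in find_suspicious_local_state_reads(SAMPLE_LOG):
        print(f"[ALERT] {host}: pid {pid} ({image}) read Chrome Local State")
```

On the constructed log this flags the two non-Chrome images (`updater.exe` on ws01 and `svc.exe` on ws02) and ignores Chrome’s own read and the unrelated `Login Data` access. In a real deployment the allowlist should be keyed on a signed image path rather than a bare file name, since an attacker controls the name of a dropped binary.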
Mafalda commands include credential theft, data and information theft, command execution, system registry and file system manipulation and Mafalda reconfiguration.
Researchers also observed that the operators behind the Metador intrusions use a single external IP address per victim network, over which they conduct command-and-control via either HTTP or raw TCP. In all observed instances, the servers were hosted on LITESERVER, a Dutch hosting provider.
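Dedicated, long-lived C2 infrastructure of the kind described above leaves a recognisable shape in network telemetry: one external IP, contacted by very few internal hosts, day after day, over plain HTTP or unclassified TCP rather than the TLS sessions most of the fleet generates. The following script is an added example and not part of the SentinelLabs report; it applies that persistence heuristic to constructed flow records (the hosts, IP addresses in RFC 5737 documentation ranges, ports and thresholds are all assumptions for the illustration).

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records, not from the report:
# (timestamp, internal host, destination IP, destination port, app label from the sensor).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used as placeholders.
SAMPLE_FLOWS = [
    # Busy TLS service reached by many hosts: looks like SaaS/CDN, not per-victim C2.
    ("2024-03-01T08:00:00", "ws01", "203.0.113.10", 443, "tls"),
    ("2024-03-01T08:01:00", "ws02", "203.0.113.10", 443, "tls"),
    ("2024-03-02T08:03:00", "ws03", "203.0.113.10", 443, "tls"),
    ("2024-03-03T08:02:00", "ws01", "203.0.113.10", 443, "tls"),
    # One host, unclassified raw TCP, same external IP on four consecutive days.
    ("2024-03-01T09:00:00", "ws05", "203.0.113.77", 8443, "tcp"),
    ("2024-03-02T09:00:30", "ws05", "203.0.113.77", 8443, "tcp"),
    ("2024-03-03T09:01:00", "ws05", "203.0.113.77", 8443, "tcp"),
    ("2024-03-04T08:59:00", "ws05", "203.0.113.77", 8443, "tcp"),
    # One-off plain HTTP fetch: not persistent enough to flag.
    ("2024-03-02T12:00:00", "ws01", "203.0.113.20", 80, "http"),
    # One host, plain HTTP to a bare IP across three days (the HTTP C2 variant).
    ("2024-03-01T10:00:00", "ws07", "198.51.100.5", 80, "http"),
    ("2024-03-02T10:00:00", "ws07", "198.51.100.5", 80, "http"),
    ("2024-03-03T10:00:00", "ws07", "198.51.100.5", 80, "http"),
]


def summarise_destinations(flows):
    """Aggregate per destination IP: distinct days, internal hosts, ports, app labels."""
    by_dst = defaultdict(lambda: {"days": set(), "hosts": set(), "ports": set(), "apps": set()})
    for ts, host, dst, port, app in flows:
        rec = by_dst[dst]
        rec["days"].add(datetime.fromisoformat(ts).date())
        rec["hosts"].add(host)
        rec["ports"].add(port)
        rec["apps"].add(app)
    return by_dst


def find_persistent_private_destinations(flows, min_days=3, max_hosts=2,
                                         suspicious_apps=("tcp", "http")):
    """Flag external IPs contacted on >= min_days distinct days by <= max_hosts
    internal hosts using plain HTTP or unclassified TCP. Thresholds are assumptions
    and must be tuned per environment; this is a triage filter, not proof of C2."""
    flagged = []
    for dst, rec in summarise_destinations(flows).items():
        persistent = len(rec["days"]) >= min_days
        narrow = len(rec["hosts"]) <= max_hosts
        plain = bool(rec["apps"] & set(suspicious_apps))
        if persistent and narrow and plain:
            flagged.append({
                "dst": dst,
                "days": len(rec["days"]),
                "hosts": sorted(rec["hosts"]),
                "ports": sorted(rec["ports"]),
                "apps": sorted(rec["apps"]),
            })
    return sorted(flagged, key=lambda f: f["dst"])


if __name__ == "__main__":
    for f in find_persistent_private_destinations(SAMPLE_FLOWS):
        print(f"[REVIEW] {f['dst']} ports={f['ports']} apps={f['apps']} "
              f"days={f['days']} hosts={f['hosts']}")
```

The busy TLS destination is excluded because many hosts reach it, and the single HTTP fetch is excluded because it never recurs; the two destinations that survive are the ones contacted by a lone host on several days over raw TCP or HTTP. Once a candidate is flagged, the hosting provider and ASN of the address are the natural next pivot, which is how the shared LITESERVER hosting noted above would surface.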