PHOENIX–Researchers have identified a previously unknown, high-level attack group that has compromised telcos, universities, ISPs, and other organizations across the Middle East and Africa using custom malware platforms and tools that have been in play for many years. It’s not clear yet where the group originates from or whether it is affiliated with a government or is a private actor.
The group has been operating for some time, but researchers at SentinelLabs only discovered its activities recently while investigating a series of intrusions at one organization. That organization had been compromised by several separate APT groups, including Chinese and Iranian teams, and researchers discovered that a new actor, known as Metador, was also in the environment and had deployed several custom pieces of malware, including Linux implants. The new threat group is highly skilled, has shown the ability to evade security tools, and uses unique infrastructure for different victims. Metador is mainly focused on cyber espionage, and SentinelLabs researchers say it’s possible the actor is a high-level contractor rather than an intelligence agency or other state entity.
“Metador is notable precisely in their pragmatic combination of rudimentary techniques (e.g. LOLbins) with carefully executed advanced techniques (like per victim infrastructure segmentation, port knocking, and inscrutable custom anti-analysis techniques). Their operations are massively successful precisely in that they’ve eluded victims, defenders, and threat intel researchers until now despite maintaining these malware platforms for some time,” said Juan Andres Guerrero-Saade, senior director of SentinelLabs at SentinelOne.
“At this time, there’s no clear sense of attribution. Traces point to multiple developers and operators that speak both English and Spanish, alongside varied cultural references. We encountered multiple languages, with diverse idiosyncrasies indicative of multiple developers. There are indications of a separation between developers and operators. And despite a lack of samples, the version history for at least one of the platforms suggests a history of development that extends far beyond the intrusions we’ve uncovered.”
Guerrero-Saade unveiled the new research into Metador at the LabsCon conference here Thursday.
The two main pieces of malware that SentinelLabs discovered on Windows machines are called metaMain and Mafalda, and they both operate only in memory. Metador maintains very tight operational security and uses a single IP address and a single build for each victim. Guerrero-Saade said the actor is well aware of common Windows security tools and has shown the ability to adapt quickly when new tools are deployed on a compromised system. The researchers were not able to determine the initial infection vector for any of the machines that Metador compromised.
“Once on the target, the Metador operators can choose between multiple execution flows to load one or more of their modular frameworks. For example, the execution flow used on our Magnet of Threats combines a WMI persistence mechanism with an unusual LOLbin in order to kick off the decryption of a multi-mode implant we named ‘metaMain’ directly into memory,” Guerrero-Saade said.
“Even though metaMain is a fairly feature-rich backdoor, in this case the Metador operators used the metaMain implant to decrypt a subsequent modular framework called ‘Mafalda’ into memory. Mafalda is a flexible interactive implant, supporting over 60 commands.”
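The execution flow described above (a WMI persistence mechanism kicking off a LOLbin, which then decrypts the implant into memory) leaves a telemetry pattern a defender can look for: a WMI event-subscription event on a host followed shortly by a process launch of a signed Windows utility. The detector below is an added illustration, not SentinelLabs code; it assumes Sysmon-style event IDs (19/20/21 for WMI filter/consumer/binding, 1 for process creation), a LOLbin watchlist chosen here as an assumption because the article does not name the binary Metador used, and constructed sample events.

```python
"""Correlate WMI persistence events with a later LOLbin launch on the same host.

Added illustrative detector; event shapes mimic Sysmon IDs 19/20/21 (WMI
filter/consumer/binding) and ID 1 (process create). The sample events at the
bottom are constructed, not taken from a real intrusion.
"""
from datetime import datetime, timedelta

# Assumed watchlist of commonly abused signed Windows binaries (the article
# does not say which LOLbin Metador chained off the WMI subscription).
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "msiexec.exe", "certutil.exe"}
WMI_EVENT_IDS = {19, 20, 21}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_wmi_lolbin_chains(events, window_minutes=10):
    """Return (host, wmi_time, proc_time, image) for every watchlisted binary
    that starts within `window_minutes` after a WMI subscription event on the
    same host. Each event is a dict with keys: ts, host, event_id, image."""
    hits = []
    by_host = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        wmi_times = [parse_ts(e["ts"]) for e in evs if e["event_id"] in WMI_EVENT_IDS]
        for e in evs:
            if e["event_id"] != 1:
                continue
            image = e.get("image", "").rsplit("\\", 1)[-1].lower()
            if image not in LOLBINS:
                continue
            t = parse_ts(e["ts"])
            for w in wmi_times:
                if w <= t <= w + timedelta(minutes=window_minutes):
                    hits.append((host, w, t, image))
                    break  # one alert per process launch is enough
    return hits


# Constructed sample telemetry: srv01 shows the chain, srv02 a lone LOLbin launch.
SAMPLE_EVENTS = [
    {"ts": "2021-03-01 09:00:00", "host": "srv01", "event_id": 20, "image": ""},
    {"ts": "2021-03-01 09:00:01", "host": "srv01", "event_id": 21, "image": ""},
    {"ts": "2021-03-01 09:03:30", "host": "srv01", "event_id": 1, "image": "C:\\Windows\\System32\\rundll32.exe"},
    {"ts": "2021-03-01 09:05:00", "host": "srv02", "event_id": 1, "image": "C:\\Windows\\System32\\rundll32.exe"},
    {"ts": "2021-03-01 10:00:00", "host": "srv01", "event_id": 1, "image": "C:\\Windows\\notepad.exe"},
]

if __name__ == "__main__":
    for hit in find_wmi_lolbin_chains(SAMPLE_EVENTS):
        print("suspicious WMI->LOLbin chain:", hit)
```

A lone LOLbin launch (srv02) is not flagged on its own; only the WMI-then-LOLbin sequence within the window raises an alert, which keeps the rule usable on hosts where these utilities run legitimately.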
Mafalda looks to be a key part of Metador’s arsenal, and the actor takes great care to protect it and prevent it from being detected by security tools. The backdoor implant has gone through many versions, and Guerrero-Saade said the actor is still actively developing and maintaining Mafalda. The researchers saw indications of some other Metador implants, as well, but were not able to find the malware variants themselves. One of those implants is called Cryshell, and the other is an unnamed Linux-based tool.
The Metador actors host their command-and-control servers at a Dutch hosting provider. “Being a highly OPSEC aware actor, Metador manages their infrastructure rather carefully. Throughout the analysis of Metador infrastructure, much like its implants, we found no obvious overlaps with previously reported actors,” Guerrero-Saade said.
“In all Metador intrusions we’ve observed so far, the operators use a single external IP address per victim network at a time. That IP is utilized for command-and-control over either HTTP (metaMain, Mafalda) or raw TCP (Mafalda).”
The earliest timestamp in a metaMain sample that the SentinelLabs researchers discovered was Dec. 29, 2020. Guerrero-Saade said that although there are no concrete indications of who Metador is, the actor is clearly well-resourced and skilled.
“The limited number of intrusions and long-term access to targets suggests that the threat actor's primary motive is espionage. Moreover, the technical complexity of the malware utilized and its continuous active development suggests a well-resourced group, not only in a position to acquire multiple frameworks but also maintain and develop them further. Internal comments support that claim, as the developers provide guidance for a separate group of operators,” he said.
Metador so far has only been seen on a small number of victim networks, most of which are ISPs, telecom companies, or universities, all of which are common targets for APTs.