A previously undetected hacking group, tracked as Metador, has been targeting telecommunications, internet services providers (ISPs), and universities for about two years.
SentinelLabs researchers uncovered a never-before-seen threat actor, tracked as Metador, that primarily targets telecommunications, internet service providers, and universities in several countries in the Middle East and Africa.
The experts pointed out that the attack chains employed by the threat actors are designed to bypass native security solutions while deploying malware platforms directly into memory. The attackers are highly aware of operations security, they are able to manage carefully segmented infrastructure per victim, and were observed quickly deploying intricate countermeasures in the presence of security solutions.
The experts reported that a telecommunications company targeted by Metador had already been breached by nearly ten threat actors originating from China and Iran, including Moshen Dragon and MuddyWater.
SentinelLabs discovered two windows malware platforms, dubbed ‘metaMain’ and ‘Mafalda,’ and evidence of the existence of an additional Linux implant.
The attackers used the Windows debugging tool “cdb.exe” to decrypt and load both malware in memory.
Mafalda is a flexible implant that supports up to 67 commands, it was continuously upgraded by the threat actors, and the newer variants of the threat are highly obfuscated.
Below are some of the commands detailed by SentinelLabs:
- Command 55 – Copies a file or directory from an attacker-provided source filesystem location to an attacker-provided destination file system location.
- Command 60 – Reads the content of%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Local State and sends the content to the C2 with a name prefixed with
- Command 63 – Conducts network and system configuration reconnaissance
- Command 67 – Retrieves data from another implant that resides in the victim’s network and sends the data to the C2
The researchers that when the TCP KNOCK communication method is enabled, the metaMain and Mafalda implants can establish an indirect connection to the C2 server through another implant internally referred to as ‘Cryshell’. Both malware authenticates themselves to Cryshell through a port-knocking and handshake procedure.
“Mafalda authenticates itself to Cryshell Mafalda authenticates itself to Cryshell Mafalda also supports retrieval of data from Linux machines with another implant that sends data to the C2 as part of a packet with a name prefixed with loot_linux. Though it’s possible that this unnamed Linux implant and Cryshell are the same, Mafalda authenticates itself to the Linux implant through a different port-knocking and handshake procedure.” reads the analysis published by the researchers.
The analysis of the C2 infrastructure revealed that Metador uses a single external IP address per victim network, which is utilized for command-and-control over either HTTP (metaMain, Mafalda) or raw TCP (Mafalda). In all confirmed intrusions, the C2 servers were hosted on the Dutch hosting provider LITESERVER.
“In addition to HTTP, external Mafalda C2 servers also support raw TCP connections over port 29029. We also observed some of Metador’s infrastructure host an SSH server at an unusual port. While SSH is commonly used for remote access to *nix systems, we find it hard to believe that a mature threat actor would expose their infrastructure in such a way. Instead, it’s likely those were used to tunnel traffic through Mafalda’s internal portfwd commands.” continues the analysis.
Who is behind Metador?
At this time, the experts are not able to attribute the activity to a known APT group, however, researchers argue that behind it could be linked to “a high-end contractor arrangement.”
“Running into Metador is a daunting reminder that a different class of threat actors continues to operate in the shadows with impunity.” concludes the report.
The complete analysis is available here:
(SecurityAffairs – hacking, APT)