A previously unknown threat actor that researchers have named ‘Metador’ has been breaching telecommunications, internet services providers (ISPs), and universities for about two years.
Metador targets organizations in the Middle East and Africa and their purpose appears to be long-term persistence for espionage. The group uses two Windows-based malware that have been described as “extremely complex” but there are indications of Linux malware, too.
Researchers at SentinelLabs discovered Metador in an telecommunications company in the Middle East that had already been breached by about ten other threat actors originating from China and Iran, among them Moshen Dragon and MuddyWater.
Analysis of the malware and the infrastructure did not reveal clues to attribute Metador with sufficient confidence, one characteristic of the group being that it is “highly aware of operations security.”
SentinelLabs notes in their report that Metador is “managing carefully segmented infrastructure per victim, and quickly deploying intricate countermeasures in the presence of security solutions.”
The researchers discovered the new threat group after the victim organization deployed Singularity, SentinelOne’s extended detection and response (XDR) solution months after Metador compromised its network.
Thus, details about the initial infection vector are not available. The two Windows-based malware frameworks, dubbed ‘metaMain’ and ‘Mafalda’, run in only in system memory, leaving no unencrypted trace on the compromised host.
The custom implants were decrypted and loaded in memory through “cdb.exe,” the debugging tool in Windows – used in this attack as a LoLBin (living-off-the land binary) – to decrypt and loading in memory the two custom ‘metaMain’, and ‘Mafalda’, two custom Windows malware frameworks.
Mafalda is a versatile implant that can accept up to 67 commands, while its multi-layered obfuscation makes it difficult to analyze in detail.
The commands include file operations, reading contents of directories, manipulate the registry, reconnaissance of the network and the system, and exfiltrating data to the command and control (C2) server.
Mafalda is likely developed by a dedicated team of authors, as SentinelLabs saw comments in the code addressed to the operators.
The metaMain implant is used for more “hands-on” operations, like taking screenshots, performing file actions, logging keyboard events, and supports arbitrary shellcode execution.
While the CBD approach was used in the observed case to initiate the execution flow, metMain supports additional methods described in greater detail in SentinelLabs’ technical report.
By digging deeper, the analysts found indications of a custom implant used for internal network bouncing named ‘Cryshell’ and an unnamed Linux tool that steals data from workstations and channels them back to Mafalda.
SentinelLabs isn’t sure if Cryshell and the Linux implant are different but underscore a difference in the port-knocking and handshake procedure during authentication with Mafalda, pointing to two distinct tools.
The custom implants and strict segmentation of the attack infrastructure (using a single IP address per victim and malware build) makes tracking Metador particularly challenging.
Combined with the use of malware that runs entirely in memory and LoLBins, this allows the threat actor to stay hidden on victim networks for long periods without raising the suspicion of a compromise.
However, despite these difficulties, SentinelLabs’ investigation revealed that some metaMain samples dated since late December 2020, according to the timestamp in the execution log.
Moreover, the complexity of the malware and its active development point to a well-resourced group that can improve the tools further.
The researchers also found that the developers had documented the malware frameworks and provided “guidance for a separate group of operators.”
Clues in the language used indicate that the developers are fluent in English, each with their indiosyncrasies; however the developer team is likely to have non-native English speakers. Spanish was also present in the code for Mafalda, referencing the homonymous cartoon in Argentina.
Based on the documentation for Mafalda’s commands, it appears that a dedicated team develops the malware and a different group is operating it.
Linguistic and cultural breadcrumbs are insufficient for clear attribution in this case. However, SentinelLabs researchers theorize that behind Metador is “a high-end contractor arrangement,” like one typical for a nation-state operation.