Posted on September 26, 2022 at 7:22 AM
Researchers have detected a new threat actor that has been compromising internet service providers (ISPs), universities, and telecommunications companies for around two years. The recently discovered threat actor has been named “Metador.”
New threat actor, Metador, uncovered
Metador is a threat actor that targets organizations operating in Africa and the Middle East. The activity appears to be a long-term espionage campaign. Metador uses two Windows-based malware platforms, which researchers describe as “extremely complex.” There are also indications that Linux malware may have been used as well.
Researchers at SentinelLabs detected the Metador malware at a telecommunications company in the Middle East. That company had previously been targeted by around ten other threat actor groups based in Iran and China, including MuddyWater and Moshen Dragon.
Analysis of the malware and its underlying infrastructure did not reveal any clues that would allow Metador to be attributed with high confidence. Instead, one of the group’s distinguishing features is its awareness of operational security.
In its report, SentinelLabs also notes that Metador maintained segmented infrastructure for each victim and quickly deployed countermeasures when security solutions were installed.
Researchers identified the new threat actor group after the victim organization deployed Singularity, the extended detection and response (XDR) solution offered by SentinelOne. The solution was deployed months after Metador had compromised the organization’s network.
Because the XDR was deployed after the malware was already present, data on the initial infection vector is unavailable. The two Windows malware frameworks, MetaMain and Mafalda, operate in system memory and do not leave any trace on the affected host.
The custom implants were also stored encrypted, and the “cdb.exe” debugging tool was used to decrypt them and load the “MetaMain” and “Mafalda” custom Windows malware frameworks into memory.
Mafalda is an implant that accepts up to 67 commands. It is also stealthy in operation, making it hard to analyze in detail. The commands include file operations, listing directory contents, transferring data to the command and control server, and manipulating the registry.
According to SentinelLabs, a dedicated group of authors most likely created Mafalda, based on several comments in the code addressed to the operators. The MetaMain implant was used for “hands-on” operations such as capturing screenshots, performing file actions, logging keyboard events, and executing arbitrary shellcode.
In the observed case, the execution flow was initiated through the cdb.exe approach. However, according to the SentinelLabs report, MetaMain supports a wide range of execution methods.
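As an added illustration (not code from the article or the SentinelLabs report), the following Python scores process-creation events for the loader pattern described above: the Microsoft console debugger cdb.exe launched from an unexpected location, by a scripting shell, with a command script. The event records are constructed, and the -c/-cf/-cfr switches (cdb’s command-string and command-file options) are assumed here to be the relevant indicator of the debugger being driven by a script.

```python
import json
import re
from typing import Dict, Iterable, List, Tuple

# Constructed Sysmon-style process-creation events (JSON lines). These are
# made-up records for illustration, not telemetry from the report.
SAMPLE_EVENTS = r"""
{"Image":"C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\cdb.exe","CommandLine":"cdb.exe -g -G notepad.exe","ParentImage":"C:\\Windows\\explorer.exe"}
{"Image":"C:\\Users\\Public\\cdb.exe","CommandLine":"cdb.exe -cf C:\\Users\\Public\\init.txt -o C:\\Windows\\System32\\svchost.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"Image":"C:\\Windows\\System32\\svchost.exe","CommandLine":"svchost.exe -k netsvcs","ParentImage":"C:\\Windows\\System32\\services.exe"}
""".strip()

CDB_NAME = re.compile(r"(?:^|\\)cdb\.exe$", re.IGNORECASE)
# Where the Windows SDK/WDK installs the debugging tools; cdb.exe anywhere else is odd.
TRUSTED_DIR = re.compile(r"\\Windows Kits\\[^\\]+\\Debuggers\\", re.IGNORECASE)
# -c runs a command string, -cf/-cfr run a command file (assumed loader indicator).
SCRIPT_ARG = re.compile(r"(?:^|\s)-(?:cfr|cf|c)\b", re.IGNORECASE)
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def assess_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event resembles cdb.exe being used as an in-memory loader."""
    image = event.get("Image", "")
    if not CDB_NAME.search(image):
        return []  # not the debugger at all
    reasons = []
    if not TRUSTED_DIR.search(image):
        reasons.append("cdb.exe running outside the Windows Kits debugger directory")
    if SCRIPT_ARG.search(event.get("CommandLine", "")):
        reasons.append("debugger given a command script at launch (-c/-cf/-cfr)")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in SHELL_PARENTS:
        reasons.append(f"launched by a scripting shell ({parent})")
    return reasons


def scan(lines: Iterable[str], min_reasons: int = 2) -> List[Tuple[str, List[str]]]:
    """Flag events with at least min_reasons corroborating signals, to limit noise
    from developers who legitimately run cdb.exe."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = assess_event(event)
        if len(reasons) >= min_reasons:
            hits.append((event.get("CommandLine", ""), reasons))
    return hits
```

Running `scan(SAMPLE_EVENTS.splitlines())` flags only the second event; the developer’s cdb.exe session from the SDK directory and the unrelated svchost.exe start are left alone.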
Further analysis also revealed indications of a custom implant deployed for internal network bouncing, known as “Cryshell.” A Linux tool that steals data from workstations and sends it back to Mafalda was detected as well.
SentinelLabs has not clarified whether Cryshell and the Linux implant are different tools. However, it points to a difference in the handshake and port-knocking procedure each uses to identify itself to Mafalda, signaling two distinct tools.
Metador’s stealth operation
The custom implants, alongside the strict segmentation of the attack infrastructure, have made it difficult to track the Metador threat actor. Combined with malware that runs entirely in memory and the use of LOLBins, this allows Metador to operate undetected on victim networks for an extended period without raising suspicion.
Despite these challenges, the SentinelLabs investigation found that some of the obtained MetaMain samples date back to December 2020, based on a timestamp in the execution log. Additionally, the complexity of the malware and its active development point to a well-resourced group that can keep investing in the tools.
The investigation further indicates that the developers documented the malware’s framework while offering guidance to a separate group of operators.
The language used by the developers shows that they are fluent in English. However, there are signs that they were non-native English speakers, as Spanish was also used in the code for creating Mafalda.
The documentation for Mafalda’s commands likewise shows that a dedicated team was behind the malware’s development while another group operated it. However, the linguistic and cultural clues are insufficient to identify the threat actors.
According to researchers from SentinelLabs, the threat actor behind Metador seems to be operating under “a high-end contractor arrangement.” Therefore, the threat actor could have been running a state-backed operation.