Metador, an unprecedented APT that has targeted ISPs for nearly two years for security affairs

Metador, an unprecedented APT that has targeted ISPs for nearly two years for security affairs

A previously undetected hacking group, tracked under the name Metador, has been targeting telecoms, Internet service providers (ISPs) and universities for nearly two years.

Sentinelabs researchers have uncovered an unprecedented threat agent, traced to the name Metador, that primarily targets telecoms, ISPs and universities in several countries in the Middle East and Africa.

Experts noted that the attack chains used by attackers are designed to bypass native security solutions while spreading malware platforms directly into memory. Attackers are well aware of operational security, are able to carefully manage the fragmented infrastructure of each victim, and have been quickly noticed deploying complex countermeasures with security solutions in place.

Experts have reported that a telecom company targeted by Metador has already been hacked by nearly a dozen threats from China and Iran, including Moshen Dragon and MuddyWater.

SentinelLabs has detected two malware platforms for windows, dubbed “metaMain” and “Mafalda”, and evidence of an additional Linux implant.

The attackers used the Windows debugging tool “cdb.exe” to decrypt and load both malware into memory.

Mafalda is a flexible implant that supports up to 67 commands, and it has been constantly upgraded by threat actors, and newer threat variants are very ambiguous.

Here are some commands detailed by SentinelLabs:

  • command 55 Copying a file or directory from a source file system location provided by the attacker to a destination file system location provided by the attacker.
  • command 60 – reads the content of %USERPROFILE%AppDataLocalGoogleChromeUser DataLocal State and sends the content to C2 with a name prefixed with loot.
  • command 63 – Perform network and system configuration survey
  • Command 67 – retrieves data from another implant in the victim’s network and sends the data to C2

The researchers say that when the TCP KNOCK connection method is enabled, the metaMain and Mafalda implants can establish an indirect connection to the C2 server through another implant referred to internally as a “Cryshell”. Both malware authenticate themselves to Cryshell by performing port-and-handshake methods.

“Mafalda authenticates itself to Cryshell Mafalda Authenticates itself to Cryshell Mafalda and supports retrieving data from Linux machines using another implant that sends data to C2 as part of a package with a name prefixed with loot_linux. Although it is possible that the unnamed Linux implant and Cryshell are the same Mafalda authenticates itself to the Linux implant through a different port-throwing and handshaking procedure.” It reads Analytics published by the researchers.

C2 infrastructure analysis revealed that Metador uses one external IP address per victim network, which is used for command and control either over HTTP (metaMain, Mafalda) or raw TCP (Mafalda). In all confirmed intrusions, C2 servers were hosted on Dutch hosting provider LITESERVER.

In addition to HTTP, Mafalda C2 external servers also support raw TCP connections over port 29029. We also noticed that some Metador infrastructure hosts an SSH server on an unusual port. While SSH is commonly used for remote access to *nix systems, we find it difficult in the belief that a mature threat actor might expose its infrastructure in this way. Rather, it is likely that those were used to route traffic through Mafalda’s internal portfwd commands.” Continue the analysis.

Who is behind Metador?

At this time, experts cannot attribute the activity to a known APT group, however, the researchers argue that behind it may be linked to an “evolving contractile arrangement”.

“Running in the Metador is a frightening reminder that a different class of threat actors continue to operate in the shadows with impunity.” The report concludes.

The full analysis is available here:

https://assets.sentinelone.com/sentinellabs22/metador

Follow me on Twitter: Tweet embed And the Facebook

Pierluigi Paganini

(Security hacking, APT)





#Metador #unprecedented #APT #targeted #ISPs #years #security #affairs

Leave a Comment

Your email address will not be published. Required fields are marked *