Metador APT hackers target telecommunications, ISPs, universities across the Middle East, Africa

SentinelLabs researchers provided details of an advanced threat actor called Metador that primarily targets telecommunications, internet service providers, and universities in several countries across the Middle East and Africa. The operators are highly aware of operations security, managing carefully segmented infrastructure per victim while deploying intricate countermeasures in the presence of security solutions. 

Metador’s attack chains are designed to bypass native security solutions while deploying malware platforms directly into memory and appear intended to provide long-term access in multiple redundant ways.

“Metador is notable precisely in their pragmatic combination of rudimentary techniques (e.g. LOLbins) with carefully executed advanced techniques (like per victim infrastructure segmentation, port knocking, and inscrutable custom anti-analysis techniques),” the researchers wrote in a report. “Their operations are massively successful precisely in that they’ve eluded victims, defenders, and threat intel researchers until now despite maintaining these malware platforms for some time.” 

The SentinelLabs researchers consider the discovery of Metador akin to a shark fin breaching the surface of the water. “It’s a cause for foreboding that substantiates the need for the security industry to proactively engineer towards detecting the true uppercrust of threat actors that currently traverse networks with impunity.”

SentinelLabs researchers discovered variants of two long-standing Windows malware platforms and indications of an additional Linux implant. During analysis, the researchers retrieved and analyzed examples of two different malware platforms used by Metador – ‘metaMain’ and ‘Mafalda.’ These Windows-based platforms are intended to operate entirely in-memory and never touch disk in an unencrypted fashion. Their chosen loading mechanisms are novel only in their pragmatism, easily eluding native security products and standard Windows configurations. 

The report adds that the internal versioning of Mafalda suggests that this platform has been in use for some time, and its adaptability during SentinelLabs’ engagement alone highlights active and continuing development. In addition, Mafalda’s internal documentation suggests the implant is maintained and developed by a dedicated team that leaves comments for a separate group of operators.

The researchers also identified additional implants. For example, the developers reference an implant called Cryshell, used for bouncing connections from an internal network to external command-and-control servers, with support for custom port knocking sequences. They also found evidence of unknown Linux malware that steals material from other machines in the target environment and routes the collected data back to Mafalda.
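Port knocking, as described for Cryshell above, means an implant sends a fixed sequence of connection attempts to closed ports before the real service is opened to it. From the defender’s side, the tell-tale trace is a short burst of dropped SYNs to several distinct ports from one source, followed within seconds by an accepted connection from the same source. The following detector is an added example, not code from SentinelLabs or the report; it runs over constructed iptables-style log lines (the log format, hosts and ports are all assumptions made up for the example) and flags that knock-then-accept pattern for analyst triage.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (iptables LOG-style, simplified); not real data.
# 10.0.5.20 performs a three-port knock and is then accepted on port 22.
# 10.0.5.21 hammers one closed port, then connects to 80 (not a knock sequence).
# 10.0.5.22 connects to 443 with no prior drops (ordinary traffic).
# 10.0.5.23 knocks, but its accept comes far outside the time window.
SAMPLE_LOG = """\
2024-01-15T10:00:01 DROP SRC=10.0.5.20 DST=10.0.5.5 PROTO=TCP DPT=7000 SYN
2024-01-15T10:00:02 DROP SRC=10.0.5.20 DST=10.0.5.5 PROTO=TCP DPT=8000 SYN
2024-01-15T10:00:03 DROP SRC=10.0.5.20 DST=10.0.5.5 PROTO=TCP DPT=9000 SYN
2024-01-15T10:00:05 ACCEPT SRC=10.0.5.20 DST=10.0.5.5 PROTO=TCP DPT=22 SYN
2024-01-15T10:00:06 DROP SRC=10.0.5.21 DST=10.0.5.5 PROTO=TCP DPT=445 SYN
2024-01-15T10:00:07 DROP SRC=10.0.5.21 DST=10.0.5.5 PROTO=TCP DPT=445 SYN
2024-01-15T10:00:08 DROP SRC=10.0.5.21 DST=10.0.5.5 PROTO=TCP DPT=445 SYN
2024-01-15T10:00:09 ACCEPT SRC=10.0.5.21 DST=10.0.5.5 PROTO=TCP DPT=80 SYN
2024-01-15T10:00:10 ACCEPT SRC=10.0.5.22 DST=10.0.5.5 PROTO=TCP DPT=443 SYN
2024-01-15T10:00:11 DROP SRC=10.0.5.23 DST=10.0.5.5 PROTO=TCP DPT=1111 SYN
2024-01-15T10:00:12 DROP SRC=10.0.5.23 DST=10.0.5.5 PROTO=TCP DPT=2222 SYN
2024-01-15T10:00:13 DROP SRC=10.0.5.23 DST=10.0.5.5 PROTO=TCP DPT=3333 SYN
2024-01-15T10:00:45 ACCEPT SRC=10.0.5.23 DST=10.0.5.5 PROTO=TCP DPT=22 SYN
"""

# Assumed log line layout: ISO timestamp, verdict, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>DROP|ACCEPT)\s+SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
    r"\s+PROTO=TCP\s+DPT=(?P<dpt>\d+)"
)


def parse_events(lines):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "src": m["src"],
            "dst": m["dst"],
            "dpt": int(m["dpt"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def find_knock_sequences(lines, min_knocks=3, window=timedelta(seconds=10)):
    """Flag (src, dst) pairs where >= min_knocks distinct closed ports were hit
    within `window` before an ACCEPT from the same source. Returns a list of hits."""
    by_pair = defaultdict(list)
    for e in parse_events(lines):
        by_pair[(e["src"], e["dst"])].append(e)

    hits = []
    for (src, dst), evs in by_pair.items():
        for i, e in enumerate(evs):
            if e["action"] != "ACCEPT":
                continue
            # Distinct dropped ports from this source inside the window before the accept,
            # kept in the order they were knocked so the analyst sees the sequence.
            knock_ports = []
            for d in evs[:i]:
                if d["action"] == "DROP" and e["ts"] - d["ts"] <= window:
                    if d["dpt"] not in knock_ports:
                        knock_ports.append(d["dpt"])
            if len(knock_ports) >= min_knocks:
                hits.append({
                    "src": src,
                    "dst": dst,
                    "knock_ports": knock_ports,
                    "opened_port": e["dpt"],
                    "accepted_at": e["ts"].isoformat(),
                })
    return hits


if __name__ == "__main__":
    for hit in find_knock_sequences(SAMPLE_LOG.splitlines()):
        print(f"possible port knock: {hit['src']} -> {hit['dst']} "
              f"knocked {hit['knock_ports']} then accepted on {hit['opened_port']}")
```

The window and minimum knock count are tuning knobs: a scanner sweeping many ports will also produce drops before an accept, so in practice this signal is worth correlating with the per-victim, single-IP infrastructure pattern the report describes (a rarely seen external peer that is contacted by exactly one internal host) rather than alerting on it alone.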

Due to a lag time in deploying adequate endpoint solutions to the relevant Linux servers, the researchers could not recover the implant. Therefore, there’s a possibility that this unknown Linux implant is equivalent to Cryshell, but it cannot be confirmed at this time. 

The Metador teams are highly aware of operations security and carefully manage their operations and infrastructure. They also leave no obvious attribution references, though some significant indicators of the kind of people involved are strewn across some of the components. Unfortunately, these do not come close to painting a complete picture of the threat actor or of any organization involved.

The researchers pointed to the limited number of intrusions and the long-term access to targets as suggesting that the threat actor’s primary motive is espionage. Moreover, the technical complexity of the malware used and its continuous active development suggest a well-resourced group, one in a position not only to acquire multiple frameworks but also to maintain and develop them further. Internal comments support that claim, as the developers guide a separate group of operators.

“Part of the difficulty in tracking the breadth of Metador’s operations involves their strict adherence to infrastructure segmentation,” the report stated. “The attackers use a single IP per victim and build. An analysis of the exhaust surrounding these servers was inconclusive in determining the trajectory of the data once at these VPSes. It’s possible that they serve merely as front-facing forwarders to a more complex anonymizer network, fitting with the general network OpSec observed. That said, open ports also allow for the possibility of meticulous manual administration.”

SentinelOne researchers “believe that we’ve only seen a small portion of the operations of what’s clearly a long-running threat actor of unknown origin and don’t exhaustively represent their target verticals or regions. We hope that further collaboration with the broader community will expand that situational awareness.”

The report said that attribution of Metador remains a mystery. “We encountered multiple languages, with diverse idiosyncrasies indicative of multiple developers. There are indications of separation between developers and operators. And despite a lack of samples, the version history for at least one of the platforms suggests a history of development that extends far beyond the intrusions we’ve uncovered,” it added.

“An interesting divergence in build times suggests a possible working timezone of UTC+1,” the report said. “And cultural references include a Latin American cartoon popular throughout the Hispanic diaspora since the 1950s, as well as a quote from a popular 80’s British Pop Punk band. While the targets suggest state interests, we vaguely suspect a contractor arrangement.”

In conclusion, the SentinelOne researchers said that running into Metador is a daunting reminder that a different class of threat actors continues to operate in the shadows with impunity. Previous threat intelligence discoveries have broadened our understanding of the kind of threats out there, but the collective ability to track these actors remains inconsistent at best. Developers of security products, in particular, should take this as an opportunity to proactively engineer their solutions towards monitoring the most cunning, well-resourced threat actors. Unfortunately, high-end threat actors thrive in a market that rewards compliance and perfunctory detections.

In June, Palo Alto Networks’ Unit 42 team identified a new, difficult-to-detect remote access trojan named PingPull being used by Gallium APT group. Data disclosed that Gallium remains an active threat to telecommunications, finance, and government organizations across Southeast Asia, Europe, and Africa.

Before that, in April, IBM Security X-Force identified a phishing email campaign, running since February this year, by Hive0117, a likely financially motivated cybercriminal group, designed to deliver the fileless malware variant dubbed DarkWatchman. The campaign masquerades as official communications from the Russian Government’s Federal Bailiffs Service; the Russian-language emails are addressed to users in Lithuania, Estonia, and Russia in the telecommunications, electronics and industrial sectors.
