researchers just recently discovered its operations while examining a series of intrusions at one organization

Continue reading
A previously unidentified high-line attack gang that has infiltrated telcos, colleges, ISPs, and other institutions throughout the Middle East and Africa using specialized malware platforms and long-established tools has been discovered by researchers. The group's origins and its affiliation with any governments or private actors are yet unknown.
The group has been active for some time, but SentinelLabs researchers just recently discovered its operations while examining a series of intrusions at one organization. Several APT outfits, including Chinese and Iranian ones, had compromised that organization. Researchers uncovered a new actor in the environment known as Matador, who had deployed multiple bespoke pieces of malware, including Linux implants. The most recent attack organization is very skilled, has demonstrated the capacity to bypass security technologies, and employs a distinct architecture for various victims. Metador focuses primarily on cyber espionage, and SentinelLabs experts believe the actor could be a high-level contractor rather than an intelligence agency or other governmental institution.
The pragmatic blending of simple techniques (like LOLbins) with meticulously executed complex approaches is what makes Metador stand out (like per victim infrastructure segmentation, port knocking, and inscrutable custom anti-analysis techniques). Juan Andres Guerrero-Saade, senior director of SentinelLabs at SentinelOne, stated that the reason their operations have been so successful is because they have evaded victims, defenders, and threat intelligence researchers up until this point despite maintaining these malware platforms for some time.
There is now no definite notion of attribution. There are several developers and operators who speak both English and Spanish, along with a variety of cultural allusions, according to the traces. We came across a variety of languages with unique quirks that were the result of different developers. Separation between developers and operators is already apparent. Although there aren't any samples, the version history for at least one of the platforms indicates that there have been considerably more advancements than the breaches we've found.
Guerrero-Saade revealed the latest Metador study at the LabsCon conference here on Thursday.
SentinelLabs detected two types of malware on Windows machines: metaMain and Mafalda, both of which function only in memory. Matador keeps its operational security very tight and employs a single IP address and build for each victim. Guerrero-Saade stated that the attacker is well-versed in basic Windows security tools and has demonstrated the capacity to quickly adapt when new devices are placed on a compromised system. The researchers were unable to identify the initial infection vector for any of the machines Metador affected.
The Metador operators can select from a variety of execution flows once they have arrived at the target in order to load one or more of their modular frameworks. To start the decryption of a multi-mode implant we termed "metaMain" directly into memory, for instance, the execution flow employed on our Magnet of Threats combines a WMI persistence method with a peculiar LOLbin.
“Although metaMain has a lot of features, in this instance the Metador operators used the metaMain implant to decrypt and load the "Mafalda" modular framework into RAM. Mafalda is a versatile, interactive implant that can respond to more than 60 commands.”
Mafalda looks to be a key part of Metador’s arsenal, and the actor takes great care to protect it and prevent it from being detected by security tools. The backdoor implant has gone through many versions, and Guerrero-Saade said the actor is still actively developing and maintaining Mafalda. The researchers saw indications of some other Metador implants, as well, but were not able to find the malware variants themselves. One of those implants is called Cryshell, and the other is an unnamed Linux-based tool.
The Metador actors host their command-and-control servers at a Dutch hosting provider. “Being a highly OPSEC aware actor, Metador manages their infrastructure rather carefully. While analyzing Metador infrastructure, much like its implants, we found no obvious overlaps with previously reported actors,” Guerrero-Saade said.
“In all Metador intrusions we’ve observed so far, the operators use a single external IP address per victim network at a time. That IP is utilized for command-and-control over either HTTP (metaMain, Mafalda) or raw TCP (Mafalda).”
The earliest timestamp in a metaMain sample that the SentinelLabs researchers discovered was Dec. 29, 2020. Guerrero-Saade said that although there are no concrete indications of who Metador is, the actor is clearly well-resourced and skilled.
“The limited number of intrusions and long-term access to targets suggests that the threat actor's primary motive is espionage. Moreover, the technical complexity of the malware utilized and its continuous active development suggests a well-resourced group not only in a position to acquire multiple frameworks but also maintain and develop them further. Internal comments support that claim, as the developers guide a separate group of operators,” he said.
Metador has only been seen on a few victim networks, most of which are ISPs, telecom companies, or universities, all of which are common targets for APTs.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.