[MART] - Daily Diary #603 - Metador, a Previously Unknown Hacking Group

ctas-mat at appgate.com ctas-mat at appgate.com
Tue Sep 27 20:49:32 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

09/27/2022 - Diary entry #603:

Metador is a previously unknown hacking group, active since at least December 2020, that has been attacking organizations in the Middle East and Africa to make long-term persistence for espionage. Among their victims, there are telecommunication providers, Internet Service Providers (ISPs), and universities.

The group uses two Windows-based malicious programs named “metaMain” and “Mafalda”, both decrypted and executed directly in memory via "cdb.exe", a Microsoft Windows debugging tool – used as a LoLBin (Living Off the Land binary), to avoid raising suspicious behavior on the compromised host. The metaMain malware is a full-featured backdoor used for taking screenshots, performing file manipulation, logging keyboard events, executing arbitrary shellcode, and ultimately decrypting and loading Mafalda.

Mafalda is a versatile implant that supports more than 60 commands for file operations, reading directory contents, registry manipulation, network and system reconnaissance, and data exfiltration to the command and control (C2) server.

Moreover, there is also evidence of additional implants that act as an indirect connection between Mafalda and the C2 server. On Windows, one of these implants is a custom malware named CryShell and on Linux, an unnamed one that Mafalda authenticates itself via a different port-knocking and handshake procedure.

Based on the documentation for Mafalda's commands, it suggests that the malware is operated by a different team besides the one that develops it. Therefore, we believe that Metador is a group formed by skilled threat actors due to the complexity of their malware toolkit and modus operandi.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>


Malware Analysis and Research Team

E: ctas-mat at appgate.com<mailto:ctas-mat at appgate.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20220927/98ddedec/attachment.htm>

More information about the MART mailing list