Cybersecurity sleuths at SentinelLabs are calling on the wider threat hunting community to help decipher a new mysterious malware campaign hitting telcos, ISPs and universities in the Middle East and Africa.
The never-before-seen threat actor, called Metador, uses sophisticated technical measures to deploy Windows-based malware implants and clever tricks to avoid detection, but despite months of inspecting the code, SentinelLabs researchers say there’s still no clear, reliable sense of attribution.
At the recent LABScon security conference, SentinelLabs malware hunters Juan Andres Guerrero-Saade, Amitai Ben Shushan Ehrlich, and Aleksandar Milenkoski shared technical artifacts associated with Metador and kick-started a crowdsourced effort to better understand the adversary.
“We urge defenders in targeted verticals, regardless of location, to check their telemetry for the possible presence of Metador components and to share samples and indicators with the broader research community,” the SentinelLabs team said.
The research team said attempts to attribute Metador ran into multiple roadblocks and prevented complete documentation of the threat actor.
From the Metador report:
“Attributing Metador remains a garbled mystery. We encountered multiple languages, with diverse idiosyncrasies indicative of multiple developers. There are indications of a separation between developers and operators. And despite a lack of samples, the version history for at least one of the platforms suggests a history of development that extends far beyond the intrusions we’ve uncovered.
An interesting divergence in build times suggests a possible working timezone of UTC+1. And cultural references include a Latin American cartoon popular throughout the hispanic diaspora since the 1950s, as well as a quote from a popular 80’s British Pop Punk band. While the targets suggest state interests, we vaguely suspect a contractor arrangement.”
The research team said the hacking teams behind Metador are heavily focused on collection operations aligned with state interests, but noted there are indications this may be the work of a “high-end contractor arrangement” not tied to a specific country.
A technical appendix with IOCs and analysis of the toolset is publicly available for external groups to pick apart the notes, hunt for additional components and share findings in a crowdsourced project.
Matador isn’t the first enduring mystery in the advanced threat actor space where highly skilled and well-resourced hacking teams operate.
Here’s a partial list, compiled with the help of expert malware hunter Costin Raiu, of major malware campaigns that remain unattributed, or where there are significant gaps in research knowledge:
— TajMahal — A sophisticated APT framework exposed in 2019 that included backdoors, loaders, orchestrators, command and control (C&C) communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptographic key stealers, and a file indexer. Despite this high level of sophistication, only a solitary TajMahal victim was found (a diplomatic entity from a country in Central Asia), suggesting a level of stealth that still leaves researchers dumbfounded. Project TajMahal also remains unattributed.
— Strider/Sauron — Strider, aka Sauron, was described as “the pinnacle of cyberespionage tools” that used a cocktail of zero-days and unknown, never-identified methods to deploy implants on .gov targets in several counties. The malware tools used were capable of stealing information from air gapped networks and supported multiple covert exfiltration channels on various protocols. As with TajMahal, Strider/Sauron remains unattributed, despite obvious signs suggesting the handiwork of nation state-backed hackers.
— The Encrypted Gauss Payload — Back in 2012, the Gauss campaign was caught hijacking passwords, banking credentials, and browser cookies from machines connected to Lebanese banks, the first signs of a nation state-backed malware campaign combining data theft with cyberespionage. An enduring mystery of Gauss is the use of a module named Godel that features an encrypted payload. To this day, no one has managed to break the Gauss payload encryption.
— DarkUniverse — This campaign was described as the 27th function of a ShadowBrokers script that was included in the 2017 ‘Lost in Translation’ leak and which was designed to check for traces of other APTs on infected machines. After operating a full cyber-espionage framework undetected for at least eight years, DarkUniverse’s creators suspended the work without being attributed.
Related: DarkUniverse APT Uses Just-in-Time Malware Creation
Related: “Strider” Espionage Group Targets China, Russia, Europe
Related: TajMahal APT Can Steal Data From CDs, Printer Queues