LABScon Replay | The Mystery of Metador

The term ‘Magnet of Threats’ is used to describe targets so desirable that multiple threat actors regularly cohabitate on the same victim machine in the course of their collection. In the process of responding to a series of tangled intrusions at one of these Magnets of Threats, SentinelLabs researchers encountered an entirely new threat actor: ‘Metador’.

Metador’s intrusions were located primarily in telcos, ISPs, and universities in the Middle East and Africa, but that is likely only a small portion of the operations of what is clearly a long-running threat actor of unknown origin.

In this presentation, SentinelLabs’ researchers Juan Andres Guerrero-Saade, Amitai Ben Shushan Ehrlich, and Aleksandar Milenkoski lay out how they discovered this previously unknown threat actor, the challenges of reversing Metador’s custom, highly-obfuscated backoors, and the intriguing clues left by the threat actor’s own logs and artifacts as to their real identity.

Enjoy the LABScon presentation as it was presented live in the video and transcript below, read the published report, and dive into the intricacies of the threat actors’ anti-analysis techniques in a dedicated post on the Mafalda malware, one of Metador’s custom backdoors discovered in this fascinating research.

The Mystery of Metador.mp4: Audio automatically transcribed by Sonix

The Mystery of Metador.mp4: this mp4 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.

Juan Andres Guerrero-Saade:
We're going to talk today about a bit of a mystery. And we really do mean it like we do mean mystery. It's not just sort of trying to hype something up or obfuscate the truth and pretend that we don't know what we do. In reality, we're dealing with something. We're fairly unfamiliar and. Confused by. And we're hoping that this conference is actually going to do a lot to help us in that direction.

So first and foremost, I'm Juan Andres Guerrero-Saade, Jags, your host, you are very familiar with me, Alex, here over at SentinelLabs with me and Amitai, who was actually part of our internal research team with Brian Bartholomew and Chris Saint Myers. And this has been like a big joint research effort that we've been doing across our different research teams together. Our Metador friends would probably refer to us as fellow hackers. But we'll get into that in a little bit.

So I just wanted to set a little bit of context, Right. Thomas was up here. He talked about the equation group drop Regen. There's been a lot of discussions about these big APTs. And frankly, it's always fascinating to me because I'm obsessed with that side of the house. I love the big flashy APTs and the things nobody knows about and understanding what big intelligence agencies are doing and the capabilities they've developed that we could only dream of. And among those, I mean, right, we talked about Equation Group, we talked about Regin. We talk about DuQu one and two, but Barr, Project, Sauron, REM, sex, Strider, whatever you want to call them, Kirito, Wild Neutron Flame, one and two.

Juan Andres Guerrero-Saade:
And the truth is that these are all amazing discoveries, each one of them redefining what we thought was possible, how we understood the threat landscape. But beyond redefining what's possible, I think they also showed us a sort of weakness, a giant blind spot. Not only did we not know what they were doing before, the fact that they were discovered and published on doesn't mean that we know where they are now. It doesn't mean that we actually know where these apex predators are at any given moment.

And I think the truth is that we've accepted a form of partial blindness. We've said, you know, these are the one percenters. We'll catch a glimpse from time to time. And it's kind of okay that we don't see them. Maybe because you ideologically agree with them, maybe because you think they're not in your target area or frankly, because it's hard, because a lot of security products are not being developed in the right way because a lot of visibility keeps sort of fraying for us and things that we used to rely on, like VT don't have the same level of samples that they had anymore. And there's so many ways that things are getting more difficult for us, and we've accepted that partial blindness.

The question that I want to press here is do we still think that those one percenters are the sole proprietors of that level of capabilities? And with that nagging thought. I'll hand over to Amitai.

Amitai Ben Shushan Ehrlich:
So our story begins like many other interesting stories. It appears with a magnet, a magnet of threats and networks that was interesting enough to draw the attention of several state sponsored actors. When we got there, it was very much compromised and the first thing we noticed when we got there was actually traces of the muddy paws of Kitten. Muddy Water were very much active in that network, deploying their powerful backdoors, registering schedule tasks, and also moving laterally, using a WMI exec like a lot of other actors. And when we started monitoring their activity over WMI exec, we noticed something weird.

There is this big cluster of activity here related to Muddy Water and with a WMI exec, But there is another actor here also running a lot of stuff with WMI exec. And that's when we realized we also have to deal with pandas roaming around the network and not just one. Over the time that we looked at this magnet of threats, we found over four different clusters of Chinese espionage activity, very much active in the network.

At this point, we realized we have we were dealing with a very interesting network, a very interesting target, and we started actively monitoring and hunting for new threats. And we did find a lot of unattributed activity, a lot of new activities. But above all of them, one stood out and it wasn't a kitten, nor a panda, but. A bull. And when I say a bull, you guys probably imagine this magnificent animal with its horns and robotic features.

Amitai Ben Shushan Ehrlich:
But this is not our our bull. Looks like our bull actually looked like this. The actual bull in the room was actually execution of the Microsoft console debugger, a legitimate debugging tool of by Microsoft executed with the debugging script stored in CDB.ini. Debugging the legitimate Windows process defrag.exe. And we noticed this activity looked quite suspicious, quite malicious. And knowing that the Microsoft console debugger is a legitimate process and also defrag is a legitimate process, we understood whatever is causing this malicious activity is probably stored in the debugging script in CDB.ini.

So we started looking into that and when we opened it, we saw like this huge string of hexadecimal values and we were like, okay, that's interesting. It's it's a cut here. But it was very, very long and we started looking into the actual contents of the script. What it does, it reads the long hexadecimal string as quad word values. That's the eq and runs them at the entry point of the binary, that's the X entry and then detaches. Effectively what it means is actually run this shell code stored in this long string at the start of the binary. Now the usage of the Microsoft console debugger is documented and read information about it online as a tool to use as a LOL bin.

Amitai Ben Shushan Ehrlich:
But that was quite unusual and interesting. So we try to take this long hexadecimal string and turn it into a shell code. Look how it actually looked like and this is how it looked like.

Quite a standard shell code. And what it does is reads an additional file stored in speech02.db and load it into memory and run it. At this point we realized, okay, we have this long chain of staging a very interesting malware and we started reconstructing the entire image and this is what we got to.

So as you can see, we have the cdb.exe, the Microsoft console debugger, running the injector script, injecting the shell code into defrag.exe. This in turn will load speech02.db. This is a reflective loader which will load speech03.db. Surprisingly, speech03.db is actually a fully comprehensive implant that we call meta main. This entire framework that I just talked about is the persistent mechanism behind meta main.

And interestingly enough, in this context, Meta main was used to load an additional implant called Mafalda. Mafalda is a second implant which was used in the same chain. And those two implants are very much interesting and very much unusual in today's landscape. They contain a lot of interesting functionality and Alex here reversed the hell out of them and is going to talk about what's so interesting about it.

Aleksandar Milenkoski:
So it's just for the next slide. Yeah. So I will give you an overview of the two backdoors that we observed in the campaign that Amitai just mentioned, Metador and Mafalda. And I will I if.

Juan Andres Guerrero-Saade:
They can't hear you. Can you put the mic up, please?

Aleksandar Milenkoski:
It's good. Now you can hear me. Cool. No, no, no, no, no. I totally get it.

Okay, so coming back to my point, I will give you an overview of the two backdoors that we covered and that we observed in our investigations. And then we'll also cover some specifics that I think are relevant in this context.

So first MetaMain, it comes. It's an implant that comes with two modes, basically meta and main. Hence the name. So meta. The meta module does actually shell code execution, which means it's pretty basic functionality. That means the operator provides a path to a shell code file.

MetaMain decrypts the file and jumps to its entry point. So it's a typical classical shell code execution scenario, whereas the main mode does a couple of things more.

So keyboard and mouse event logging. In this sense, the metamain implant logs low level keyboard and mouse events, store them into a file, takes also screenshots at regular time interval, stores them into a file as well, implements certain backdoor commands. The operator can, for example, enumerate files in a directory, upload and download a file, and can also even invoke the meta functionality of the method and implement achieve arbitrary shell code execution. With that, it's a kind of a recursive invocation thing that are going on.

When it comes to talking to the C2, the metamain implants implant implements three main modes tcp role, http and named pipe. So the HTTP communication mode involves metamain sending get and post requests to the remote C2 server. The named pipe involves talking to a local process on the on the machine where the metamain implant runs, whereas that process proxies or relays the communication between the remote C2 instance and the metamain implant itself.

Aleksandar Milenkoski:
Now the tcp role communication mode is a bit more complex, so it involves the metamain implant talking to another implant, which we call cry shell based on some string resources that we observed in the implant itself. Similarly to the named pipe communication. So the cryshell implant also relays or proxies, the communication between the remote C2 server and the main implant itself.

However, to talk with the cryshell implant metamain first has to authenticate itself to it. So in order to do this, it does kind of a complex port knocking procedure. So it's a that's a typical mode that we also observed in the context of Mafalda when it comes to network communication. I will come to that in a second.

So in summary, metamain is an implant which implements rather relatively basic vector functionalities. However, is the first malware that's staged on the system, and it's a malware that's started after system reboot, which means that the malware is there to maintain persistence from an operational perspective that its main goal and it's also a cog in an orchestration chain, something that I, I touched upon. But in this sense, it's not only the implant that's first stage, but it's also the implant that stages another malware that's namely Mafalda.

So Mafalda, similarly to metamain, I mean that's also a keyboard and mouse event logging. However, in contrast to metamain implements a lot more vector functionalities.

Aleksandar Milenkoski:
So in addition it does things like data and information theft, credential theft, Mimica style and so on. Again, talking to the C2, the same three modes tcp role, HTTP and named pipe. However, in the context of the TCP communication mode, Mafalda does not have to necessarily go through cryshell but can also talk to the remote C2 server on its own without the port knocking and the TCP authentication procedure that I just mentioned.

So in summary, in contrast, especially in contrast to MetaMain, Mafalda is a very feature rich backdoor. It's full of functionalities from an operational perspective and in the infection chains that we observed, the Mafalda implant is there. Its its primary goal is to enable this continuous communication with the operators with a method or threat actor with the C2 server. And in that sense, Mafalda extends MetaMain and especially the backdoor capabilities of the MetaMain implant.

We observe two variants of of Mafalda. One come out in April 2021, which we call the the old Mafalda and another one came out in December 2021, which we call the new Mafalda. Mind you, these are the compilation timestamps in the binaries, right? They can be faked of course, but we also observe some overlaps and some differences between those two versions at at binary level. Implementation level.

So first thing first that the new Mafalda variant, that which was compiled in December 2021, implements 13 more backdoor commands in contrast to the older one, which means that the backdoor functionalities of mafalda have been extended in the time period.

Aleksandar Milenkoski:
So among the new commands that we analyzed, we also observed evidence of a new implant, which we called the Linux implant informally in our in our research. So basically the role of that implant is that on Mafalda's request, it gathers data stolen from what we assumed from from Linux instances, sends them to Mafalda and Mafalda in turn in turn sends them to the to the remote C2 server. So we have kind of a data information test going on there.

Both Mafalda variants implement a set of anti analysis and anti detection techniques. However, the new variant comes with additional obfuscations and binary level. This is a topic that I will come back to in a second in a bit more detail.

In both Mafalda variants, we also observed evidence of good software design practices. So we are talking here about things like custom exception handlers, for example, to handle some critical software faults like bad memory allocations and so on. We also observed very well structured documentation for Mafalda users, which are actually the operators or in this context, the Metador threat actors.

So this led us to the conclusion that of course Mafalda is looks like a very active maintained project that is developed over time, especially in context of its backdoor capabilities, but even more importantly, so it looks like it's developed by a separate designated team for that purpose. And we especially observed this, we observed this in the in the command descriptions, in the string resources where they refer to the to the mafalda users as the operators.

Aleksandar Milenkoski:
Right. So it's this this implant probably has been developed by a designated team for that purpose. So it's developed not only at code level in context of the backdoor capabilities that I mentioned, but also even at infrastructure level, like the evidence of that being the Linux implant that that I just mentioned.

Coming back to the to the anti analysis techniques, as I mentioned before, Mafalda both variants, the new and the old one implement a lot of anti analysis anti detection techniques. Here's is a very brief selection. So for example, both of them can execute Syscalls directly. This is to evade NTDL hooks.

This is what the Mafalda implants referred to informally as the non naive syscall execution in contrast to the naive syscall execution, which goes through the typical NTDL syscall stubs where most of the products deploy hooks in.

We have backdoor commands that that can clear the Windows event logs through Windows API and also detection capabilities for a very huge variety of EDR systems and sensors, but also analysis tools like the Windows system internals is one example either windbag binary ninja and so on. So they probably wanted to give the capability to the operators to be aware when the implant has infected the machine, whether the people working with that machine has analytical skills or have EDR sensors installed. So this expresses the opsec savviness basically of the of the whole Mafalda infrastructure.

As I mentioned before, the new Mafalda variant is additionally obfuscated at binary level and this is something that made our analysis a bit more challenging.

Aleksandar Milenkoski:
So here are some examples. For example, the many function function prologs were preceded by huge code segments that were very heavily obfuscated and instructions in instruction level. So we are talking here like a huge jump sequences like trampolines uses instructions, overlapping instructions to mess up static analysis as well, and so on. Also, integer function parameters were calculated using as depicted here using long carried metrics before being passed as an actual to an actual function. This is mostly to to to confuse emulators. So in my experience that worked really well with the flair-emu emulator under certain configurations.

Also the string resources that the Mafalda implant constructs were encrypted, which proved to be a very, very effective anti analysis measure. So just to give you a more practical example, in the context of the old mafalda, we were able to extract all string resources, including the backdoor documentations that I mentioned, and also like the external program execution logs, which was extremely informative to us as analysts and gave us a huge push in that direction to analyze the malware faster and with a greater coverage. So that was not the case with the new Mafalda variant.

So just to just to summarize my part, the Mafalda implant seems to be a highly valued and highly protected resource in Metador arsenal and in the whole Metador toolset, this implant looks to be the main entity that's responsible to prevent detection. And the summary I will give now to the stage to Amitai, who will discuss a bit.

Amitai Ben Shushan Ehrlich:
So as Alex said, we were able to extract a very thorough commented documentation from Mafalda itself, and I want to read some interesting remarks to you.

This is the actual documentation the threat actor wrote. In this example, the Port Forward Connect Command establishes SSH connection from implant to a server, usually where tcpserver.py runs. This does not forward any ports yet.

So the first remark about the command documentation would be the language. The threat actor chose to document the entire thing in English, and his English is pretty good. It seems to be very fluent in English, possibly native. And the second thing would be the terminology. We all use the word implant, in the threat intelligence community. But I think it's quite rare to see a threat actor that refers to its own malware as implant in that context.

Another interesting thing would be the user argument in this specific command as well, which goes username for which the mistake is by the actor username for SSH connection. Make sure this user is not allowed to get a shell or do anything stupid.

That's a comment left out by the developers, which also emphasizes the segregation between the teams. There is probably a development team and an operator team. They leave out the comments to them and it also shows how much mafalda Metador or metador actors care about operational security as these things goes throughout the entire documentation.

Another interesting command that we saw and Alex also mentioned would be the Check EDR command. This is the command displays information about antivirus, which this week is called the Endpoint Detection and Response System. Now when someone works for Sentinel one, I took that personally, especially because we all know that antivirus this week is called XDR.

Juan Andres Guerrero-Saade:
Yeah.

Amitai Ben Shushan Ehrlich:
So all those jokes aside, all those remarks were very interesting in the context of the attribution of the threat actor and who is behind it. And Juan will talk about that a little bit further.

Juan Andres Guerrero-Saade:
All right. So let's kind of bring this whole thing together. And frankly, let me take a minute, sort of unscripted to say that Alex has massively undersold the effort that it took to reverse this thing. This was I was told to remove "impossible to reverse" to just "very challenging". Try it. I'll I'll I'll wait.

Amitai did a fantastic job discovering this thing. And we've tried our best to analyze this over the past eight months. We've talked to other folks in the industry, some of you here in the room who family, folks and different ISP's folks and different service providers, different research teams who have helped us however they could. But there is a real mystery here. This isn't us just sort of taking a victory lap. There's a genuinely concerning problem, which is we really don't know who we're dealing with and we're not being coy about being it being some friendly government or something like that. I think we're all at a bit of a loss for who it is that we're dealing with.

So truthfully, it is a mystery. There's a few things that I'll point you to at some point. They actually spit out in the mafalda clear build the compilation time as they had recorded it. But as Alex noticed, the DLL export timestamp is actually off by an hour in a way that possibly suggests UTC plus one at least in April. You know, who knows, maybe they were traveling.

Mafalda. I don't know how many of you are Hispanics? Spanish speakers. Mafalda is a fairly well known. It's kind of like a Cuidado cartoon. Like it's the political comic strips of the Hispanic world since the 1960s, coming from Argentina, from Fela's neck of the woods. And this is how you express sort of political sentiment through the eyes of like an innocent child. Right. And we all grew up with these cartoons. So it was always like this very interesting reference to see Mafalda kind of pulled up in this way to kind of foment that. Even though we talked about English speaking Dev's when Mafalda reaches out to the C two and the C two doesn't have anything to give back, it actually responds with the Spanish word nada, meaning nothing, you know, no content.

But at the same time, that doesn't mean they can't have varied interests. Right? So we we're looking through the samples. There's this really interesting couple of strings. You know, her eyes were cobalt red, her voice was cobalt blue. Anybody recognize that? All right, So I'm not alone. You know, I got some shit for not knowing this. That's a lyric from Sisters of Mercy, you know, nineties British pop punk band. Today I was corrected to say that it was some kind of goth, whatever band.

Juan Andres Guerrero-Saade:
Again, not my area, but clearly our operators enjoy them. Other little quirks that I'll point out at you right. There checking for all this software. They're enumerating a huge list of software. They're trying to understand what's happening in the system that they've infected. For folks that have Ida or Binja, apparently that's a big what the fuck moment for them. They really don't expect to be analyzed in any way.

More importantly, msbuild.exe they recognize as fellow hackers. So anybody who uses msbuild apparently is fitting developer for our Metador friends.

So I wanted to point out a bunch of things here real quick, because what we've done is just basically taken you through this slog of us trying to understand this very nebulous cloud of an actor. So a bunch of things for you to take away right there, separate devs and operators. There's multiple development teams. There's not just English speakers, but multiple English speakers. There's different idiosyncrasies, right? Some of us that are more academic in the way that we write, others that will lol and Winky face their way through the documentation. You have these Argentinian references or really Spanish references, Spanish C and C responses, you know, your pop punk lyrics, your UTC plus one, and it starts to it paints kind of a not very cohesive picture of who we might be dealing with.

Juan Andres Guerrero-Saade:
On another level. I would also point out that this isn't I don't think this is the cream of the crop team, but they're definitely an unusually well resourced team. They have very careful infrastructure segmentation, which has made it incredibly hard for us to figure out the span of their victims. You know, we're talking about telcos, ISPs, universities in multiple countries in the Middle East and Africa as far as we know. And that's really important because with a single VPS for every victim and every version of the platform, it is, it has proven nearly impossible for us to figure out just how many victims there actually are or what verticals they fully target.

A lot of intra network xcil bouncing so you don't have a bunch of machines all communicating to the same C2s. You've got custom port knocking sequences, not just with the C twos, but also amongst all the machines inside of that network. They're terrible at deconfliction, not only living in that magnet of threats for Amitai to find, but also in some of the other victims. They also cohabitate with other threat actors. I don't expect them to know some of them, but I think, you know, your muddy water is your emotion. Dragons like I think you can tell they're well resourced but pragmatic.

Juan Andres Guerrero-Saade:
I think that that's worth pointing out. Whenever we talk about one percenter APTs, we suffer from like rich kids syndrome. So, you know, we burn this platform, then we'll go to the next platform, we burn this 0-day, we've got another 0-day sitting around. That's not the case with these guys.

They've got multiple platforms that have been developed for years. They're very expensive, but they're also protecting them in interesting ways. And if you notice that CDB loader, it's a fantastic way to just swoosh right past native security solutions that might not find Microsoft debugger application suspicious.

So there's a lot of ways in which we see them sort of catapulting. And in pragmatic senses, it's an enabler. It's a set of operations that to us suggest espionage enablement, right? When you go after telcos and a lot of ways you're essentially sort of trying to move forward. And Alex pointed out that there's a Linux implant that we were not able to discover that we saw sort of the communications, the idea that they were looting stuff from these Linux implants. Keep in mind what a Linux machine does in a telco. That's where you really see the core network. The PBX is where all the real magic happens in a telco that isn't just a bunch of Windows machines. And more interestingly, instead of cleaning up, they just deployed this insane anti analysis stuff.

Juan Andres Guerrero-Saade:
That is a very unusual move. I think for anybody who knows that they're burn. Like the nuance that we're missing here. You go from April to December. What happens in December is the magnet of threats deploys our product and they retool all of mafalda to keep being their add commands and everything. But instead of cleaning up, I think they thought that these different non naive calls and so on, we're just going to allow them to operate without anybody noticing.

So it's fascinating that they would respond that quickly. I even a lot of the one percenters we mentioned at the beginning of this would not. So just keep that in mind as far as development goes.

So who is Metador? I'm really hoping that you're going to help us find out. So, all joking aside, we've put a very big publicly consumable report. But more importantly, we have another very big technical appendix as a living document. We're putting all the indicators out there. We want collaboration as much as possible. We're putting all the reversing notes, all the things that we've been able to work out. And we really hope that this conference will live up to its spirit and we can get everybody here to help us figure this one out. So happy hunting, folks, and thank you.

Sonix is the world’s most advanced automated transcription, translation, and subtitling platform. Fast, accurate, and affordable.

Automatically convert your mp4 files to text (txt file), Microsoft Word (docx file), and SubRip Subtitle (srt file) in minutes.

Sonix has many features that you’d love including world-class support, automated translation, secure transcription and file storage, advanced search, and easily transcribe your Zoom meetings. Try Sonix for free today.

About the Presenters

Juan Andrés Guerrero-Saade is Senior Director of SentinelLabs and an Adjunct Professor of Strategic Studies at Johns Hopkins School of Advanced International Studies (SAIS).
Amitai Ben Shushan Ehrlich is a Threat Intelligence Researcher at SentinelOne who specializes in threat intelligence, incident response and threat hunting.
Aleksandar Milenkoski is a Senior Threat Researcher at SentinelLabs, with expertise in reverse engineering, malware research, and threat actor analysis.

About LABScon

This presentation was featured live at LABScon 2022, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLabs.