Recently, a number of key infrastructure providers in Africa and the Middle East stumbled upon a threat actor towering over its low-effort peers. These insidious attacks are characterized by custom-built malware platforms, delivered via precise, segmented methods.
These attackers have already evaded victims for extended periods of time. Now, their discovery has sent ripples of fear throughout the world. ISP security solutions have painted the picture of a shark fin breaching the water’s surface
What is an APT
The unfortunate fact is that software will always contain exploits. Though this could keep the anxious security professional up at night, the industry’s saving grace is that most attackers operate under motivations that are mercifully simple.
Financial aims, for instance, drive attackers towards a quantity over quality approach. The weakest organizations may have unpatched vulnerabilities that stretch back decades; it’s these that automated attacks and hungry criminals will gladly strip bare. For most organizations, their defenses continue to be just good enough to avoid low-effort exploitation.
Advanced Persistent Threat (APT) actors turn this good-enough mentality on its head: these attackers use state-of-the-art, continuous access techniques to not only gain access to a system, but remain inside, completely undetected for prolonged periods of time.
APT attackers are often motivated politically, with many groups funded or operating directly under the commands of national governments. These groups undertake defined cybersec operations that push the objectives of the supporting country.
Earlier this year, a swathe of ISPs, telecommunication providers, and universities were found to be hosting a number of unique malware strains, the aim of which appeared to be persistent espionage. These instances were found primarily in African and Middle Eastern providers.
The tools in use were an eclectic mix of older, rudimentary techniques, alongside highly agile and industry-savvy implementation. The group’s primary focus: MetaMain and Mafalda. These are two custom-built malware platforms, aimed at Windows OS, which support vast swathes of escalation and payload detonation techniques.
MetaMain, the first of these, represents a feature-rich platform that aims to support and enforce long-term access. This also allowed for Metador to log keystrokes, transfer and execute files between systems, and execute shellcode. Finally, MetaMain acts as an auxiliary program to deploy Mafalda.
Mafalda represents Metador’s creme de la creme. This uber-flexible implant has native support for over 65 commands, including an impressively broad suite of ransomware and spyware capabilities. Metador’s expertise is reflected in their malware infrastructure, too. Both of these platforms install themselves on an infected device’s memory, as opposed to the disk drive that would be easier to detect and delete.
Alongside this, throughout Metador’s already extensive victim list, every single victim has been targeted via a unique command and control server. This greatly decreases the risk of discovery, as the detection of one victim lends researchers no further clues to any others.
Furthermore, when one telecom victim installed a detection system on their infected network, Metadordevs moved rapidly, shipping a retooled version and then engaging in heavy rounds of obfuscation to thwart analysis.
Metador: Still a Mystery
Though APTs are regularly funded by hostile governments, there is no such attribution on Metador’s head just yet. The name originates from a line included in the code, which stated “I am meta”; the second half of the name reflects clues that the devs, or attackers, could speak Spanish.
A number of different cultural references and languages throughout the coding suggests multiple developers have worked on this throughout its lifespan. Finally, despite a lack of discovered examples, the current software’s version history suggests a timeline of development that extends far longer than researchers have discovered.
Metador continues to baffle researchers. Despite the utmost care being displayed, the operators don’t seem to particularly care whether their victims are compromised by other attacking groups. One Middle Eastern telecoms victim was also host to ten other attacking groups, including China’s Moshen Dragon.
This is rare for APTs to allow cross-contamination of their victims: deconfliction is a process that usually runs just before deployment. This checks for the presence of other malware, and – if detected – shuts the attack down. The philosophy behind this is that, the more groups latching onto a target, the more likely the victim will be alerted to an attack.
Furthermore, it also increases the risk of infighting or theft between attacking groups. It’s possible for one attacker to steal the code, or related information, employed by other ATPs. Metador appear not to care about these risks, however.
An IPS for ISPs
Internet service providers manage huge swathes of personal information, alongside supporting millions of customers. This makes them particularly alluring targets, as they are fantastic platforms for supply chain and large scale spyware attacks.
ISP infrastructure must evolve with attackers, and modern, hyper-vigile ATPs require next-generation defenses. A major part of this is data and network visibility. Cloud-based and hybrid platforms can represent an insurmountable task for your security team; it can be incredibly difficult to discover remote resources called by specific cloud-based operations.
Cutting-edge security solutions provide automated data discovery and classification tools, which allow you to thoroughly assess your organization’s risk, alongside freeing up working hours that would be spent combing through assets. From edge devices used by remote-working employees, to core on-premise networks reserved for the highest level of security, your asset detection system must match your organization’s architecture exactly.
Alongside actively monitoring the state of your organization’s data, it’s vital that your security solution provider has a comprehensive and adaptive intrusion detection system. Traditional perimeter-based security models have been proven ineffective time and time again, which means modern security demands Intrusion Prevention Systems (IPS).
These automated systems focus on network and application behavior, not just pre-existing malware signatures. This way, even novel attacks from groups such as Metador are found, alerted, and eradicated.