Researchers Crowdsourcing Effort to Identify Mysterious Metador APT


Cybersecurity sleuths at SentinelLabs are calling on the wider threat hunting community to help decipher a new mysterious malware campaign hitting telcos, ISPs and universities in the Middle East and Africa.

The never-before-seen threat actor, called Metador, uses sophisticated technical measures to deploy Windows-based malware implants and clever tricks to avoid detection. Yet despite months of inspecting the code, SentinelLabs researchers say there is still no clear, reliable basis for attribution.

At the LABScon security conference, SentinelLabs malware hunters Juan Andres Guerrero-Saade, Amitai Ben Shushan Ehrlich, and Aleksandar Milenkoski shared technical artifacts associated with Metador and kick-started a crowdsourced effort to better understand the adversary.

“We urge defenders in targeted verticals, regardless of location, to check their telemetry for the possible presence of Metador components and to share samples and indicators with the broader research community,” the SentinelLabs team said.

The research team said attempts to attribute Metador ran into multiple roadblocks that prevented complete documentation of the threat actor.

From the Metador report: 

The research team said the hacking teams behind Metador are heavily focused on collection operations aligned with state interests, but noted there are indications this may be the work of a “high-end contractor arrangement” not tied to a specific country.

A technical appendix with IOCs and analysis of the toolset is publicly available for external groups to pick apart the notes, hunt for additional components and share findings in a crowdsourced project.

Metador isn’t the first enduring mystery in the advanced threat actor space, where highly skilled and well-resourced hacking teams operate.

Here’s a partial list, compiled with the help of expert malware hunter Costin Raiu, of major malware campaigns that remain unattributed, or where there are significant gaps in research knowledge:

-- TajMahal -- A sophisticated APT framework exposed in 2019 that included backdoors, loaders, orchestrators, command and control (C&C) communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptographic key stealers, and a file indexer. Despite this high level of sophistication, only a solitary TajMahal victim was found (a diplomatic entity from a country in Central Asia), suggesting a level of stealth that still leaves researchers dumbfounded. Project TajMahal also remains unattributed.

-- Strider/Sauron -- Strider, aka Sauron, was described as “the pinnacle of cyberespionage tools” and used a cocktail of zero-days and unknown, never-identified methods to deploy implants on .gov targets in several countries. The malware tools were capable of stealing information from air-gapped networks and supported multiple covert exfiltration channels over various protocols. As with TajMahal, Strider/Sauron remains unattributed, despite obvious signs suggesting the handiwork of nation state-backed hackers.

-- The Encrypted Gauss Payload -- Back in 2012, the Gauss campaign was caught hijacking passwords, banking credentials, and browser cookies from machines connected to Lebanese banks, the first signs of a nation state-backed malware campaign combining data theft with cyberespionage. An enduring mystery of Gauss is the use of a module named Godel that carries an encrypted payload. Kaspersky’s analysts found that the decryption key is derived from the names of directories under Program Files on the victim machine, so the payload only unpacks on a system with one specific configuration, and the sample itself contains nothing that identifies that configuration. To this day, no one has managed to break the Gauss payload encryption.

-- DarkUniverse -- This campaign was identified as the 27th function of a ShadowBrokers script included in the 2017 ‘Lost in Translation’ leak, a script designed to check infected machines for traces of other APTs. After operating a full cyber-espionage framework undetected for at least eight years, DarkUniverse’s creators suspended operations without ever being attributed.


By Ryan Naraine on Tue, 27 Sep 2022 18:44:39 +0000