Threat Actors Attack Telecom, ISP, & Universities Using Cross-platform Malware

Multiple reports describe attacks on several sectors in the Middle East and Africa by a previously undocumented threat actor of unknown origin. These attacks have affected the following sectors:

  • Telecom
  • Internet service providers
  • Universities

It is imperative for operators to have a clear understanding of the following three key points:

  • Securing operations is an important aspect.
  • Careful segmentation of the infrastructure per victim must be managed.
  • Quick deployment of complex countermeasures even when security solutions are present.

Infection Chain

As part of its pursuit of espionage interests, the threat actor has mostly focused on developing cross-platform malware for the purpose of obtaining information. Moreover, long-term access and a limited number of intrusions are hallmarks of the campaign.

Two different malware platforms targeting Windows are included:

  • metaMain
  • Mafalda 

Each of these platforms is specifically designed to operate in memory and hide its presence when in use. It should be noted that metaMain also acts as a conduit for the deployment of Mafalda.

This flexible implant can be programmed to respond to over 67 different commands and is designed to be interactive.

metaMain offers a number of features on its own, including:

  • Maintain long-term access
  • Log keystrokes
  • Download arbitrary files
  • Upload arbitrary files
  • Execute shellcode

The attack chain is further complicated by the involvement of an unknown Linux malware. This malware gathers all the key information from the compromised systems and transmits it back to the Mafalda implant.

However, security experts have so far been unaware of the entry vector that the hackers used to facilitate these intrusions.

Mafalda Backdoor Commands

Mafalda only offers the following commands as part of its newer variant:

  • Command 55: Copies a file or directory from an attacker-provided source filesystem location to an attacker-provided destination file system location.
  • Command 60: Reads the content of “%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Local State” and sends the content to the C2 with a name prefixed with “loot\”.
  • Command 63: Conducts network and system configuration reconnaissance
  • Command 67: Retrieves data from another implant that resides in the victim’s network and sends the data to the C2
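
The Command 60 description gives defenders a concrete file path to watch: any process other than Chrome itself reading Local State is worth a look. The Python below is an added example, not code from the article or the research it summarises; the JSON event format, its field names (host, process, path, access), the host names and the reader allowlist are constructed assumptions.

```python
import json
import re

# Path read by Command 60 (from the article), generalised to any user profile.
LOCAL_STATE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\google\\chrome\\user data\\local state$"
)
# Assumption: full paths of binaries expected to read the file; tune per environment.
ALLOWED_READERS = (
    re.compile(r"^[a-z]:\\program files( \(x86\))?\\google\\chrome\\application\\chrome\.exe$"),
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\google\\chrome\\application\\chrome\.exe$"),
)
# Constructed sample file-access events (hypothetical schema), one JSON object per line.
SAMPLE_EVENTS = r"""
{"host": "ws-01", "process": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State", "access": "read"}
{"host": "ws-02", "process": "C:\\Users\\bob\\AppData\\Local\\Temp\\chrome.exe", "path": "c:/users/bob/appdata/local/google/chrome/user data/local state", "access": "read"}
{"host": "ws-03", "process": "C:\\ProgramData\\updater\\svc.exe", "path": "C:\\Users\\carol\\AppData\\Local\\Google\\Chrome\\User Data\\Local State", "access": "read"}
{"host": "ws-03", "process": "C:\\ProgramData\\updater\\svc.exe", "path": "C:\\Users\\carol\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences", "access": "read"}
this line is not JSON
"""

def normalise(path):
    """Lower-case, unify separators and collapse repeated backslashes."""
    p = path.strip().replace("/", "\\").lower()
    return re.sub(r"\\{2,}", r"\\", p)

def suspicious_local_state_reads(lines):
    """Return (host, process) for reads of Local State by non-allowlisted binaries."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        if not isinstance(ev, dict) or ev.get("access") != "read":
            continue
        if not LOCAL_STATE.match(normalise(ev.get("path") or "")):
            continue
        proc = normalise(ev.get("process") or "")
        if not any(rx.match(proc) for rx in ALLOWED_READERS):  # full path, not just file name
            hits.append((ev.get("host"), ev.get("process")))
    return hits

if __name__ == "__main__":
    for host, proc in suspicious_local_state_reads(SAMPLE_EVENTS):
        print(f"ALERT {host}: {proc} read Chrome Local State")
```

Matching the reader on its full path rather than its file name is what catches the second sample event, where a binary named chrome.exe runs from a Temp directory.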

A clear separation of responsibilities between the developers and operators of Mafalda can be seen from the documentation of the internal commands. As a result, Metador’s attribution will remain a mystery for the foreseeable future.

Apart from this, it appears from the internal documentation of Mafalda that a dedicated team of developers maintains and develops the implant on a continuous basis.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.