- Internet service providers
It is very imperative for operators to have a clear understanding of the following three key points:
- Securing operations is an important aspect.
- Careful segmentation of the infrastructure per victim must be managed.
- Quick deployment of complex countermeasures even when security solutions are present.
As part of its pursuit of espionage interests, the threat actor has mostly focused on developing cross-platform malware for the purpose of obtaining information. Moreover, long-term access and a limited number of intrusions are hallmarks of the campaign.
There are a number of features that metaMain can offer on its own, including:-
- Maintain long-term access
- Log keystrokes
- Download arbitrary files
- Upload arbitrary files
- Execute shellcode
The attack chain has been further complicated by the involvement of a Linux malware that is unknown. While here from the compromised systems this malware gathers all the key information and transmits it back to the Mafalda implant.
However, till now, security experts were unaware of the entry vector that hackers are used to facilitate these intrusions.
Mafalda Backdoor Commands
Mafalda only offers the following commands as part of its newer variant:-
- Command 55: Copies a file or directory from an attacker-provided source filesystem location to an attacker-provided destination file system location.
- Command 60: Reads the content of “%USERPROFILE%AppDataLocalGoogleChromeUser DataLocal State
- and sends the content to the C2 with a name prefixed with loot.”
- Command 63: Conducts network and system configuration reconnaissance
- Command 67: Retrieves data from another implant that resides in the victim’s network and sends the data to the C2
A clear separation of responsibilities between the developers and operators of Mafalda can be seen from the documentation of the internal commands. As a result, Metador’s attribution will remain to be a mystery for the foreseeable future.
Apart from this, it appears from the internal documentation of Mafalda that a dedicated team of developers maintains and develops the implant on a continuous basis.