1. Home
  2. Software
  3. metaMain

metaMain

metaMain is a backdoor used by Metador to maintain long-term access to compromised machines; it has also been used to decrypt Mafalda into memory.[1][2]

ID: S1059
Type: MALWARE
Platforms: Windows
Contributors: Massimiliano Romano, BT Security
Version: 1.1
Created: 24 January 2023
Last Modified: 11 April 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1546 .003 事件触发执行: Windows Management Instrumentation Event Subscription

metaMain registered a WMI event subscription consumer called "hard_disk_stat" to establish persistence.[1]
Enterprise T1005 从本地系统获取数据

metaMain can collect files and system information from a compromised host.[1][2]
Enterprise T1090 .001 代理: Internal Proxy

metaMain can create a named pipe to listen for and send data to a named pipe-based C2 server.[2]
Enterprise T1112 修改注册表

metaMain can write the process ID of a target process into the HKEY_LOCAL_MACHINE\SOFTWARE\DDE\tpid Registry value as part of its reflective loading activity.[2]
Enterprise T1573 .001 加密通道: Symmetric Cryptography

metaMain can encrypt the data that it sends and receives from the C2 server using an RC4 encryption algorithm.[1][2]
Enterprise T1574 .002 劫持执行流: DLL Side-Loading

metaMain can support an HKCMD sideloading start method.[2]
Enterprise T1620 反射性代码加载

metaMain has reflectively loaded a DLL to read, decrypt, and load an orchestrator file.[1]
Enterprise T1140 反混淆/解码文件或信息

metaMain can decrypt and load other modules.[1]
Enterprise T1113 屏幕捕获

metaMain can take and save screenshots.[1][2]
Enterprise T1071 .001 应用层协议: Web Protocols

metaMain can use HTTP for C2 communications.[1][2]
Enterprise T1560 .003 归档收集数据: Archive via Custom Method

metaMain has used XOR-based encryption for collected files before exfiltration.[1]
Enterprise T1074 .001 数据分段: Local Data Staging

metaMain has stored the collected system files in a working directory.[1][2]
Enterprise T1083 文件和目录发现

metaMain can recursively enumerate files in an operator-provided directory.[1][2]
Enterprise T1106 本机API

metaMain can execute an operator-provided Windows command by leveraging functions such as WinExec, WriteFile, and ReadFile.[1][2]
Enterprise T1205 .001 流量激活: Port Knocking

metaMain has authenticated itself to a different implant, Cryshell, through a port knocking and handshake procedure.[1]
Enterprise T1027 .013 混淆文件或信息: Encrypted/Encoded File

metaMain's module file has been encrypted via XOR.[2]
Enterprise T1070 .004 移除指标: File Deletion

metaMain has deleted collected items after uploading the content to its C2 server.[1][2]
.006 移除指标: Timestomp

metaMain can change the CreationTime, LastAccessTime, and LastWriteTime file time attributes when executed with SYSTEM privileges.[2]
Enterprise T1082 系统信息发现

metaMain can collect the computer name from a compromised host.[2]
Enterprise T1033 系统所有者/用户发现

metaMain can collect the username from a compromised host.[2]
Enterprise T1497 .003 虚拟化/沙盒规避: Time Based Evasion

metaMain has delayed execution for five to six minutes during its persistence establishment process.[2]
Enterprise T1105 输入工具传输

metaMain can download files onto compromised systems.[1][2]
Enterprise T1056 输入捕获

metaMain can log mouse events.[2]
.001 Keylogging

metaMain has the ability to log keyboard events.[1][2]
Enterprise T1057 进程发现

metaMain can enumerate the processes that run on the platform.[1][2]
Enterprise T1055 进程注入

metaMain can inject the loader file, Speech02.db, into a process.[1]
Enterprise T1041 通过C2信道渗出

metaMain can upload collected files and data to its C2 server.[2]
Enterprise T1095 非应用层协议

metaMain can establish an indirect and raw TCP socket-based connection to the C2 server.[1][2]

Groups That Use This Software

ID Name References
G1013 Metador

[1][2]

References

  1. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
  1. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.