
S1059 metaMain

metaMain is a backdoor used by Metador to maintain long-term access to compromised machines; it has also been used to decrypt Mafalda into memory. [1][2]

ID: S1059
Associated Names: (none listed)
Version: 1.0
Created: 24 January 2023
Last Modified: 05 April 2023

Techniques Used

Domain | ID | Name | Use
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | metaMain can use HTTP for C2 communications. [1][2]
enterprise | T1560 | Archive Collected Data | -
enterprise | T1560.003 | Archive via Custom Method | metaMain has used XOR-based encryption for collected files before exfiltration. [1]
enterprise | T1005 | Data from Local System | metaMain can collect files and system information from a compromised host. [1][2]
enterprise | T1074 | Data Staged | -
enterprise | T1074.001 | Local Data Staging | metaMain has stored the collected system files in a working directory. [1][2]
enterprise | T1140 | Deobfuscate/Decode Files or Information | metaMain can decrypt and load other modules. [1]
enterprise | T1573 | Encrypted Channel | -
enterprise | T1573.001 | Symmetric Cryptography | metaMain can encrypt the data that it sends to and receives from the C2 server using the RC4 encryption algorithm. [1][2]
enterprise | T1546 | Event Triggered Execution | -
enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | metaMain registered a WMI event subscription consumer called "hard_disk_stat" to establish persistence. [1]
enterprise | T1041 | Exfiltration Over C2 Channel | metaMain can upload collected files and data to its C2 server. [2]
enterprise | T1083 | File and Directory Discovery | metaMain can recursively enumerate files in an operator-provided directory. [1][2]
enterprise | T1574 | Hijack Execution Flow | -
enterprise | T1574.002 | DLL Side-Loading | metaMain can support an HKCMD sideloading start method. [2]
enterprise | T1070 | Indicator Removal | -
enterprise | T1070.004 | File Deletion | metaMain has deleted collected items after uploading the content to its C2 server. [1][2]
enterprise | T1070.006 | Timestomp | metaMain can change the CreationTime, LastAccessTime, and LastWriteTime file time attributes when executed with SYSTEM privileges. [2]
enterprise | T1105 | Ingress Tool Transfer | metaMain can download files onto compromised systems. [1][2]
enterprise | T1056 | Input Capture | metaMain can log mouse events. [2]
enterprise | T1056.001 | Keylogging | metaMain has the ability to log keyboard events. [1][2]
enterprise | T1112 | Modify Registry | metaMain can write the process ID of a target process into the HKEY_LOCAL_MACHINE\SOFTWARE\DDE\tpid Registry value as part of its reflective loading activity. [2]
enterprise | T1106 | Native API | metaMain can execute an operator-provided Windows command by leveraging functions such as WinExec, WriteFile, and ReadFile. [1][2]
enterprise | T1095 | Non-Application Layer Protocol | metaMain can establish an indirect and raw TCP socket-based connection to the C2 server. [1][2]
enterprise | T1027 | Obfuscated Files or Information | metaMain's module file has been encrypted via XOR. [2]
enterprise | T1057 | Process Discovery | metaMain can enumerate the processes that run on the platform. [1][2]
enterprise | T1055 | Process Injection | metaMain can inject the loader file, Speech02.db, into a process. [1]
enterprise | T1090 | Proxy | -
enterprise | T1090.001 | Internal Proxy | metaMain can create a named pipe to listen for and send data to a named pipe-based C2 server. [2]
enterprise | T1620 | Reflective Code Loading | metaMain has reflectively loaded a DLL to read, decrypt, and load an orchestrator file. [1]
enterprise | T1113 | Screen Capture | metaMain can take and save screenshots. [1][2]
enterprise | T1082 | System Information Discovery | metaMain can collect the computer name from a compromised host. [2]
enterprise | T1033 | System Owner/User Discovery | metaMain can collect the username from a compromised host. [2]
enterprise | T1205 | Traffic Signaling | -
enterprise | T1205.001 | Port Knocking | metaMain has authenticated itself to a different implant, Cryshell, through a port knocking and handshake procedure. [1]
enterprise | T1497 | Virtualization/Sandbox Evasion | -
enterprise | T1497.003 | Time Based Evasion | metaMain has delayed execution for five to six minutes during its persistence establishment process. [2]

Groups That Use This Software

ID | Name | References
G1013 | Metador | [1][2]