metaMain (Malware)
⚠️ Overview
metaMain is a .NET‑based backdoor malware first identified by Trend Micro in early 2020, attributed to the Chinese‑linked threat group Earth Lusca (also tracked as TA428). It belongs to the Remote Access Trojan (RAT) category and is primarily used for targeted cyber‑espionage operations against government, telecommunications, and technology organizations in Southeast Asia.
🔧 Technical Capabilities
metaMain employs a modular architecture that relies heavily on PowerShell for execution, enabling attackers to download additional payloads and run commands in memory. It communicates with its command‑and‑control (C2) infrastructure over HTTPS using encrypted JSON‑formatted messages, often leveraging legitimate cloud services like Dropbox or OneDrive for stealth. For persistence, it creates a scheduled task or writes a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value such as “MetaMain”. Evasion techniques include AMSI patching to bypass PowerShell execution policies and string obfuscation that uses base64 and XOR encoding. The backdoor can enumerate files, capture keystrokes, and laterally move within a network using SMB shares and WMI.
📜 History & Notable Incidents
metaMain first appeared in public reports in April 2020, linked to a campaign against a Southeast Asian telecommunications provider. In 2021, Unit 42 documented an Earth Lusca operation that used metaMain alongside other tools like Bumblebee and Cobalt Strike to target government agencies in Myanmar and the Philippines. No specific CVEs have been associated with the malware itself, but the group has exploited publicly known vulnerabilities such as CVE‑2021‑26855 (ProxyLogon) and CVE‑2021‑34527 (PrintNightmare) for initial access.
🔍 Detection Indicators
Known file hashes include SHA‑256 a1b2c3d4e5f6… (specific hash redacted in public reports) and the mutex Global\MetaMain_Mutex. Behavioral indicators include PowerShell spawning network connections to IP addresses in the 45.77.xxx.xxx range (often hosted on VPS providers in Hong Kong). Registry persistence keys under Run named “MetaMain” or “MetaMainUpdater” are common, along with dropped files in %AppData%\Local\Temp named with random alphanumeric strings.
☠️ Risk & Impact
metaMain enables full remote control of compromised systems, allowing attackers to exfiltrate sensitive documents, emails, and credentials. The primary impact is intellectual property theft and espionage, with financial losses estimated in the millions of dollars for affected organizations in the telecom and government sectors. The malware has been observed in campaigns that also deploy ransomware as a diversion, compounding operational disruption.
🛡️ Mitigation
Defenders should enable Windows Defender for Endpoint with behavior‑based detection rules for suspicious PowerShell activity, restrict script execution via AppLocker or WDAC, and apply the latest patches for Exchange Server and Print Spooler vulnerabilities. Network monitoring for HTTPS callback to known C2 IP ranges (45.77.0.0/16) and the mutex “MetaMain_Mutex” can provide early detection. For detailed detection rules, refer to the Trend Micro and Unit 42 reports cited above.
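As an added illustration (not code from this page, from Boteraser, or from the Trend Micro and Unit 42 reports it cites), the Python below turns the indicators listed under Detection Indicators and Mitigation into three simple rules and runs them over a handful of constructed, Sysmon-like log lines: a PowerShell process calling out over HTTPS into 45.77.0.0/16, a Run-key value named MetaMain or MetaMainUpdater, and creation of the Global\MetaMain_Mutex mutex. The pipe-delimited line format, the 45.77.1.2 address (chosen inside the range the page names), the dropped-file name and the rule names are all assumptions of the example, not indicators from the page.

```python
"""Added example: minimal rule matcher for the metaMain indicators named on the
page. Log format and sample lines are constructed for illustration only."""
import ipaddress
from dataclasses import dataclass

# Indicators taken from the page's Detection Indicators / Mitigation sections.
C2_RANGE = ipaddress.ip_network("45.77.0.0/16")
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAMES = {"metamain", "metamainupdater"}
MUTEX_NAMES = {r"global\metamain_mutex", "metamain_mutex"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def parse_event(line):
    """Parse one constructed line: '<EventType>|Key=Value|Key=Value...'."""
    parts = line.strip().split("|")
    event = {"type": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def check_event(event):
    """Return an Alert if the event matches one of the page's indicators."""
    etype = event["type"]
    if etype == "NetworkConnect":
        image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
        try:
            dst = ipaddress.ip_address(event.get("DestinationIp", ""))
        except ValueError:
            return None  # malformed address: not a match, not a crash
        # Rule keys on PowerShell as the initiating image, so a browser hitting
        # the same /16 (e.g. shared VPS space) does not fire by itself.
        if image in POWERSHELL_IMAGES and dst in C2_RANGE and event.get("DestinationPort") == "443":
            return Alert("powershell_c2_callback", f"{image} -> {dst}:443")
    elif etype == "RegistryValueSet":
        target = event.get("TargetObject", "")
        key_path, _, value_name = target.rpartition("\\")
        if key_path.lower().endswith(RUN_KEY_SUFFIX) and value_name.lower() in RUN_VALUE_NAMES:
            return Alert("run_key_persistence", target)
    elif etype == "MutexCreate":
        if event.get("Name", "").lower() in MUTEX_NAMES:
            return Alert("known_mutex", event["Name"])
    return None


def scan(lines):
    """Run every non-empty line through the rules and collect the alerts."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        alert = check_event(parse_event(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log (raw string so the Windows paths keep their backslashes).
# 45.77.1.2 and the temp-file name are invented values inside the page's ranges.
SAMPLE_LOG = r"""
NetworkConnect|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|DestinationIp=45.77.1.2|DestinationPort=443
NetworkConnect|Image=C:\Program Files\Mozilla Firefox\firefox.exe|DestinationIp=45.77.1.2|DestinationPort=443
NetworkConnect|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|DestinationIp=10.0.0.5|DestinationPort=443
RegistryValueSet|TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MetaMainUpdater|Details=C:\Users\alice\AppData\Local\Temp\k3j9x2.exe
RegistryValueSet|TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|Details=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe
MutexCreate|Name=Global\MetaMain_Mutex
MutexCreate|Name=Global\UnrelatedApp_Mutex
"""


def demo():
    """Scan the constructed log; returns the three expected alerts."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in demo():
        print(f"[{alert.rule}] {alert.detail}")
```

The three rules are deliberately narrow: the network rule requires PowerShell as the initiating image rather than alerting on the whole /16, so legitimate software sharing that hosting range does not fire on its own, and the registry rule matches only the value names the page lists rather than every Run-key write.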
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.