
Metador: An Active Threat that Went Undetected for Years

SentinelOne researchers, while studying around 10 hacking groups, identified a previously unknown group, Metador, that had remained undetected for several years.

The group uses two pieces of malware: one specializes in multi-layered obfuscation, while the other is used for more hands-on activity, such as taking screenshots and logging keystrokes.

Metador’s targets?

Metador mainly targets telecoms, universities, and internet service providers in the Middle East and Africa. The group uses a single external IP address per victim, which makes it difficult to correlate its attacks across multiple victims by infrastructure alone.

About Metador

The Metador group is believed to operate in alignment with nation-state interests.
  • The threat group is named Metador after the string ‘I am meta’ found in one of its malware samples, together with Spanish-language responses from its C2 servers.
  • It has been active for around two years, and there are indications that ample resources have gone into developing and maintaining its tooling for cyberespionage operations.
  • The group was observed using variants of two Windows-based malware, metaMain and Mafalda, with hints of an additional Linux implant alongside a custom implant named Cryshell.

More about malware in use

metaMain and Mafalda operate fully in memory and never touch disk in unencrypted form, which lets them evade security products that rely on scanning files on disk.
  • metaMain is a backdoor used to decrypt the subsequent modular framework, Mafalda, in memory.
  • Mafalda appears to be a highly valuable implant to the threat actor: it supports over 60 commands, and its newer variants feature heavy obfuscation that makes detection even more challenging.

Conclusion

Metador’s signs of active development and its success in staying undetected for years are concerning. The technical indicators shared in the report give the wider threat intelligence community and other security agencies a starting point for understanding and detecting the threat.
Publisher: Cyware