Researchers at SentinelLabs have discovered a threat actor identified as Metador which primarily targets universities, ISPs, and telecommunications in various Middle Eastern and African nations.
SentintelLabs researchers dubbed the organization Metador after the phrase 'I am meta' that exists in the malicious code as well as the fact that the server messages are often in Spanish. As per the findings revealed at the first-ever LabsCon security conference, the group is thought to have started operating in December 2020, but throughout the past few years, it has managed to remain undetected.
SentinelLabs senior director Juan Andrés Guerrero-Saade claimed that despite sharing information on Metador with experts at other security companies and government partners, no one was aware of the group.
SentinelLabs researchers found Metador in a Middle Eastern telecommunications business that had been hacked by roughly ten threat actors, including Moshen Dragon and MuddyWater, who all hail from China and Iran. Metador's goal appears to be long-term espionage inventiveness.
Along with two incredibly complex Windows-based viruses – "metaMain" and "Mafalda," that the gang uses – there are clues of Linux malware, according to the researchers at SentinelLabs.
The attackers loaded both malware into memory and decrypted it using the Windows debugging tool "cdb.exe."
Mafalda is a versatile implant that can support up to 67 commands. Threat actors have regularly updated it, and the more recent iterations of the threat are heavily disguised. The attacker can maintain a persistent connection, log keystrokes, download and upload arbitrary files, and run shellcode thanks to the robust feature set of metaMain, which is used independently.
Mafalda gained support for 13 new commands among two variations that were produced in April and December 2021, adding possibilities for credential theft, network espionage, and file system manipulation. This is proof that Mafalda is being actively developed by its developers.
Attack chains have also included unidentified Linux malware that is used to collect data from the infected environment and send it back to Mafalda. The intrusions' entrance vector has not yet been identified.
Running into Metador is a serious reminder that another category of threat actors still operates covertly and without consequence. Security product creators should seize the chance to actively design their products to keep an eye out for the most sophisticated, well-funded hackers.
