December 6, 2023

Security researchers discovered an advanced threat actor dubbed Metador, primarily targeting telecommunications, internet service providers, and universities in several countries in the Middle East and Africa.

The group was found to be using variants of two longstanding Windows malware platforms, with indications of a Linux implant as well. In responding to a series of tangled intrusions, the researchers found a layering of nearly 10 known threat actors of Chinese and Iranian origin but then noticed an unusual infection they had previously not seen: Metador.


The name Metador comes from a reference to the string “I am meta” in one of the malware samples and the expectation of Spanish-language responses from the command-and-control servers.

Upon gaining access to a victim, Metador’s modular framework allows operators to choose between multiple execution flows. In the case of the Magnet of Threats, the execution flow combined WMI persistence with an unusual LOLbin, the Microsoft Console Debugger, to load an implant dubbed metaMain.

metaMain is described as a feature-rich backdoor implant that decrypts a subsequent modular framework called “Mafalda” into memory. Mafalda is described as flexible and interactive and supports more than 60 commands.
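For defenders, the WMI-plus-debugger execution flow described above can be hunted in process-creation telemetry. The following is an added example, not code from the original post or from the researchers: it assumes Sysmon-style field names (Image, ParentImage, ProcessGuid, ParentProcessGuid), the debugger binary name cdb.exe, the WMI host process names and the Windows Kits install path, and all sample events are constructed.

```python
from ntpath import basename  # parses Windows paths on any OS

DEBUGGER = "cdb.exe"                          # Microsoft Console Debugger
WMI_HOSTS = {"wmiprvse.exe", "scrcons.exe"}   # hosts that run WMI event consumers
SDK_DIR = "\\windows kits\\"                  # assumed legitimate install location

def find_suspicious_debugger(events):
    """Return [(ProcessGuid, reasons)] for debugger launches worth triaging."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["Image"]).lower() != DEBUGGER:
            continue
        reasons = []
        if SDK_DIR not in e["Image"].lower():
            reasons.append("debugger outside SDK directory")
        # Walk up the ancestry: a WMI host anywhere above the debugger suggests
        # it was started by a WMI event consumer, not by a developer.
        guid, image, seen = e["ParentProcessGuid"], e["ParentImage"], set()
        while image:
            if basename(image).lower() in WMI_HOSTS:
                reasons.append("WMI host in process ancestry")
                break
            parent = by_guid.get(guid)
            if parent is None or guid in seen:  # unknown parent or loop
                break
            seen.add(guid)
            guid, image = parent["ParentProcessGuid"], parent["ParentImage"]
        if reasons:
            hits.append((e["ProcessGuid"], reasons))
    return hits

def event(guid, image, parent_guid, parent_image):
    """Build one process-creation record (hypothetical helper for the samples)."""
    return {"ProcessGuid": guid, "Image": image,
            "ParentProcessGuid": parent_guid, "ParentImage": parent_image}

# Constructed sample events (not taken from the research).
SAMPLE_EVENTS = [
    event("g1", r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
          "g0", r"C:\Windows\System32\cmd.exe"),
    event("g3", r"C:\Windows\System32\cmd.exe",
          "g2", r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    event("g4", r"C:\Windows\System32\cdb.exe",
          "g3", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for guid, reasons in find_suspicious_debugger(SAMPLE_EVENTS):
        print(guid, "; ".join(reasons))
```

The developer-launched debugger (g1) is not flagged, while the copy reached through a WMI host (g4) is reported with both reasons.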

The limited number of intrusions and long-term access to targets suggest that the threat actor’s primary motive is espionage. The technical complexity of the malware and its active development suggest a well-resourced group able to acquire, maintain and extend multiple frameworks.

The only thing clear about the group is its sophistication. In analyzing the Magnet of Threats sample, the researchers could not identify the original infection vector.


Developers of security products should take this as an opportunity to proactively engineer their solutions toward monitoring the most cunning, well-resourced threat actors.

This research was documented by researchers from SentinelOne Labs.

Indicators of Compromise

