LABSCON – Scottsdale, Arizona – A new threat actor that has infected a telecommunications company in the Middle East and several Internet service providers and universities in the Middle East and Africa is responsible for two “extremely complex” malicious platforms, but much about the group remains shrouded in mystery, according to new research revealed here today.
SentinelLabs researchers, who shared their findings at the first-ever LabsCon security conference, named the group Metador, based on the phrase “I am meta” that appears in the malicious code and the fact that server messages are usually in Spanish. The group is believed to have been active since December 2020, but has managed to fly under the radar for the past few years. Juan Andrés Guerrero-Saade, senior director of SentinelLabs, said the team shared information about Metador with researchers at other security companies and with government partners, but no one knew anything about the group.
Guerrero-Saade and SentinelLabs researchers Amitai Ben Shushan Ehrlich and Aleksandar Milenkoski published a blog post and technical details on both malware platforms, metaMain and Mafalda, in hopes of finding more infected victims. “We knew where they were, not where they are now,” Guerrero-Saade said.
metaMain is a backdoor that can record mouse and keyboard activity, take screenshots, and exfiltrate data and files. It can also be used to install Mafalda, a highly modular framework that gives attackers the ability to gather system and network information, among other features. metaMain and Mafalda operate entirely in memory and write nothing to the system’s hard drive.
The Mafalda name is believed to have been inspired by Mafalda, a popular Spanish-language cartoon from Argentina that regularly comments on political topics.
Metador has configured unique IP addresses for each victim, ensuring that even if one command-and-control server is discovered, the rest of the infrastructure remains operational. This also makes it extremely difficult to find other victims. Often when researchers uncover attack infrastructure, they find information belonging to multiple victims, which helps map the scope of a group’s activities. Because Metador keeps its targeted campaigns separate, researchers have only a limited view of Metador’s operations and of the type of victims the group is targeting.
What the group doesn’t seem to mind, however, is sharing compromised systems with other attack groups. The Middle Eastern telecommunications company that was one of Metador’s victims had already been compromised by at least 10 other nation-state attack groups, the researchers found. Many of the other groups appeared to be affiliated with China and Iran.
Systems targeted by multiple threat groups are sometimes referred to as “threat magnets” because they simultaneously attract and harbor different groups and malware platforms. Many nation-state actors take the time to eliminate traces of infection by other groups, even going so far as to fix the vulnerabilities those groups used, before carrying out their own attack activities. The fact that Metador deployed its malware on a system already compromised (repeatedly) by other groups suggests that the group doesn’t care what the other groups might do, the SentinelLabs researchers said.
It is possible that the telecommunications company was such a valuable target that the group was willing to take the risk of being detected, since having multiple groups on the same system increases the likelihood that the victim will notice something unnatural.
While the group appears to be extremely well-resourced – as evidenced by the technical complexity of the malware, the group’s advanced operational security to evade detection, and the fact that the malware is under active development – Guerrero-Saade warned that this was not enough to determine that there was nation-state involvement. It’s possible that Metador was the product of a contractor working on behalf of a nation-state, as there are signs the group is highly professional, Guerrero-Saade said. Its members may also have previous experience in carrying out these types of attacks at this level, he noted.
“We view the Metador discovery as a shark fin piercing the surface of the water,” the researchers wrote, noting that they have no idea what is going on below. “This is a cause for apprehension that justifies the need for the security industry to proactively engineer detection of the true upper layer of threat actors currently traversing networks with impunity.”