A previously undocumented threat actor of unknown origin has been linked to attacks targeting telecommunications, internet service providers and universities in several countries in the Middle East and Africa.
“Operators are highly aware of operational security, manage a carefully segmented infrastructure by victim, and rapidly deploy complex countermeasures in the presence of security solutions,” SentinelOne researchers said in a new report.
The cybersecurity firm gave the group the code name Metador, in reference to an “I am meta” string found in one of its malware samples and to the Spanish-language responses returned by its command-and-control (C2) servers.
The threat actor reportedly focuses mainly on developing cross-platform malware in pursuit of espionage goals. Other characteristics of the campaign are the small number of intrusions and the long-term access maintained to targets.
This includes two different Windows malware platforms called metaMain and Mafalda which are expressly designed to operate in memory and evade detection. metaMain also serves as a conduit to deploy Mafalda, a flexible interactive implant supporting 67 commands.
metaMain, on the other hand, is feature-rich, allowing the adversary to maintain long-term access, log keystrokes, upload and download arbitrary files, and execute shellcode.
In a sign that Mafalda is being actively maintained by its developers, the malware gained 13 new commands between two variants compiled in April and December 2021, adding options for credential theft, network reconnaissance and manipulation of the file system.
The attack chains have further involved unknown Linux malware which is used to gather information from the compromised environment and send it back to Mafalda. The entry vector used to facilitate the intrusions is still unknown.
Additionally, references in Mafalda’s internal command documentation suggest a clear separation of responsibilities between developers and operators. Ultimately though, Metador’s attribution remains a “muddled mystery”.
“Additionally, the technical complexity of the malware and its active development suggest a group with sufficient resources to acquire, maintain, and extend multiple frameworks,” noted researchers Juan Andres Guerrero-Saade, Amitai Ben Shushan Ehrlich, and Aleksandar Milenkoski.