New Metador APT takes aim at telecom companies, ISPs and universities
A new malware, identified as Metador, is being used by attackers to target telecommunications, internet service providers and universities on multiple continents, according to security researchers at SentinelOne.
“The operators are highly aware of operations security managing carefully segmented infrastructure per victim, and quickly deploying intricate countermeasures in the presence of security solutions,” researchers from SentinelOne said in a new report.
The new threat group was discovered after one of the victims deployed Singularity, SentinelOne’s XDR detection and response platform, months after Metador had compromised its network.
Although Metador was found in a Middle Eastern telecommunications company, researchers said the operation aims at long-term persistence for cyber espionage against organizations in the Middle East and Africa.
Metador has not been attributed to any known group. SentinelLabs stated in its report that Metador is “managing carefully segmented infrastructure per victim and quickly deploying intricate countermeasures in the presence of security solutions.”
Details of the initial infection are not known, but the custom implants were decrypted and loaded into memory through cdb.exe, the Windows debugging tool, which was used in the attack as a LoLBin (living-off-the-land binary). It decrypted and loaded into memory two custom Windows malware frameworks, ‘metaMain’ and ‘Mafalda’.
The metaMain implant is used for “hands-on” operations such as taking screenshots, performing file actions, logging keyboard events, and executing arbitrary shellcode.
Mafalda is a versatile implant whose commands include file operations, reading the contents of files and directories, manipulating the registry, network and system reconnaissance, and exfiltrating data to the command and control (C2) server.
“We have artifacts pointing to late 2020, but it’s worth noting that the earliest variant of the Mafalda platform we were able to recover was already on build version 144. It’s likely that this group has been active for several years before anyone caught on,” said Guerrero-Saade, Senior Director of SentinelLabs.
The sources for this piece include an article in TheHackerNews.