Metador Threat Group Targets Telcos, ISPs, and Universities


Adversaries Provide Long-Term, Redundant Access Into Networks

Prajeet Nair (@prajeetspeaks) • September 24, 2022

A never-before-seen advanced threat actor dubbed Metador is targeting telecommunications, internet service providers and universities in several countries in the Middle East and Africa for cyberespionage.


SentinelLabs researchers uncovered that the operators behind Metador were aware of “operations security, managing carefully segmented infrastructure per victim and quickly deploying intricate countermeasures in the presence of security solutions” and provide long-term access into networks in multiple redundant ways.

“We dubbed this threat actor ‘Metador’ in reference to the string ‘I am meta’ in one of their malware samples and the expectation of Spanish-language responses from the command-and-control servers,” researchers say.

Critical Findings

Researchers found two Windows-based malware platforms, metaMain and Mafalda, which Metador uses mainly to operate entirely in memory and evade native security detection.

metaMain is itself a feature-rich backdoor, say SentinelLabs researchers. In this case, however, Metador operators used the implant to decrypt a subsequent modular framework, Mafalda, into memory, and that framework is also a feature-rich backdoor.

Researchers say the metaMain implant enables long-term access to compromised machines and provides operators with functionality such as keyboard and mouse event logging, screenshot theft, file download and upload, and the ability to execute arbitrary shellcode.

Mafalda is an interactive implant, supporting over 60 commands and a highly valuable asset
