Security researchers today said they’ve discovered a never-before-seen advanced threat actor primarily targeting telecommunications, internet service providers and universities in several countries in the Middle East and Africa.
Dubbed “Metador” by researchers at SentinelOne Inc.’s SentinelLabs, the advanced persistent threat group is described as highly sophisticated and acutely aware of operations security, deploying intricate countermeasures to bypass security solutions and deploy malware platforms directly into memory. The group was found to be using variants of two longstanding Windows malware platforms, with indications of a Linux implant as well.
Metador was discovered by the researchers while delving through a “Magnet of Threats,” a term used to describe targets so desirable that multiple threat actors regularly cohabitate on the same victim machine. In responding to a series of tangled intrusions at a Magnet of Threats, the researchers found a layering of nearly 10 known threat actors of Chinese and Iranian origin but then noticed an unusual infection they had previously not seen: Metador.
Where the threat group comes from is unknown. There’s evidence that the developers and operators speak both English and Spanish, with cultural references to British pop punk lyrics and Argentinian political cartoons. The name Metador comes from a reference to the string “I am meta” in one of the malware samples and the expectation of Spanish-language responses from the command-and-control servers.
“The limited number of intrusions and long-term access to targets suggests that the threat actor’s primary motive is espionage,” the researchers noted. “Moreover, the technical complexity of the malware and its active development suggest a well-resourced group able to acquire, maintain and extend multiple frameworks.”
The only thing clear about the group is its sophistication. The obvious candidate is a state-sponsored actor, but Spanish speakers don’t typically come to mind with such hacking groups. To complicate matters, with the analysis of the Magnet of Threats sample, the researchers could not find the original infection vector employed.
Upon gaining access to a victim, Metador’s modular framework allows operators to choose between multiple execution flows. In the case of the Magnet of Threats, the execution flow combined a WMI persistence — a PowerShell script that can execute a payload from a remote location — with an unusual LOLbin, a Microsoft Console Debugger, dubbed “metaMain.”
MetaMain is described as a feature-rich backdoor implant to decrypt a subsequent modular framework called “Mafalda” into memory. Mafalda is described as flexible and interactive and supports more than 60 commands.
“Previous threat intelligence discoveries have broadened our understanding of the kind of threats that are out there but so far, our collective ability to track these actors remains inconsistent at best,” the researchers concluded. “Developers of security products, in particular, should take this as an opportunity to proactively engineer their solutions towards monitoring for the most cunning, well-resourced threat actors.”