Researchers Uncover Mysterious 'Metador' Cyber-Espionage Group

Researchers from SentinelLabs laid out what they know about the attackers and implored the researcher community for help in learning more about the shadowy group.

photo of a shark's fin above the water
Source: Anna Phillips via Alamy Stock Photo

LABSCON – Scottsdale, Ariz. – A new threat actor that has infected a telecommunications company in the Middle East and multiple Internet service providers and universities in the Middle East and Africa is responsible for two "extremely complex" malware platforms — but a lot about the group that remains shrouded in mystery, according to new research revealed here today.

Researchers from SentintelLabs, who shared their findings at the first-ever LabsCon security conference, named the group Metador, based on the phrase "I am meta" that appears in the malicious code and the fact that the server messages are typically in Spanish. The group is believed to have been active since December 2020, but it has successfully flown under the radar over the past few years. Juan Andrés Guerrero-Saade, senior director of SentinelLabs, said the team shared information about Metador with researchers at other security firms and government partners, but no one knew anything about the group.

Guerrero-Saade and SentinelLabs researchers Amitai Ben Shushan Ehrlich and Aleksandar Milenkoski published a blog post and technical details about the two malware platforms, metaMain and Mafalda, in hopes of finding more victims who have been infected. "We knew where they were, not where they are now," Guerrero-Saade said.

MetaMain is a backdoor that can log mouse and keyboard activity, grab screenshots, and exfiltrate data and files. It can also be used to install Mafalda, a highly modular framework that provides attackers with the ability to collect system and network information and other additional capabilities. Both metaMain and Mafalda operate entirely in memory and do not install themselves on the system’s hard drive.

Political Comic

The malware’s name is believed to have been inspired by Mafalda, a popular Spanish-language cartoon from Argentina that regularly comments on political topics.

Metador set up unique IP addresses for each victim, ensuring that even if one command and control is uncovered, the rest of the infrastructure remains operational. This also makes it extremely difficult to find other victims. It's often the case that when researchers uncover attack infrastructure, they find information belonging to multiple victims — which helps map out the extent of the group's activities. Because Metador keeps its target campaigns separated, researchers have only a limited view into Metador's operations and what kind of victims the group is targeting.

What the group doesn't seem to mind, however, is mixing with other attack groups. The Middle Eastern telecommunications company that was one of Metador's victims was already compromised by at least 10 other nation-state attack groups, the researchers found. Many of the other groups appeared to be affiliated with China and Iran.

Multiple threat groups targeting the same system is sometimes referred to as a "magnet of threats," as they attract and host the various groups and malware platforms simultaneously. Many nation-state actors take the time to remove traces of infection by other groups, even going as far as patching the flaws the other groups used, before carrying out their own attack activities. The fact that Metador infected malware on a system already compromised (repeatedly) by other groups suggests that the group doesn't care about what the other groups would do, the SentinelLabs researchers said.

It's possible the telecommunications company was such as high-value target that the group was willing to take the risk of detection since the presence of multiple groups on the same system increases the likelihood that the victim will notice something wrong.

Shark Attack

While the group appears to be extremely well-resourced — as evidenced by the technical complexity of the malware, the group's advanced operational security to evade detection, and the fact that it is under active development — Guerrero-Saade warned that it wasn't enough to determine that there was nation-state involvement. It is possible that Metador may be the product of a contractor working on behalf of a nation-state, as there are signs the group was highly professional, Geurrero-Saade said. And the members may have prior experience carrying out these kinds of attacks at this level, he noted.

"We consider the discovery of Metador akin to a shark fin breaching the surface of the water," the researchers wrote, noting that they have no idea what is happening underneath. "It's a cause for foreboding that substantiates the need for the security industry to proactively engineer towards detecting the true upper crust of threat actors that currently traverse networks with impunity."

About the Author(s)

Fahmida Y. Rashid, Managing Editor, Features, Dark Reading

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights