researchers-uncover-new-metador-apt-targeting-telcos,-isps,-and-universities
Share on facebook
Share on twitter
Share on linkedin
Share on email
News Category

Researchers Uncover New Metador APT Targeting Telcos, ISPs, and Universities

A previously undocumented threat actor of unknown origin has been linked to attacks targeting telecom, internet service providers, and universities across multiple countries in the Middle East and Africa.

“The operators are highly aware of operations security, managing carefully segmented infrastructure per victim, and quickly deploying intricate countermeasures in the presence of security solutions,” researchers from SentinelOne said in a new report.

The cybersecurity firm codenamed the group Metador in reference to a string “I am meta” in one of their malware samples and because of Spanish-language responses from the command-and-control (C2) servers.

The threat actor is said to have primarily focused on the development of cross-platform malware in its pursuit of espionage aims. Other hallmarks of the campaign are the limited number of intrusions and long-term access to targets.

This includes two different Windows malware platforms called metaMain and Mafalda that are expressly engineered to operate in-memory and elude detection. metaMain also acts as a conduit to deploy Mafalda, a flexible interactive implant supporting 67 commands.

metaMain, for its part, is feature-rich on its own, enabling the adversary to maintain long-term access, log keystrokes, download and upload arbitrary files, and execute shellcode.

In a sign that Mafalda is being actively maintained by its developers, the malware gained support for 13 new commands between two variants compiled in April and December 2021, adding options for credential theft, network reconnaissance, and file system manipulation.

Attack chains have further involved an unknown Linux malware that’s employed to gather information from the compromised environment and funnel it back to Mafalda. The entry vector used to facilitate the intrusions is unknown as yet.

What’s more, references in the internal commands documentation for Mafalda suggest a clear separation of responsibilities between the developers and operators. Ultimately though, Metador’s attribution remains a “garbled mystery.”

“Moreover, the technical complexity of the malware and its active development suggest a well-resourced group able to acquire, maintain and extend multiple frameworks,” researchers Juan Andres Guerrero-Saade, Amitai Ben Shushan Ehrlich, and Aleksandar Milenkoski noted.


Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Related News

Ukraine Says Russia Planning Massive Cyberattacks on its Critical Infrastructures

Ukraine Says Russia Planning Massive Cyberattacks on its Critical Infrastructures

The Ukrainian government on Monday warned of “massive cyberattacks” by Russia targeting critical infrastructure facilities located in the country and…
New NullMixer Malware Campaign Stealing Users' Payment Data and Credentials

New NullMixer Malware Campaign Stealing Users' Payment Data and Credentials

Cybercriminals are continuing to prey on users searching for cracked software by directing them to fraudulent websites hosting weaponized installers…
Experts Uncover 85 Apps with 13 Million Downloads Involved in Ad Fraud Scheme

Experts Uncover 85 Apps with 13 Million Downloads Involved in Ad Fraud Scheme

As many as 75 apps on Google Play and 10 on Apple App Store have been discovered engaging in ad…