LABSCON – Scottsdale, Ariz. – A new threat actor that has infected a Middle Eastern telecommunications company and several ISPs and universities in the Middle East and Africa is responsible for two “extremely complex” malware platforms, but much about the group remains shrouded in mystery, according to new research revealed here today.
SentinelLabs researchers, who shared their findings at the first-ever LabsCon security conference, named the group Metador, based on the phrase “I am meta” that appears in the malicious code and the fact that the server messages are typically in Spanish. The group is believed to have been active since December 2020, but has successfully flown under the radar since then. Juan Andrés Guerrero-Saade, senior director of SentinelLabs, said the team shared information about Metador with researchers at other security firms and government partners, but no one knew anything about the group.
Guerrero-Saade and SentinelLabs researchers Amitai Ben Shushan Ehrlich and Aleksandar Milenkoski published a blog post and technical details about the two malware platforms, metaMain and Mafalda, in the hope that other defenders will recognize the tooling and identify additional victims. “We knew where they were, not where they are now,” Guerrero-Saade said.
metaMain is a backdoor that can log mouse and keyboard activity, take screenshots, and exfiltrate data and files. It can also be used to install Mafalda, a highly modular framework that lets attackers collect system and network information and add further capabilities through modules. Both metaMain and Mafalda operate exclusively in memory and do not write themselves to the system’s hard drive, which means disk-based scanning will not find them; detection depends on examining process memory and on network telemetry.
Mafalda’s name is believed to be inspired by Mafalda, a popular Spanish-language cartoon from Argentina that regularly comments on political issues.
Metador configured unique command-and-control IP addresses for each victim, ensuring that even if one C2 server is exposed, the rest of the infrastructure remains operational. This also makes it extremely difficult to find other victims. When researchers uncover attack infrastructure, they often find artifacts belonging to multiple victims on it, which helps map the scope of a group’s activities. Because Metador keeps each victim’s infrastructure separate, a compromised C2 server offers no pivot to other victims, and researchers have only a limited view of Metador’s operations and of what kinds of victims the group targets.
What the group doesn’t seem to mind, however, is sharing victims with other threat groups. The Middle Eastern telecommunications company that was one of Metador’s victims had already been compromised by at least 10 other nation-state attack groups, the researchers found. Many of the other groups appeared to be affiliated with China and Iran.
A system targeted by multiple threat groups at once is sometimes referred to as a “threat magnet,” since it attracts and hosts the different groups and their malware platforms simultaneously. Many nation-state actors take the time to remove traces of other groups’ infections, even going so far as to patch the bugs the other groups used, before conducting their own attack activities. The fact that Metador deployed its malware on a system already compromised (repeatedly) by other groups suggests that the group doesn’t care what the other groups might do, the SentinelLabs researchers said.
It is possible that the telecommunications company was a target valuable enough that the group was willing to accept a higher risk of detection, since the presence of several groups on the same system increases the likelihood that the victim will notice something wrong.
Although the group appears to be extremely well-resourced, as evidenced by the technical complexity of the malware, the group’s advanced operational security to avoid detection, and the fact that the tooling is under active development, Guerrero-Saade warned that this is not enough to establish nation-state involvement. It is possible that Metador is the product of a contractor working on behalf of a nation-state, as there are indications that the group is highly professional, Guerrero-Saade said. The members may also have previous experience carrying out attacks at this level, he noted.
“We view the discovery of Metador as a shark fin breaking the surface,” the researchers wrote, noting that they have no idea what’s going on underneath. “It’s a cause for alarm, underscoring the need for the security industry to proactively evolve toward detecting the true upper crust of threat actors currently traversing networks with impunity.”