Researchers at SentinelLabs have discovered a new, highly sophisticated threat actor that runs its malware entirely in memory, leaving no trace on the compromised host's disk.
They have named the actor Metador and its two Windows malware families 'metaMain' and 'Mafalda', the latter of which supports dozens of operator commands. The group has been observed targeting telecom companies, internet service providers, and universities in the Middle East, apparently for long-term espionage.
Metador Group Dissection
SentinelLabs researchers spotted the new actor lurking in the networks of ISPs, telecoms, and universities for months, most likely for long-term espionage. They named it Metador and describe it as highly sophisticated in its operations.
The actor specifically targets institutions in the Middle East. Researchers found it in a telecom company that had deployed their Singularity XDR solution only after Metador had already compromised the network, so they could not determine how exactly the threat actor gained initial access.
They further noted that Metador is "managing carefully segmented infrastructure per victim, and quickly deploying intricate countermeasures in the presence of security solutions."
On dissection, the group was found to use two Windows malware platforms, 'metaMain' and 'Mafalda', which run only in system memory and thus leave no trace on the compromised host's disk. Both are custom-built, and are decrypted and loaded into memory via 'cdb.exe', a legitimate Windows debugging tool that is increasingly abused in living-off-the-land-binary (LoLBin) attacks.
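Because the payload is only ever decrypted in memory, disk scanning will not find it; what remains visible is the debugger's own process creation and command line. The following Python sketch is an added example (not SentinelLabs' code and not Metador tooling) of the kind of process-telemetry check an analyst would write for cdb.exe abuse: it flags cdb.exe when it is told to run startup commands (cdb's documented -c and -cf switches) in a context that does not look like an interactive debugging session. The sample events are constructed to resemble Sysmon Event ID 1 fields; the field names, expected install paths, parent-process allowlist and user-writable prefixes are assumptions to be tuned per estate.

```python
"""Detection sketch: spot cdb.exe being used as a living-off-the-land loader.

Added example, not SentinelLabs code. Events are constructed to resemble
Sysmon Event ID 1 (process creation); paths, allowlists and field names are
assumptions for illustration.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Where the Debugging Tools for Windows are normally installed (assumed).
EXPECTED_CDB_DIRS = {
    r"c:\program files (x86)\windows kits\10\debuggers\x64",
    r"c:\program files (x86)\windows kits\10\debuggers\x86",
}

# Parents an interactive debugging session is usually launched from (assumed allowlist).
BENIGN_PARENTS = {"devenv.exe", "windbg.exe", "cmd.exe", "explorer.exe"}

# Directories a dropper or unprivileged user can write to (assumed list).
USER_WRITABLE_PREFIXES = (r"c:\users\public", r"c:\programdata", r"c:\windows\temp")

# cdb runs debugger commands at startup via -c "<commands>" and a script via
# -cf <file>; these documented switches are what make it usable as a loader.
STARTUP_SWITCH = re.compile(r"(?:^|\s)-(cf|c)(?=\s|$)", re.IGNORECASE)
SCRIPT_ARG = re.compile(r'(?:^|\s)-cf\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the parent process


@dataclass
class Verdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def _user_writable(path: str) -> bool:
    p = path.lower()
    return p.startswith(USER_WRITABLE_PREFIXES) or "\\appdata\\local\\temp\\" in p


def analyze(event: ProcessEvent) -> Verdict:
    """Return a verdict for one process-creation event."""
    if ntpath.basename(event.image).lower() != "cdb.exe":
        return Verdict(False)
    switch = STARTUP_SWITCH.search(event.command_line)
    if not switch:
        # Plain attach or launch with no startup commands: ordinary debugger use.
        return Verdict(False)
    context = []
    if ntpath.dirname(event.image).lower() not in EXPECTED_CDB_DIRS:
        context.append(f"cdb.exe running from unexpected path {event.image}")
    parent = ntpath.basename(event.parent_image).lower()
    if parent not in BENIGN_PARENTS:
        context.append(f"unusual parent process {parent}")
    m = SCRIPT_ARG.search(event.command_line)
    if m:
        script = m.group(1) or m.group(2)
        if _user_writable(script):
            context.append(f"startup script in user-writable location {script}")
    if not context:
        # Startup commands alone are normal for developers; need suspicious context.
        return Verdict(False)
    reasons = [f"cdb.exe executes startup commands via -{switch.group(1).lower()}"]
    return Verdict(True, reasons + context)


def scan(events: List[ProcessEvent]) -> List[Tuple[int, Verdict]]:
    """Return (index, verdict) for every event worth alerting on."""
    results = [(i, analyze(e)) for i, e in enumerate(events)]
    return [(i, v) for i, v in results if v.suspicious]


SAMPLE_EVENTS = [  # constructed, not real telemetry
    ProcessEvent(  # developer attaching from Visual Studio: benign
        r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
        r'"cdb.exe" -p 4212',
        r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"),
    ProcessEvent(  # script switch, but normal path, parent and script location: benign
        r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
        r"cdb.exe -cf init.txt notepad.exe",
        r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(  # copied binary, script parent, script in a public directory: loader
        r"C:\Users\Public\cdb.exe",
        r"C:\Users\Public\cdb.exe -cf C:\Users\Public\stage.wds -o notepad.exe",
        r"C:\Windows\System32\wscript.exe"),
    ProcessEvent(  # inline commands from a service parent: loader
        r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
        r'cdb.exe -c ".load C:\ProgramData\svc.dll; g" -pn svchost.exe',
        r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(verdict.reasons))
```

The design point is that a startup-command switch on its own is normal for developers; the alert fires only when it coincides with context that an interactive debugging session would not have (a relocated binary, a scripting or service parent, or a script staged in a world-writable directory). The same shape of rule translates directly into an EDR or SIEM query over the process-creation table.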
Mafalda supports 67 commands, including listing directories, manipulating the registry, performing network reconnaissance, and exfiltrating data to the attackers' command-and-control (C2) server.
Researchers also spotted a custom implant named 'Cryshell', used for pivoting within the internal network, and an unnamed Linux tool that steals data from workstations and channels it back to Mafalda.
All these elements make analysis harder, and researchers have so far been unable to attribute Metador to any known threat group. Given the custom implants and the strict segmentation of the attack infrastructure, however, they assess it to be the work of a nation-state-backed actor.