Metador
October 5, 2022
Topics
- Ransomware
A fairly new hacker group known as “Metador” has recently started gaining traction in the news. This group is interesting because its motives are not financial; instead, the group’s main goal appears to be long-term persistence and espionage. It is hypothesized that this group has been active for about 2-3 years, targeting mostly organizations in the Middle East and Africa.
This threat actor would have continued to go unnoticed if the team at SentinelLabs had not come across them. The hacker group was discovered when it went after a Middle Eastern telecom company. Luckily, this company had Singularity, SentinelOne's XDR detection and response solution, installed on its network. After some investigation, it was found that the organization had been compromised by the threat actors for several months. The hacker group gained access to the organization through “cdb.exe”, a common Windows debugging tool. This executable was used to load two pieces of malware known as “metaMain” and “Mafalda”.
MetaMain is malware used for a variety of hands-on operations on a target device. Some of the operations this malware can carry out are taking screenshots, logging keyboard events, and even launching arbitrary shellcode. The second piece of malware loaded onto the organization's network, Mafalda, also has many different capabilities. These include, but are not limited to, file operations, reading the contents of files and directories, manipulating data, and exfiltrating data to a C2 (command and control) server.
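The entry vector described above is a legitimate Windows debugger being used to load malware, which is the kind of activity endpoint telemetry can surface. The following is an added example of a triage filter over process-creation events, written for this page and not code from SentinelLabs or from the article; the CSV event format, the sample rows, the "expected" debugger install directories and the list of expected parent processes are all assumptions, and the events are constructed, not real telemetry from this incident.

```python
"""Flag executions of cdb.exe in constructed process-creation events.

Added example. The event layout (Image, ParentImage) loosely mirrors the
field names of a process-creation event; the expected directories and
parent processes below are assumptions for a developer workstation.
"""
import csv
import io
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Constructed sample events (not real telemetry): image path, parent image path.
SAMPLE_EVENTS = """\
Image,ParentImage
C:\\Windows\\System32\\svchost.exe,C:\\Windows\\System32\\services.exe
C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\cdb.exe,C:\\Windows\\explorer.exe
C:\\Users\\Public\\cdb.exe,C:\\Windows\\System32\\wscript.exe
C:\\Windows\\System32\\notepad.exe,C:\\Windows\\explorer.exe
"""

# Directories where a debugger is normally installed (assumption).
EXPECTED_DEBUGGER_DIRS = (
    "c:\\program files (x86)\\windows kits",
    "c:\\program files\\windows kits",
)

# Parents from which an interactive debugging session is plausible (assumption).
EXPECTED_PARENTS = ("explorer.exe", "cmd.exe", "powershell.exe", "devenv.exe")


def classify_event(image: str, parent_image: str) -> Optional[str]:
    """Return a finding label for one process-creation event, or None if not relevant.

    Only the process name is matched, so a renamed copy of the debugger is not
    caught by this filter; it narrows what an analyst reviews, it does not
    replace endpoint detection.
    """
    if PureWindowsPath(image).name.lower() != "cdb.exe":
        return None
    parent_name = PureWindowsPath(parent_image).name.lower()
    reasons = []
    if not image.lower().startswith(EXPECTED_DEBUGGER_DIRS):
        reasons.append("debugger outside expected install directory")
    if parent_name not in EXPECTED_PARENTS:
        reasons.append(f"unusual parent process {parent_name}")
    if not reasons:
        return "cdb.exe run from expected location (review only)"
    return "suspicious cdb.exe execution: " + "; ".join(reasons)


def scan_events(csv_text: str) -> List[Tuple[str, str]]:
    """Scan CSV process-creation events and return (image, finding) pairs."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        label = classify_event(row["Image"], row["ParentImage"])
        if label:
            findings.append((row["Image"], label))
    return findings


if __name__ == "__main__":
    for image, label in scan_events(SAMPLE_EVENTS):
        print(f"{label}\n    {image}")
```

Run as-is, the filter reports the debugger launched from its install directory as review-only and the copy launched from a public directory by a scripting host as suspicious; in practice the expected directories and parents should come from an inventory of where debuggers are actually installed in the environment.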
Researchers at SentinelLabs have come to a couple of conclusions about the group. The first is that the group is not very sophisticated, as the SentinelLabs team was able to determine that the hacker group uses a segmented architecture in which it has a different C2 server for each of its victims. This approach keeps the group protected in case one of the C2 servers is detected. The SentinelLabs team was also able to determine that the hacker group uses a Dutch hosting provider known as “LiteServer” for its C2 servers. One thing that surprised the researchers was how quickly the hackers were able to adapt. When the hackers became aware that the Middle Eastern telecom company had installed Singularity XDR, they pushed out a reconfigured version of their malware, which allowed them to avoid detection by the endpoint for as long as they did. This not only demonstrated their ability to adapt, but also made it clear that the threat actors have prior experience with advanced operational security.
At this time there is not enough information known about this group to determine the identities of the hackers or to conclude whether this is a state-sponsored group. Researchers have been able to infer that some of the hackers may speak Spanish, based on what was found in a couple of lines of code. Another clue found in the code of Mafalda was the lyrics of the song “Ribbons” by The Sisters of Mercy. These strange clues have not provided much clarity on the identity of this hacker group. One thing that does seem clear is that this is just the beginning for this group. It is likely that it will continue to make headlines in the near future.