A previously undetected threat operator that cybersecurity researchers have dubbed ‘Metador’ has been infiltrating universities, internet services providers (ISPs) and telecommunications for around two years.

With an aim of long-term network persistence for the purpose of espionage, Metador’s favoured targets are organisations based in Africa and the Middle East. The attack group employs two Windows-based malware solutions that researchers describe as “extremely complex”. However, there are some indications that Linux malware is also being used.

Cyber threat analysis

Researchers based at cybersecurity operation SentinelLabs encountered Metador at work in a telecommunications company situated in the Middle East. The organisation had a long history of attacks and had been breached previously by at least ten other threat operators from Iran and China, including infamous gangs like MuddyWater and Moshen Dragon.

Detailed analysis of the malicious software and the infrastructure used revealed no clues that allowed researchers to attribute Metador with any level of confidence. According to researchers, a defining characteristic of the threat group is that it is “highly aware of operations security.”

Researchers at SentinelLabs noted in their report that the threat actor is carefully managing segmented infrastructure for each victim, and swiftly deploying complicated countermeasures when security solutions are present.

Malicious activity uncovered

The team discovered Metador’s activities after the victim organisation deployed Singularity, the XDR solution designed by SentinelOne, many months after the threat group compromised its dedicated network.

As a result, details regarding the initial infection vector remain unavailable. The two Windows-based type malware frameworks, entitled ‘Mafalda’ and ‘metaMain’, run in system memory only, so that no unencrypted trace is left on the compromised system.

The customised implants were entirely decrypted and then loaded in memory via the Windows debugging tool “cdb.exe”.

Mafalda is a highly versatile implant that is capable of accepting up to 67 different commands, while its many layered obfuscation is designed to make it difficult to analyse in any detail.

The list of commands includes reconnaissance of system and the network, reading directory contents, file operations, manipulating the registry and exfiltrating data to a command-and-control server.

It is likely that Mafalda was developed by a specific team of authors, according to SentinelLabs, who discovered comments within the code that were addressed to operators.

The second Windows-based malware, the metaMain implant, is employed for a more “hands-on” approach. It handles operations such as taking screenshots, logging keystrokes, performing file actions, and supporting execution of arbitrary shellcode.

When they investigated further, the analytical team at SentinelLabs also found signs of a custom implant employed for internal network bouncing called ‘Cryshell’ along with a Linux tool with no name that is designed to steal data from workstations and feed them back to the Mafalda implant.

SentinelLabs remain unsure if the Linux tool and Cryshell are different but have drawn attention to the distinct difference in the handshake and port-knocking procedures during the authentication process with Mafalda, suggesting two separate tools.

These customised implants and the rigid segmentation of the cyberattack infrastructure makes trying to track Metador a particularly challenging prospect for analysts and security teams.