Attacks on colleges, telecom companies, and internet service providers have been attributed to an unidentified threat actor. The threat actor with a history of operating in the Middle East and Africa.
In a recent analysis, researchers from SentinelOne claimed that “the operators are extremely conscious of operations security. They manage tightly segmented infrastructure per victim, and immediately install complicated countermeasures in the presence of security solutions.”
The cybersecurity company gave the organization the codename Metador in reference to the string “I am meta” found in one of their malware samples and because the command-and-control (C2) servers’ responses were in Spanish.
According to reports, the threat actor’s primary objective in the development of cross-platform malware was espionage. Long-term access to targets and a minimal number of intrusions are further characteristics of the campaign.
The two Windows malware platforms metaMain and Mafalda, which are specifically designed to run in memory and avoid detection, are examples of this. The versatile interactive implant Mafalda, which can accommodate 67 commands, is also made available through metaMain.
The Issues
The attacker can maintain persistent access, log keystrokes, download and upload arbitrary files, and execute shellcode thanks to the robust feature set of metaMain, which is used independently.
Mafalda gained support for 13 new commands between two variations that were produced in April and December 2021. Adding possibilities for credential theft, network reconnaissance, and file system manipulation. This is evidence that Mafalda is being actively developed by its developers.
Attack chains have also included unidentified Linux malware used to collect data from the infected environment and send it back to Mafalda. The intrusions’ entrance vector has not yet been identified.
Additionally, references in the internal Mafalda command documentation imply a distinct division of duties between the developers and operators. However, Metador’s identification is still a “garbled enigma.”
Researchers Juan Andre Guerrero-Saade, Amitai Ben Shushan Ehrlich, and Aleksandar Milenkoski wrote, “Moreover, the technical complexity of the malware and its active development reflect a well-resourced gang able to purchase, manage, and extend numerous frameworks.”
