A Mysterious New Hacking Group
Researchers from the research lab at SentinelOne have identified a new threat actor they have named Metador. Metador has infected a telecommunications company in the Middle East and multiple Internet service providers and universities in the Middle East and Africa. It is responsible for two "extremely complex" malware platforms, but a lot about the group that remains shrouded in mystery, according to new research revealed
This mysterious new threat group has left researchers baffled about who may be behind the campaign and where else they may be operating.
Metador uses sophisticated technical measures to deploy Windows-based malware implants and clever tricks to avoid detection, but despite months of inspecting the code, SentinelLabs researchers say there’s still no clear, reliable sense of attribution.
Researchers discovered variants of two long-standing Windows malware platforms and indications of an additional Linux implant.
The threat actor has reportedly infected a telecommunications company in the Middle East and multiple Internet service providers and universities located across the Middle East and Africa. In addition, the group may be responsible for two malware platforms described as extremely complex. Although SentinelLabs has reported this new information, most of the details concerning the group remains a mystery.
The group has been dubbed Metador due to a phrase “I am meta” that has been identified in malicious code used by the hacking group and the fact that the server messages are frequently in Spanish.
The researchers believe that the group has been in operation since December 2020, but until now it has been able to fly under the radar and avoid detection. SentinelLabs has released a blog post and technical details concerning the two malware platforms reportedly hosted by the threat group in hopes of identifying more victims that may have been infected. These platforms are named Mafalda and metaMain, according to SentinelLabs.
Based on a few findings in the code, however, some of the operators and developers appear to speak English as their native language, others appear to speak Spanish. Additionally, build times for some of the malicious components suggest the developers may be based in the UTC+1 timezone. These include many nations, including the UK and Spain.
It is possible that Metador may be the product of a contractor working on behalf of a nation-state, as there are signs the group was highly professional. Indeed, the members may have prior experience carrying out these kinds of attacks at this level.
The group is extremely well-resourced, as shown by the technical complexity of the malware, the group's advanced operational security to evade detection and the fact that it is under active development.
Kim Zetter: Dark Reading: Security Week: Sentinel One: Flipboard: Oodaloop:
You Might Also Read:
Significant Growth In State-Sponsored Cyber Attacks: