A Mysterious New Hacking Group

Researchers from the research lab at SentinelOne have identified a new threat actor they have named Metador. Metador has infected a telecommunications company in the Middle East and multiple Internet service providers and universities in the Middle East and Africa. It is responsible for two "extremely complex" malware platforms, but a lot about the group that remains shrouded in mystery, according to new research revealed 

This mysterious new threat group has left researchers baffled about who may be behind the campaign and where else they may be operating.

Metador uses sophisticated technical measures to deploy Windows-based malware implants and clever tricks to avoid detection, but despite months of inspecting the code, SentinelLabs researchers say there’s still no clear, reliable sense of attribution.

Researchers discovered variants of two long-standing Windows malware platforms and indications of an additional Linux implant.

The threat actor has reportedly infected a telecommunications company in the Middle East and multiple Internet service providers and universities located across the Middle East and Africa. In addition, the group may be responsible for two malware platforms described as extremely complex. Although SentinelLabs has reported this new information, most of the details concerning the group remains a mystery.

The group has been dubbed Metador due to a phrase “I am meta” that has been identified in malicious code used by the hacking group and the fact that the server messages are frequently in Spanish. 

The researchers believe that the group has been in operation since December 2020, but until now it has been able to fly under the radar and avoid detection. SentinelLabs has released a blog post and technical details concerning the two malware platforms reportedly hosted by the threat group in hopes of identifying more victims that may have been infected. These platforms are named Mafalda and metaMain, according to SentinelLabs.

Based on a few findings in the code, however, some of the operators and developers appear to speak English as their native language, others appear to speak Spanish. Additionally, build times for some of the malicious components suggest the developers may be based in the UTC+1 timezone. These include many nations, including the UK and Spain.

It is possible that Metador may be the product of a contractor working on behalf of a nation-state, as there are signs the group was highly professional. Indeed, the members may have prior experience carrying out these kinds of attacks at this level.

The group is extremely well-resourced, as shown by the technical complexity of the malware, the group's advanced operational security to evade detection and the fact that it is under active development. 

Kim Zetter:     Dark Reading:     Security Week:     Sentinel One:    Flipboard:    Oodaloop

You Might Also Read: 

Significant Growth In State-Sponsored Cyber Attacks:

 

« Lapsus$ Hit Uber
CYRIN Launches New Docker Lab »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Cienaga Systems

Cienaga Systems

Cienaga Systems is a leader in autonomous cyber threat hunting technology.

OneVisage

OneVisage

Our award-winning 3DAuth digital identity platform turns any consumer mobile device into a real-time 3D facial scanner that securely authenticates the user in seconds.

Cyber Defense Agency (CDA)

Cyber Defense Agency (CDA)

Cyber Defense Agency is a premier professional services firm specializing in cyber security, computer network defense, and information security.

Ritz

Ritz

Ritz is the largest holistic pure-play cyber security solutions provider in Myanmar.

Baffin Bay Networks

Baffin Bay Networks

Baffin Bay Networks operates globally distributed Threat Protection Centers™, offering DDoS protection, Web Application Protection and Threat Inspection.

SwiftSafe

SwiftSafe

SwiftSafe is a cybersecurity consulting company providing auditing, pentesting, compliance and managed security services.

International Accreditation Forum (IAF)

International Accreditation Forum (IAF)

The IAF is the world association of Conformity Assessment Accreditation Bodies. Its primary function is to develop a single worldwide programme of conformity assessment.

Elitecyber Group

Elitecyber Group

Elitecyber group is a team of Cyber Security recruitment experts who work for Cyber Security and Cyber Defence clients and candidates throughout Europe.

Rigado

Rigado

Rigado's mission is to enable commercial IoT success by providing high-performance secure and scalable wireless edge connectivity and network infrastructure.

Crosspring

Crosspring

Crosspring is an incubator/accelerator for people who have the ambition to start a successful business or want to extend their existing business in the areas of FinTech, AR, VR, Cybersecurity and SaaS

SOC Experts

SOC Experts

SOC Experts is a pioneer (we started SOC training well before people realized how big the domain was going to be) and the only institution to provide end-to-end training on Security Operations Centers

Kordia

Kordia

Kordia is a leading provider of mission-critical technology solutions throughout Australasia. We have the most comprehensive cyber security offering in New Zealand.

Perygee

Perygee

Perygee is a fully integrated platform for operational security. Companies depend on Perygee to identify and streamline the most important security practices for their operations.

META-Cyber

META-Cyber

META-cyber was founded by engineers with experience in process and control-protection to provide cyber security for industrial infrastructure.

CardinalOps

CardinalOps

The CardinalOps platform continuously assesses your detection posture and eliminates coverage gaps in your existing detection stack so you can easily implement a threat-informed defense.

CASwell

CASwell

Caswell is an industry-leading OEM/ODM specializing in networking, security, SD-WAN, NFV, telecommunication and IoT applications.