Category: Threat Actor Activity | Industries: Academic, Internet Service Providers, Telecommunications | Level: Tactical | Source: SentinelOne

SentinelLabs researchers have observed activity from a new threat group, Metador. The group has targeted African and Middle Eastern organizations in the academic, telecommunications, and internet service provider verticals. Metador's operations are described as calculated: "The operators are highly aware of operations security, managing carefully segmented infrastructure per victim, and quickly deploying intricate countermeasures in the presence of security solutions." Intrusions can span months; in the infection SentinelOne observed, the original infection vector could not be identified. An in-memory implant was found that SentinelOne has named metaMain. The implant is executed through the LOLBin CDB (cdb.exe) along with a WMI event subscription, and an implant framework is used to maintain long-term access to compromised machines. metaMain provides operators with extensive functionality, such as keyboard and mouse event logging, screenshot theft, file download and upload, and the ability to execute arbitrary shellcode. Another implant used by the group, the Mafalda backdoor, adds to the capabilities available to metaMain, providing at least 67 commands including various anti-analysis techniques. Mafalda enables the threat actor to copy files and directories from the host, conduct system reconnaissance, gather credentials, exfiltrate data, and execute commands. Based on the limited information available, attribution cannot be assessed for the group; it is only known that the operators speak both English and Spanish.

Anvilogic Scenario:

  • WMI Subscription and CDB Execution

Anvilogic Use Cases:

  • WMI subscription execution
  • CDB Execution
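As an added illustration of the scenario and use cases above (example code written for this page, not Anvilogic's or SentinelOne's detection content), the following Python correlates constructed Sysmon-style events: WMI event subscription events (IDs 19, 20, 21) followed by a cdb.exe process creation on the same host within a time window. The event fields, hostnames, timestamps and the 30-minute window are assumptions for the example.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Sysmon event IDs for WMI event subscription activity: 19 = filter, 20 = consumer, 21 = binding.
WMI_SUBSCRIPTION_EIDS = {19, 20, 21}
WINDOW = timedelta(minutes=30)  # assumed: how long after a subscription event a cdb.exe launch is linked to it

# Constructed sample events for this example; not telemetry from the report.
SAMPLE_EVENTS = [
    {"ts": "2022-09-20T10:00:00", "host": "ws01", "eid": 19, "detail": "WmiEventFilter 'Updater'"},
    {"ts": "2022-09-20T10:00:01", "host": "ws01", "eid": 20,
     "detail": "CommandLineEventConsumer 'Updater': cdb.exe -cf C:\\Windows\\Temp\\a.txt"},
    {"ts": "2022-09-20T10:00:02", "host": "ws01", "eid": 21, "detail": "binding Updater -> Updater"},
    {"ts": "2022-09-20T10:02:00", "host": "ws01", "eid": 1,
     "image": "C:\\Program Files\\Windows Kits\\10\\Debuggers\\x64\\cdb.exe",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    {"ts": "2022-09-20T11:00:00", "host": "dev02", "eid": 1,  # a developer debugging a crash dump
     "image": "C:\\Program Files\\Windows Kits\\10\\Debuggers\\x64\\cdb.exe",
     "parent": "C:\\Windows\\explorer.exe"},
]


def basename(path):
    return PureWindowsPath(path).name.lower()


def is_cdb_execution(ev):
    return ev["eid"] == 1 and basename(ev["image"]) == "cdb.exe"


def is_wmi_subscription(ev):
    return ev["eid"] in WMI_SUBSCRIPTION_EIDS


def detect(events, window=WINDOW):
    """Return (use_case_hits, scenario_hits). A use-case hit is (host, name); a scenario hit
    fires when cdb.exe runs on a host within `window` of that host's last WMI subscription event."""
    use_cases, scenarios = [], []
    last_sub = {}  # host -> timestamp of the most recent WMI subscription event
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if is_wmi_subscription(ev):
            last_sub[ev["host"]] = t
            use_cases.append((ev["host"], "WMI subscription execution"))
        elif is_cdb_execution(ev):
            use_cases.append((ev["host"], "CDB Execution"))
            sub_t = last_sub.get(ev["host"])
            if sub_t is not None and t - sub_t <= window:
                # cdb.exe spawned by the WMI provider host is the strongest signal for this chain
                severity = "high" if basename(ev["parent"]) == "wmiprvse.exe" else "medium"
                scenarios.append({"host": ev["host"], "severity": severity,
                                  "scenario": "WMI Subscription and CDB Execution"})
    return use_cases, scenarios
```

The standalone cdb.exe launch on dev02 only raises the "CDB Execution" use case, while ws01 triggers the full scenario because the launch follows a subscription and is parented by WmiPrvSE.exe.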

