Mysterious New Hacking Group Leaves Researchers Baffled

The group, called Metador by the SentinelLabs researchers who discovered them, appears to be well-resourced and engaged in long-term espionage. But who is behind their operation is unclear.

Illustration from the Mafalda comic strip that is believed to have inspired the name of malware created by the Metador hacking group.

A mysterious new threat group responsible for hacking a telecom in the Middle East has left researchers baffled about who may be behind the campaign and where else they may be operating.

The group has been active since at least December 2020 and is responsible for two “extremely complex” malware platforms that have infected at least five different victims so far — in addition to the Middle East telecom, the victims include internet service providers and universities in the Middle East and Africa.

Researchers at SentinelLabs, who discovered the threat actor and its malicious tools in late 2021, are calling the group Metador — a play on a phrase “I am meta” that appears in their malicious code as well as the word “matador” (some of the members of the threat group appear to be native Spanish speakers).

Juan Andrés Guerrero-Saade, senior director of SentinelLabs, which is operated by the security firm SentinelOne, says the technical complexity of the malicious platforms, the advanced operational security the group employs to thwart detection and the fact that they appear to be actively modifying the platforms as needed suggests a well-resourced group is behind the operation. But this doesn’t necessarily mean a nation-state produced the malware.

Guerrero-Saade speculates that Metador may be the product of a contractor working on behalf of a nation state. He points to Dark Matter, a company based in the United Arab Emirates that hired former NSA hackers to develop spy tools for the UAE’s National Electronic Security Authority, or NESA (the UAE’s equivalent of the NSA). They helped create tools that allowed NESA to spy on dissidents and other Middle East nations, and he thinks Metador may be the product of a similar contractor.

Guerrero-Saade, who presented a talk about Metador at the LABScon conference in Scottsdale, Arizona, with colleagues Amitai Ben Shushan Ehrlich and Aleksandar Milenkoski, says he shared information about the threat actor with researchers at other security firms as well as with government partners and none have seen evidence of the group’s activity before. SentinelLabs is publishing a blog post and technical details about the platforms today in the hope that other security companies may find additional systems that have been infected by them.

SentinelLabs first encountered the group after the Middle East telecom, whom Guerrero-Saade declines to identify, installed a SentinelLabs threat detection system on their network last year. A subsequent investigation found that the telecom had been infected with two malicious platforms that operate entirely in memory on infected systems, rather than install themselves on a system’s hard disk where they might be more easily detected.

The two platforms are called metaMain and Mafalda. MetaMain is a backdoor that can be used on its own — it can log mouse and keyboard activity, grab screenshots, or exfiltrate data and files. Or it can be used to install Mafalda, a highly valuable and modular framework that gives the attackers additional functionality, including the ability to collect system and network information. Both platforms are in active development by the operators, so functionality can be expanded and revised as needed, the researchers say.

The operators behind the campaign are not particularly sophisticated, says Guerrero-Saade. But they have implemented good operational security by carefully segmenting their architecture. They set up different command and control servers for each victim — all of them hosted by LiteServer, a Dutch hosting provider — so that if one victim or command structure is discovered, it won’t automatically expose all of the victims or infrastructure. The threat actor also demonstrated an ability to make adjustments quickly when needed. When the Middle East telecom installed SentinelOne’s detection system on their network, the Metador actors quickly pushed out a re-tooled version of their malware and engaged in intense obfuscation techniques designed to thwart detection and analysis by researchers. This “swift adaptable response” set them apart from many other groups the researchers have observed.

But despite this care, the operators curiously didn’t seem to be concerned about one thing in particular — infecting systems already infected by other threat actors. The Middle East telecom infected by the Metador platforms was host to about ten other hacking groups, the researchers say, suggesting it was a high-value target. Several of these groups appear to be from China and several from Iran, including the well-known groups Moshen Dragon and Muddy Water, attributed to China and Iran respectively.

Nation state offensive hacking teams like those operated by the NSA and its allies generally don’t like to infect systems that are already occupied by other adversarial groups and will do de-confliction to detect their presence in a system before infecting it themselves. De-confliction involves running scans on the system to see if malware used by other known nation-state hacking groups is present. If other hacking groups are already on the system or network, it increases the chance that the victim will discover all of the groups (especially if one of the hacking groups is careless). There’s also a risk that the other hacking groups will steal the NSA’s tools or spy on their activity in the infected network in order to study how they operate or learn what information they’re interested in stealing from the system.

The fact that Metador deployed its valuable platforms on a system already crowded with other threat actors, however, suggests they either didn’t care if other actors were present or the infected telecom was such a valuable target it outweighed any risks.

As for who may be behind the activity, SentinelOne says there aren’t enough clues to determine this. Based on a few findings in the code, however, some of the operators and developers appear to speak English as their native language, others appear to speak Spanish. Additionally, build times for some of the malicious components suggest the developers may be based in the UTC+1 timezone. The latter encompasses many nations, but among those are the UK and Spain.
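
The article does not say how the build times were analysed; one common approach is to find the UTC offset under which compile timestamps best fit a weekday working day. The following is an added sketch of that approach, not SentinelLabs' code: the sample timestamps are constructed, and the 09:00-18:00 Monday-to-Friday window is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample build times in UTC (not real Metador data), as they
# would be read from a compile-timestamp field in each component.
SAMPLE_BUILD_TIMES_UTC = [
    "2021-03-01 08:05", "2021-03-01 13:40", "2021-03-02 09:30",
    "2021-03-02 16:55", "2021-03-03 10:15", "2021-03-04 08:45",
    "2021-03-04 15:20", "2021-03-05 11:10", "2021-03-05 16:30",
    "2021-03-08 12:00",
]


def parse_utc(text):
    """Parse 'YYYY-MM-DD HH:MM' as a timezone-aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def workday_score(stamps, offset_hours, start=9, end=18):
    """Count stamps that fall on Mon-Fri, start <= hour < end, at this offset."""
    shift = timedelta(hours=offset_hours)
    score = 0
    for ts in stamps:
        local = ts + shift
        if local.weekday() < 5 and start <= local.hour < end:
            score += 1
    return score


def infer_offset(stamps, offsets=range(-12, 15)):
    """Return (best_offset, score, tied_offsets) for the assumed workday.

    tied_offsets lists every offset that reaches the top score: with few
    samples many offsets tie and the result says little. Fixed offsets
    also ignore daylight saving, and compile timestamps can be forged,
    so treat the answer as a weak hint rather than attribution.
    """
    scores = {off: workday_score(stamps, off) for off in offsets}
    top = max(scores.values())
    tied = sorted((o for o, s in scores.items() if s == top), key=abs)
    return tied[0], top, tied


if __name__ == "__main__":
    stamps = [parse_utc(t) for t in SAMPLE_BUILD_TIMES_UTC]
    best, score, tied = infer_offset(stamps)
    print(f"best fit UTC{best:+d}: {score}/{len(stamps)} in window, ties={tied}")
```
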

There are two additional artifacts that are interesting, though it’s not clear they provide any clues about who is behind Metador. The first artifact is the name Mafalda itself. The developers may have derived it from an Argentinian political comic strip named for the politically progressive six-year-old girl that stars in the strip. The strip was popular throughout Latin America and elsewhere in the 60s and early 70s.

The second artifact is a song lyric the developers left in a part of their code: “her eyes were cobalt red, her voice was cobalt blue”. The lines come from the 1990 song "Ribbons" by The Sisters of Mercy, a British pop punk band popular in the 1980s.

In the end, there are more questions about Metador than answers. SentinelOne likens the discovery to “a shark fin breaching the surface of the water,” giving just a glimpse of what may lie beneath the surface.

“We believe that we’ve only seen a minor portion of the operations of what’s clearly a long-running threat actor of unknown origin,” the researchers note in a blog post about their finding.
