A previously undocumented threat actor of unknown origin has been linked to attacks targeting telecom, internet service providers, and universities across multiple countries in the Middle East and Africa.
“The operators are highly aware of operations security, managing carefully segmented infrastructure per victim, and quickly deploying intricate countermeasures in the presence of security solutions,” researchers from SentinelOne said in a new report.
The cybersecurity firm codenamed the “pragmatic” group Metador in reference to a string “I am meta” in one of their malware samples and because of Spanish-language responses from the command-and-control (C2) servers.
The threat actor is said to have primarily focused on the development of cross-platform malware in its pursuit of espionage aims. Other hallmarks of the campaign are the limited number of intrusions and long-term access to targets.
This includes two different Windows malware platforms called metaMain and Mafalda that are expressly engineered to operate in-memory and elude detection. metaMain also acts as a conduit to deploy Mafalda, a flexible interactive implant supporting 67 commands.
metaMain, for its part, is feature-rich on its own, enabling the adversary to maintain long-term access, log keystrokes, download and upload arbitrary files, and execute shellcode.
In a sign that Mafalda is being actively maintained by its developers, the malware gained support for 13 new commands between two variants compiled in April and December 2021, adding options for credential theft, network reconnaissance, and file system manipulation.
Another notable tactic entails the use of unusual living-off-the-land (LotL) binaries – legitimate executables local to the operating system – to “kick off their execution chains in ways that fool native security solutions into whitelisting their attack chains,” the company said.
Attack chains have further involved an unknown Linux malware that’s employed to gather information from the compromised environment and funnel it back to Mafalda. The entry vector used to facilitate the intrusions is unknown as yet.
What’s more, references in the internal commands documentation for Mafalda suggest a clear separation of responsibilities between the developers and operators. Ultimately though, Metador’s attribution remains a “garbled mystery.”
“Moreover, the technical complexity of the malware and its active development suggest a well-resourced group able to acquire, maintain and extend multiple frameworks,” researchers Juan Andres Guerrero-Saade, Amitai Ben Shushan Ehrlich, and Aleksandar Milenkoski noted.
Although samples unearthed to date go back as far as late 2020, it’s currently not known how long the group has been operational. What’s amply clear is that Metador is highly selective of its targets and the toolkit isn’t changing hands freely.
“We have artifacts pointing to late 2020 but it’s worth noting that the earliest variant of the Mafalda platform we were able to recover was already on build version 144,” Guerrero-Saade, senior director of SentinelLabs, told The Hacker News. “It’s likely this group has been active for several years before anyone caught on.”