A previously unknown threat actor that researchers have named ‘Metador’ has been breaching telecommunications companies, internet service providers (ISPs), and universities for about two years.
Metador targets organizations in the Middle East and Africa, and its purpose appears to be long-term persistence for espionage. The group uses two Windows-based malware families that have been described as “extremely complex,” but there are indications of Linux malware, too.
Analysis of the malware and the infrastructure did not reveal clues to attribute Metador with sufficient confidence, one characteristic of the group being that it is “highly aware of operations security.”
SentinelLabs notes in their report that Metador is “managing carefully segmented infrastructure per victim, and quickly deploying intricate countermeasures in the presence of security solutions.”
The commands include file operations, reading the contents of directories, manipulating the registry, reconnaissance of the network and the system, and exfiltrating data to the command and control (C2) server.
Mafalda is likely developed by a dedicated team of authors, as SentinelLabs saw comments in the code addressed to the operators.