Metador

Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.[1]

ID: G1013
Contributors: Massimiliano Romano, BT Security; Sittikorn Sangrattanapitak
Version: 1.1
Created: 25 January 2023
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Metador has established persistence through the use of a WMI event subscription combined with unusual living-off-the-land binaries such as cdb.exe.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Metador has used the Windows command line to execute commands.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Metador has used HTTP for C2.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Metador has encrypted their payloads.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

Metador has quickly deleted cdb.exe from a compromised host following the successful deployment of their malware.[1]

Enterprise T1588 .001 Obtain Capabilities: Malware

Metador has used unique malware in their operations, including metaMain and Mafalda.[1]

.002 Obtain Capabilities: Tool

Metador has used Microsoft's Console Debugger (cdb.exe) in some of their operations.[1]

Enterprise T1105 Ingress Tool Transfer

Metador has downloaded tools and malware onto a compromised system.[1]

Enterprise T1095 Non-Application Layer Protocol

Metador has used TCP for C2.[1]
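The WMI event subscription persistence, the use of cdb.exe as the consumer payload, and the prompt deletion of cdb.exe afterwards together suggest a hunt over WMI subscription telemetry rather than over the binary on disk: by the time a responder looks, cdb.exe may be gone, but the filter, consumer and binding that launched it typically remain in root\subscription and in Sysmon WmiEvent records. The following is an added example, not code from the Metador report or the ATT&CK page. It assumes Sysmon WmiEvent records (Event ID 19 filter, 20 consumer, 21 binding) with their standard Name, Query, Type, Destination, Consumer and Filter fields; the sample events and the list of living-off-the-land binaries beyond cdb.exe are constructed assumptions.

```python
"""Hunt Sysmon WmiEvent telemetry for WMI event-subscription persistence whose
consumer launches a living-off-the-land binary such as cdb.exe.

Added example for this page; not code from the Metador report or from MITRE.
Event records and the binary list are constructed assumptions, not real data."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# cdb.exe comes from the text above; the rest are assumed additions covering
# other Microsoft-signed binaries commonly abused as WMI consumer payloads.
LOLBINS = {
    "cdb.exe", "ntsd.exe", "windbg.exe", "mshta.exe", "regsvr32.exe",
    "rundll32.exe", "wscript.exe", "cscript.exe", "powershell.exe",
}

_NAME_RE = re.compile(r'Name="([^"]+)"')


@dataclass
class Finding:
    filter_name: str
    consumer_name: str
    binary: str
    command: str
    query: str


def ref_name(ref: str) -> str:
    """Sysmon ID 21 stores references as e.g. CommandLineEventConsumer.Name="x";
    pull out the bare instance name so it can be joined to ID 19/20 records."""
    m = _NAME_RE.search(ref)
    return m.group(1) if m else ref


def lolbins_in(command: str) -> List[str]:
    """Return the LOLBIN basenames referenced anywhere in a command line.
    Splits on whitespace and quotes so quoted full paths are handled."""
    hits: List[str] = []
    for tok in re.split(r'[\s"\']+', command):
        base = tok.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in LOLBINS and base not in hits:
            hits.append(base)
    return hits


def find_lolbin_subscriptions(events: Iterable[Dict]) -> List[Finding]:
    """Join Sysmon WmiEvent records (19 = filter, 20 = consumer, 21 = binding)
    and report every binding whose consumer runs a binary in LOLBINS."""
    filters: Dict[str, str] = {}
    consumers: Dict[str, Tuple[str, str]] = {}
    bindings: List[Tuple[str, str]] = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 19:
            filters[ev["Name"]] = ev.get("Query", "")
        elif eid == 20:
            consumers[ev["Name"]] = (ev.get("Type", ""), ev.get("Destination", ""))
        elif eid == 21:
            bindings.append((ref_name(ev["Consumer"]), ref_name(ev["Filter"])))

    findings: List[Finding] = []
    for consumer, filt in bindings:
        _ctype, destination = consumers.get(consumer, ("", ""))
        for binary in lolbins_in(destination):
            findings.append(Finding(filt, consumer, binary, destination,
                                    filters.get(filt, "")))
    return findings


# Constructed sample: one suspicious subscription plus the stock SCM binding
# that exists on a default Windows install.
SAMPLE_EVENTS = [
    {"EventID": 19, "Name": "UpdaterFilter", "EventNamespace": "root\\CIMV2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
              "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' "
              "AND TargetInstance.SystemUpTime >= 240"},
    {"EventID": 20, "Name": "UpdaterConsumer", "Type": "Command Line",
     "Destination": '"C:\\Windows\\System32\\cdb.exe" -cf C:\\ProgramData\\up.txt -o notepad.exe'},
    {"EventID": 20, "Name": "SCM Event Log Consumer", "Type": "Event Log",
     "Destination": "Service Control Manager event"},
    {"EventID": 21, "Consumer": 'CommandLineEventConsumer.Name="UpdaterConsumer"',
     "Filter": '__EventFilter.Name="UpdaterFilter"'},
    {"EventID": 21, "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]

if __name__ == "__main__":
    for f in find_lolbin_subscriptions(SAMPLE_EVENTS):
        print(f"{f.filter_name} -> {f.consumer_name}: {f.binary} | {f.command}")
```

The join on binding records matters: an orphaned filter or consumer does nothing, so alerting only on a consumer that mentions cdb.exe produces noise from cleanup leftovers, while a bound pair is live persistence. On a host without Sysmon the same three classes can be pulled from the root\subscription namespace with Get-CimInstance and fed through the same logic.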

Software

ID Name References Techniques
S1060 Mafalda [1][2] Data from Local System, Proxy: Internal Proxy, Modify Registry, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, External Remote Services, Screen Capture, Application Layer Protocol: Web Protocols, OS Credential Dumping: LSASS Memory, Data Staged: Local Data Staging, Data Encoding: Standard Encoding, File and Directory Discovery, Unsecured Credentials: Private Keys, Native API, Query Registry, Traffic Signaling: Port Knocking, Browser Information Discovery, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: Clear Windows Event Logs, System Information Discovery, System Owner/User Discovery, System Services: Service Execution, System Network Connections Discovery, System Network Configuration Discovery, Access Token Manipulation: Make and Impersonate Token, Access Token Manipulation, Debugger Evasion, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Input Capture, Process Discovery, Exfiltration Over C2 Channel, Non-Application Layer Protocol
S1059 metaMain [1][2] Event Triggered Execution: Windows Management Instrumentation Event Subscription, Data from Local System, Proxy: Internal Proxy, Modify Registry, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Reflective Code Loading, Deobfuscate/Decode Files or Information, Screen Capture, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Custom Method, Data Staged: Local Data Staging, File and Directory Discovery, Native API, Traffic Signaling: Port Knocking, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, Indicator Removal: Timestomp, System Information Discovery, System Owner/User Discovery, Virtualization/Sandbox Evasion: Time Based Evasion, Ingress Tool Transfer, Input Capture, Input Capture: Keylogging, Process Discovery, Process Injection, Exfiltration Over C2 Channel, Non-Application Layer Protocol

References