The Mystery of Metador | An Unattributed Threat Hiding in Telcos, ISPs, and Universities
By Juan Andres Guerrero-Saade, Amitai Ben Shushan Ehrlich, and Aleksandar Milenkoski
– SentinelLabs researchers uncovered a never-before-seen advanced threat actor we’ve dubbed ‘Metador’.
– Metador primarily targets telecommunications, internet service providers, and universities in several countries in the Middle East and Africa.
– The operators are highly aware of operations security, managing carefully segmented infrastructure per victim, and quickly deploying intricate countermeasures in the presence of security solutions.
– Metador’s attack chains are designed to bypass native security solutions while deploying malware platforms directly into memory. SentinelLabs researchers discovered variants of two long-standing Windows malware platforms and indications of an additional Linux implant.
– At this time, there’s no clear, reliable sense of attribution. Traces point to multiple developers and operators who speak English and Spanish, alongside varied cultural references, including British pop punk lyrics and Argentinian political cartoons.
– While Metador appears primarily focused on enabling collection operations aligned with state interests, we’d point to the possibility of a high-end contractor arrangement not tied to a specific country.
This release is a call to action for threat intelligence researchers, service providers, and defenders to collaborate on tracking an elusive adversary acting with impunity.
The term ‘Magnet of Threats’ is used to describe targets so desirable that multiple threat actors regularly cohabitate on the same victim machine in the course of their collection. In the process of responding to a series of tangled intrusions at one of these Magnets of Threats, SentinelLabs researchers encountered an entirely new threat actor. We dubbed this threat actor ‘Metador’ in reference to the string “I am meta” in one of their malware samples and the expectation of Spanish-language responses from the command-and-control servers.
Our research on Metador was presented at the inaugural LABScon in Arizona. In this post, we offer a short summary of our full findings, which include a detailed report, threat indicators, and an extensive Technical Appendix.