Metador

Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.[1]

ID: G1013
Contributors: Massimiliano Romano, BT Security; Sittikorn Sangrattanapitak
Version: 1.1
Created: 25 January 2023
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Metador has used HTTP for C2.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Metador has used the Windows command line to execute commands.[1]

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Metador has established persistence through the use of a WMI event subscription combined with unusual living-off-the-land binaries such as cdb.exe.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

Metador has quickly deleted cdb.exe from a compromised host following the successful deployment of their malware.[1]

Enterprise T1105 Ingress Tool Transfer

Metador has downloaded tools and malware onto a compromised system.[1]

Enterprise T1095 Non-Application Layer Protocol

Metador has used TCP for C2.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Metador has encrypted their payloads.[1]

Enterprise T1588 .001 Obtain Capabilities: Malware

Metador has used unique malware in their operations, including metaMain and Mafalda.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

Metador has used Microsoft's Console Debugger in some of their operations.[1]

Software

ID Name References Techniques
S1060 Mafalda [1][2] Access Token Manipulation: Make and Impersonate Token, Access Token Manipulation, Application Layer Protocol: Web Protocols, Browser Information Discovery, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Data Encoding: Standard Encoding, Data from Local System, Data Staged: Local Data Staging, Debugger Evasion, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, External Remote Services, File and Directory Discovery, Indicator Removal: Clear Windows Event Logs, Ingress Tool Transfer, Input Capture, Modify Registry, Native API, Non-Application Layer Protocol, Obfuscated Files or Information: Encrypted/Encoded File, OS Credential Dumping: LSASS Memory, Process Discovery, Proxy: Internal Proxy, Query Registry, Screen Capture, Software Discovery: Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Traffic Signaling: Port Knocking, Unsecured Credentials: Private Keys
S1059 metaMain [1][2] Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Custom Method, Data from Local System, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Event Triggered Execution: Windows Management Instrumentation Event Subscription, Exfiltration Over C2 Channel, File and Directory Discovery, Hijack Execution Flow: DLL Side-Loading, Indicator Removal: File Deletion, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture, Input Capture: Keylogging, Modify Registry, Native API, Non-Application Layer Protocol, Obfuscated Files or Information: Encrypted/Encoded File, Process Discovery, Process Injection, Proxy: Internal Proxy, Reflective Code Loading, Screen Capture, System Information Discovery, System Owner/User Discovery, Traffic Signaling: Port Knocking, Virtualization/Sandbox Evasion: Time Based Evasion

References