
Metador

Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.(Citation: SentinelLabs Metador Sept 2022)
ID: G1013
Associated Groups: 
Created: 25 Jan 2023
Last Modified: 11 Apr 2024

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Metador has used HTTP for C2.(Citation: SentinelLabs Metador Sept 2022)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Metador has used the Windows command line to execute commands.(Citation: SentinelLabs Metador Sept 2022)

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Metador has established persistence through the use of a WMI event subscription combined with unusual living-off-the-land binaries such as `cdb.exe`.(Citation: SentinelLabs Metador Sept 2022)

Enterprise T1070 .004 Indicator Removal: File Deletion

Metador has quickly deleted `cdb.exe` (Microsoft's Console Debugger, the same binary used as a living-off-the-land loader) from a compromised host following the successful deployment of their malware.(Citation: SentinelLabs Metador Sept 2022)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Metador has encrypted their payloads.(Citation: SentinelLabs Metador Sept 2022)

Enterprise T1588 .001 Obtain Capabilities: Malware

Metador has used unique malware in their operations, including metaMain and Mafalda.(Citation: SentinelLabs Metador Sept 2022)

Enterprise T1588 .002 Obtain Capabilities: Tool

Metador has used Microsoft's Console Debugger in some of their operations.(Citation: SentinelLabs Metador Sept 2022)
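The persistence entry above (T1546.003, a WMI event subscription whose consumer launches `cdb.exe`) and the cleanup entry (T1070.004) together describe the practical hunting problem: after the loader binary is deleted, the subscription itself is often the only durable artifact left on the host. The script below is an added example, not code from SentinelLabs, ATT&CK or the group's tooling. It enumerates the permanent WMI subscriptions in `root/subscription`, resolves each filter-to-consumer binding, and flags consumers whose command line or script references an unusual living-off-the-land binary. It assumes an elevated PowerShell session on the Windows host being examined; the `$suspiciousBinaries` pattern is an illustrative list chosen here, not an indicator list from the report.

```powershell
# Added example: not from the SentinelLabs report or the ATT&CK entry.
# Enumerates permanent WMI event subscriptions (filter -> consumer bindings) on the
# local host and flags consumers that launch unusual binaries such as cdb.exe.
# Assumptions: runs elevated on Windows; $suspiciousBinaries is an illustrative
# pattern chosen for this example, not an indicator list from the report.

$ns = 'root/subscription'
$suspiciousBinaries = 'cdb\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|wscript\.exe|cscript\.exe|powershell|cmd\.exe'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # base class: returns every consumer subclass
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# A binding's Filter and Consumer properties are object references. Depending on
# the PowerShell/CIM version they surface either as CimInstance objects or as
# path strings such as __EventFilter.Name="MyFilter"; handle both forms.
function Get-RefName {
    param($Ref)
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $Ref
    }
    return $Ref.Name
}

$findings = foreach ($b in $bindings) {
    $fName    = Get-RefName $b.Filter
    $cName    = Get-RefName $b.Consumer
    $filter   = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
    $consumer = $consumers | Where-Object Name -eq $cName | Select-Object -First 1

    # CommandLineEventConsumer exposes CommandLineTemplate; ActiveScriptEventConsumer
    # exposes ScriptText. Other consumer classes (e.g. NTEventLogEventConsumer) have
    # neither, so their Action stays empty and they are never flagged.
    $action = $consumer.CommandLineTemplate
    if (-not $action) { $action = $consumer.ScriptText }

    [pscustomobject]@{
        Filter        = $fName
        Query         = $filter.Query              # WQL trigger, e.g. a timer or process-start event
        ConsumerClass = $consumer.CimClass.CimClassName
        Consumer      = $cName
        Action        = $action
        Suspicious    = [bool]($action -and ($action -match $suspiciousBinaries))
    }
}

# Flagged bindings first; review the Query to see what event re-launches the payload.
$findings | Sort-Object Suspicious -Descending | Format-List
```

On a clean Windows 10/11 host this typically returns a single benign binding (`SCM Event Log Filter` bound to `SCM Event Log Consumer`, an `NTEventLogEventConsumer`); anything beyond that warrants a look, and a `CommandLineEventConsumer` that invokes a debugger on a telecom or ISP server is not a normal administrative pattern. Because the loader binary is removed after deployment, a live-host check like this should be paired with retrospective telemetry: Sysmon event IDs 19, 20 and 21 record the creation of WMI filters, consumers and bindings respectively, so the subscription can be attributed to a time and parent process even after the on-disk artifacts are gone.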

Software

ID Name References Techniques
S1060 Mafalda (Citation: SentinelLabs Metador Sept 2022) (Citation: SentinelLabs Metador Technical Appendix Sept 2022) Port Knocking, Make and Impersonate Token, External Remote Services, Standard Encoding, Windows Command Shell, Clear Windows Event Logs, Modify Registry, Private Keys, Service Execution, Non-Application Layer Protocol, Local Data Staging, Data from Local System, Deobfuscate/Decode Files or Information, PowerShell, Internal Proxy, Process Discovery, Input Capture, Web Protocols, System Network Connections Discovery, Query Registry, Browser Information Discovery, Screen Capture, Exfiltration Over C2 Channel, Symmetric Cryptography, System Information Discovery, Ingress Tool Transfer, System Network Configuration Discovery, System Owner/User Discovery, Access Token Manipulation, Native API, File and Directory Discovery, Debugger Evasion, Security Software Discovery, Encrypted/Encoded File, LSASS Memory
S1059 metaMain (Citation: SentinelLabs Metador Sept 2022) (Citation: SentinelLabs Metador Technical Appendix Sept 2022) System Owner/User Discovery, Encrypted/Encoded File, Process Discovery, Local Data Staging, Non-Application Layer Protocol, Windows Management Instrumentation Event Subscription, Reflective Code Loading, Modify Registry, Deobfuscate/Decode Files or Information, Archive via Custom Method, Input Capture, Native API, Screen Capture, Web Protocols, Time Based Evasion, Data from Local System, File and Directory Discovery, Exfiltration Over C2 Channel, Internal Proxy, DLL Side-Loading, Ingress Tool Transfer, File Deletion, Keylogging, Symmetric Cryptography, Timestomp, Process Injection, Port Knocking, System Information Discovery
