Metador

Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.(Citation: SentinelLabs Metador Sept 2022)
ID: G1013
Associated Groups: 
Version: 1.1
Created: 25 Jan 2023
Last Modified: 11 Apr 2024

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

Metador has used HTTP for C2.(Citation: SentinelLabs Metador Sept 2022)

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Metador has used the Windows command line to execute commands.(Citation: SentinelLabs Metador Sept 2022)

Enterprise T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Metador has established persistence through the use of a WMI event subscription combined with unusual living-off-the-land binaries such as `cdb.exe`.(Citation: SentinelLabs Metador Sept 2022)

Enterprise T1070.004 Indicator Removal: File Deletion

Metador has quickly deleted `cdb.exe` from a compromised host following the successful deployment of their malware.(Citation: SentinelLabs Metador Sept 2022)

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

Metador has encrypted their payloads.(Citation: SentinelLabs Metador Sept 2022)

Enterprise T1588.001 Obtain Capabilities: Malware

Metador has used unique malware in their operations, including metaMain and Mafalda.(Citation: SentinelLabs Metador Sept 2022)

Enterprise T1588.002 Obtain Capabilities: Tool

Metador has used Microsoft's Console Debugger in some of their operations.(Citation: SentinelLabs Metador Sept 2022)
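The T1546.003 and T1588.002 entries above describe persistence through a permanent WMI event subscription whose consumer launches an unusual living-off-the-land binary (`cdb.exe`). The following hunting script is an added example, not code from this page or from the SentinelLabs report: it enumerates every filter-to-consumer binding in `root/subscription` on the local host, resolves the consumer's command line or script body, and flags any that reference a debugger binary. The watch list beyond `cdb.exe` and the `$watchList`/`$findings` names are assumptions for illustration; it assumes an elevated PowerShell 5.1 or later session.

```powershell
# Added hunting script (assumption: run elevated on the host under review).
# Lists all permanent WMI event subscriptions and flags consumers whose payload
# references a debugger / LOLBin such as cdb.exe.

# cdb.exe is the binary named on this page; the other Debugging Tools for Windows
# executables are added here as an assumption for illustration.
$watchList = @('cdb.exe', 'ntsd.exe', 'windbg.exe', 'kd.exe')

$ns = 'root/subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

$findings = foreach ($b in $bindings) {
    # Filter/Consumer on a binding are object references; resolve them to the
    # full instances by Name so the WQL query and the payload can be inspected.
    $f = $filters   | Where-Object Name -eq $b.Filter.Name   | Select-Object -First 1
    $c = $consumers | Where-Object Name -eq $b.Consumer.Name | Select-Object -First 1

    # The executable content lives in different properties per consumer class.
    $payload = switch ($c.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate; $c.ExecutablePath }
        'ActiveScriptEventConsumer' { $c.ScriptText; $c.ScriptFileName }
        default                     { '<non-command consumer>' }
    }
    $payload = ($payload | Where-Object { $_ }) -join ' '

    # Case-insensitive substring match against the watch list.
    $hit = $watchList | Where-Object { $payload -match [regex]::Escape($_) }

    [pscustomobject]@{
        Filter        = $b.Filter.Name
        Query         = $f.Query
        Consumer      = $b.Consumer.Name
        ConsumerClass = $c.CimClass.CimClassName
        Payload       = $payload
        Suspicious    = [bool]$hit
        MatchedBinary = ($hit -join ', ')
    }
}

# Suspicious bindings first, but every binding is listed so unknown consumers
# get reviewed rather than silently ignored.
$findings | Sort-Object Suspicious -Descending | Format-List
```

A clean host normally has very few bindings in `root/subscription`, so any CommandLineEventConsumer or ActiveScriptEventConsumer deserves a look regardless of the watch list. For continuous coverage rather than point-in-time hunting, Sysmon records filter, consumer and binding creation as Event IDs 19, 20 and 21, and the Microsoft-Windows-WMI-Activity/Operational log records new permanent subscriptions as Event ID 5861; alerting on those, together with process creation events where `cdb.exe` is the image, catches this persistence even after the attacker deletes the binary as described under T1070.004.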

Software

ID Name References Techniques
S1060 Mafalda
References: (Citation: SentinelLabs Metador Sept 2022) (Citation: SentinelLabs Metador Technical Appendix Sept 2022)
Techniques: Screen Capture, System Owner/User Discovery, Standard Encoding, Encrypted/Encoded File, External Remote Services, Local Data Staging, Symmetric Cryptography, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Modify Registry, Browser Information Discovery, Private Keys, Clear Windows Event Logs, LSASS Memory, System Network Configuration Discovery, File and Directory Discovery, System Network Connections Discovery, Port Knocking, Make and Impersonate Token, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Input Capture, Non-Application Layer Protocol, Query Registry, Security Software Discovery, Windows Command Shell, Access Token Manipulation, Web Protocols, Debugger Evasion, Ingress Tool Transfer, Service Execution, Internal Proxy

S1059 metaMain
References: (Citation: SentinelLabs Metador Sept 2022) (Citation: SentinelLabs Metador Technical Appendix Sept 2022)
Techniques: Screen Capture, System Owner/User Discovery, Keylogging, Encrypted/Encoded File, Archive via Custom Method, Local Data Staging, Symmetric Cryptography, DLL, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Time Based Evasion, Modify Registry, File and Directory Discovery, Port Knocking, Process Discovery, Windows Management Instrumentation Event Subscription, Exfiltration Over C2 Channel, Input Capture, Non-Application Layer Protocol, File Deletion, Web Protocols, Ingress Tool Transfer, Internal Proxy
