Hide Navigation Hide TOC

Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)

Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.(Citation: SentinelLabs Metador Sept 2022)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970)	Attack Pattern	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	1
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970)	Attack Pattern	2
Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	2
Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	3
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	3
Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c)	Attack Pattern	Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd)	Attack Pattern	3
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	3
Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	3
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	3
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	3
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	3
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	3