Hide Navigation Hide TOC

Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)

Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.(Citation: SentinelLabs Metador Sept 2022)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970)	Attack Pattern	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	1
Metador - G1013 (bfc5ddb3-4dfb-4278-8928-020e1b3feddd)	Intrusion Set	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	2
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a)	Attack Pattern	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	2
metaMain - S1059 (df350889-4de9-44e5-8cb3-888b8343e97c)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970)	Attack Pattern	2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	2
Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7)	Attack Pattern	2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	2
External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	2
Mafalda - S1060 (3be1fb7a-0f7e-415e-8e3a-74a80d596e68)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd)	Attack Pattern	Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c)	Attack Pattern	3
DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	3
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	3
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	3
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	3
Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	3
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	3
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	3