Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.



08:05 AM
Larry Loeb
Larry Loeb
Larry Loeb

Metamorfo Trojan Revamped to Evade Antivirus Protections

The Metamorfo Trojan, which has targeted banks and other financial institutions in Brazil, has been revamped by threat actors to better evade antivirus and other security protections.

Security efforts can feel like a battle -- full of actions and counteractions that lead to some sort of resolution. It's tempting to see this as the end of the problem, but threat actors do not give up so easily.

The events surrounding the Metamorfo banking Trojan make this clear.

In April of this year, FireEye identified several widespread malware spam campaigns that targeted Brazilian companies and tied those attacks to Metamorfo.

The first method started with an email containing an HTML attachment that had a refresh tag using a Google URL shortener as the target. When the URL is loaded, it redirects the victim to a cloud storage site such as GitHub, Dropbox or Google Drive to download a ZIP file.

(Source: iStock)
(Source: iStock)

The victim must unzip the archive and double-click the contained executable for the infection chain to continue. More VBS code is then downloaded from a cloud site containing the Trojan and the legitimate Windows tool that it pretends to be when it acts.

The second method that was used is quite similar to the first, except that a different legitimate Microsoft tool is used, and the landing sites may have changed.

Both resultant Trojans check if the foreground window's title contains the names of Brazilian banks or digital coins by looking for hardcoded strings.

So, countermeasures for this version of Metamorfo could be taken. But the threat actors have struck back against those countermeasures.

Cisco Talos recently found two separate infection processes that attackers have used between late October and early November. The researchers note that these campaigns used different file types from each other for the initial download and infection process, and ultimately delivered two separate banking Trojans that target Brazilian financial institutions.

The first of the new threats begins with a Windows LNK file that then downloads a PowerShell script with an image filename extension -- .bmp or .png -- from the attacker's URL. This script is used to download an archive hosted on Amazon Web Services (AWS) that contains the Trojan and a DLL that is designed to set up the Trojan.

In the second campaign, the attackers leveraged malicious PE32 executables were used to perform the initial stage of the infection process rather than Windows shortcut files (LNK). These PE32 executables were delivered in ZIP archives.

The PE32 files are used to create a batch file in a subdirectory of "%TEMP%," which executes PowerShell with the instructions to download the contents hosted on the attacker-controlled server and pass it to the Invoke-Expression (IEX).

So, the PowerShell script retrieves and executes the malicious payload.

This payload is different from the one seen by FireEye in that it can target and then confuse two-factor authentication protection through the display of fake pop-ups to the user.

Talos researchers also found additional tools and malware hosted on the Amazon S3 Bucket used in these campaigns. This malware is a remote administration tool with the capability to create emails.

The threat actors have adapted to the changing situations by creating different campaigns that have the same goal of stealing money but use differing ways to get there. Preventative actions such as AV tools using static string analysis developed for the initial campaign will not work against the second wave since the methods and files used in them have changed.

Metamorfo shows how cybercriminals will continually respond to the efforts of the security team by innovating new ways to achieve their same goals.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-08
Dell iDRAC8 versions prior to contain a host header injection vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by injecting arbitrary ‘Host’ header values to poison a web-cache or trigger redirections.
PUBLISHED: 2021-03-08
Maxum Rumpus 8.2.13 and 8.2.14 is affected by a command injection vulnerability. The web administration contains functionality in which administrators are able to manage users. The edit users form contains a parameter vulnerable to command injection due to insufficient validation.
PUBLISHED: 2021-03-08
Maxum Rumpus 8.2.13 and 8.2.14 is affected by cross-site scripting (XSS). Users are able to create folders in the web application. The folder name is insufficiently validated resulting in a stored cross-site scripting vulnerability.
PUBLISHED: 2021-03-08
A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulner...
PUBLISHED: 2021-03-08
PowerScale OneFS 8.1.2,8.2.2 and 9.1.0 contains an improper input sanitization issue in a command. The Compadmin user could potentially exploit this vulnerability, leading to potential privileges escalation.