Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.



08:05 AM
Larry Loeb
Larry Loeb
Larry Loeb

Metamorfo Trojan Revamped to Evade Antivirus Protections

The Metamorfo Trojan, which has targeted banks and other financial institutions in Brazil, has been revamped by threat actors to better evade antivirus and other security protections.

Security efforts can feel like a battle -- full of actions and counteractions that lead to some sort of resolution. It's tempting to see this as the end of the problem, but threat actors do not give up so easily.

The events surrounding the Metamorfo banking Trojan make this clear.

In April of this year, FireEye identified several widespread malware spam campaigns that targeted Brazilian companies and tied those attacks to Metamorfo.

The first method started with an email containing an HTML attachment that had a refresh tag using a Google URL shortener as the target. When the URL is loaded, it redirects the victim to a cloud storage site such as GitHub, Dropbox or Google Drive to download a ZIP file.

The victim must unzip the archive and double-click the contained executable for the infection chain to continue. More VBS code is then downloaded from a cloud site containing the Trojan and the legitimate Windows tool that it pretends to be when it acts.

The second method that was used is quite similar to the first, except that a different legitimate Microsoft tool is used, and the landing sites may have changed.

Both resultant Trojans check if the foreground window's title contains the names of Brazilian banks or digital coins by looking for hardcoded strings.

So, countermeasures for this version of Metamorfo could be taken. But the threat actors have struck back against those countermeasures.

Cisco Talos recently found two separate infection processes that attackers have used between late October and early November. The researchers note that these campaigns used different file types from each other for the initial download and infection process, and ultimately delivered two separate banking Trojans that target Brazilian financial institutions.

The first of the new threats begins with a Windows LNK file that then downloads a PowerShell script with an image filename extension -- .bmp or .png -- from the attacker's URL. This script is used to download an archive hosted on Amazon Web Services (AWS) that contains the Trojan and a DLL that is designed to set up the Trojan.

In the second campaign, the attackers leveraged malicious PE32 executables were used to perform the initial stage of the infection process rather than Windows shortcut files (LNK). These PE32 executables were delivered in ZIP archives.

The PE32 files are used to create a batch file in a subdirectory of "%TEMP%," which executes PowerShell with the instructions to download the contents hosted on the attacker-controlled server and pass it to the Invoke-Expression (IEX).

So, the PowerShell script retrieves and executes the malicious payload.

This payload is different from the one seen by FireEye in that it can target and then confuse two-factor authentication protection through the display of fake pop-ups to the user.

Talos researchers also found additional tools and malware hosted on the Amazon S3 Bucket used in these campaigns. This malware is a remote administration tool with the capability to create emails.

The threat actors have adapted to the changing situations by creating different campaigns that have the same goal of stealing money but use differing ways to get there. Preventative actions such as AV tools using static string analysis developed for the initial campaign will not work against the second wave since the methods and files used in them have changed.

Metamorfo shows how cybercriminals will continually respond to the efforts of the security team by innovating new ways to achieve their same goals.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.