Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.



08:05 AM
Larry Loeb
Larry Loeb
Larry Loeb

Metamorfo Trojan Revamped to Evade Antivirus Protections

The Metamorfo Trojan, which has targeted banks and other financial institutions in Brazil, has been revamped by threat actors to better evade antivirus and other security protections.

Security efforts can feel like a battle -- full of actions and counteractions that lead to some sort of resolution. It's tempting to see this as the end of the problem, but threat actors do not give up so easily.

The events surrounding the Metamorfo banking Trojan make this clear.

In April of this year, FireEye identified several widespread malware spam campaigns that targeted Brazilian companies and tied those attacks to Metamorfo.

The first method started with an email containing an HTML attachment that had a refresh tag using a Google URL shortener as the target. When the URL is loaded, it redirects the victim to a cloud storage site such as GitHub, Dropbox or Google Drive to download a ZIP file.

The victim must unzip the archive and double-click the contained executable for the infection chain to continue. More VBS code is then downloaded from a cloud site containing the Trojan and the legitimate Windows tool that it pretends to be when it acts.

The second method that was used is quite similar to the first, except that a different legitimate Microsoft tool is used, and the landing sites may have changed.

Both resultant Trojans check if the foreground window's title contains the names of Brazilian banks or digital coins by looking for hardcoded strings.

So, countermeasures for this version of Metamorfo could be taken. But the threat actors have struck back against those countermeasures.

Cisco Talos recently found two separate infection processes that attackers have used between late October and early November. The researchers note that these campaigns used different file types from each other for the initial download and infection process, and ultimately delivered two separate banking Trojans that target Brazilian financial institutions.

The first of the new threats begins with a Windows LNK file that then downloads a PowerShell script with an image filename extension -- .bmp or .png -- from the attacker's URL. This script is used to download an archive hosted on Amazon Web Services (AWS) that contains the Trojan and a DLL that is designed to set up the Trojan.

In the second campaign, the attackers leveraged malicious PE32 executables were used to perform the initial stage of the infection process rather than Windows shortcut files (LNK). These PE32 executables were delivered in ZIP archives.

The PE32 files are used to create a batch file in a subdirectory of "%TEMP%," which executes PowerShell with the instructions to download the contents hosted on the attacker-controlled server and pass it to the Invoke-Expression (IEX).

So, the PowerShell script retrieves and executes the malicious payload.

This payload is different from the one seen by FireEye in that it can target and then confuse two-factor authentication protection through the display of fake pop-ups to the user.

Talos researchers also found additional tools and malware hosted on the Amazon S3 Bucket used in these campaigns. This malware is a remote administration tool with the capability to create emails.

The threat actors have adapted to the changing situations by creating different campaigns that have the same goal of stealing money but use differing ways to get there. Preventative actions such as AV tools using static string analysis developed for the initial campaign will not work against the second wave since the methods and files used in them have changed.

Metamorfo shows how cybercriminals will continually respond to the efforts of the security team by innovating new ways to achieve their same goals.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-11-28
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is ...
PUBLISHED: 2020-11-27
blosc2.c in Blosc C-Blosc2 through 2.0.0.beta.5 has a heap-based buffer overflow when there is a lack of space to write compressed data.
PUBLISHED: 2020-11-27
npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sani...
PUBLISHED: 2020-11-27
In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/blind XSS in the admin panel.
PUBLISHED: 2020-11-27
In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.