Metamorfo Trojan Revamped to Evade Antivirus Protections

Security efforts can feel like a battle -- full of actions and counteractions that lead to some sort of resolution. It's tempting to see this as the end of the problem, but threat actors do not give up so easily.

The events surrounding the Metamorfo banking Trojan make this clear.

In April of this year, FireEye identified several widespread malware spam campaigns that targeted Brazilian companies and tied those attacks to Metamorfo.

The first method started with an email containing an HTML attachment that had a refresh tag using a Google URL shortener as the target. When the URL is loaded, it redirects the victim to a cloud storage site such as GitHub, Dropbox or Google Drive to download a ZIP file.

(Source: iStock)

The victim must unzip the archive and double-click the contained executable for the infection chain to continue. More VBS code is then downloaded from a cloud site containing the Trojan and the legitimate Windows tool that it pretends to be when it acts.

The second method that was used is quite similar to the first, except that a different legitimate Microsoft tool is used, and the landing sites may have changed.

Both resultant Trojans check if the foreground window's title contains the names of Brazilian banks or digital coins by looking for hardcoded strings.

So, countermeasures for this version of Metamorfo could be taken. But the threat actors have struck back against those countermeasures.

Cisco Talos recently found two separate infection processes that attackers have used between late October and early November. The researchers note that these campaigns used different file types from each other for the initial download and infection process, and ultimately delivered two separate banking Trojans that target Brazilian financial institutions.

The first of the new threats begins with a Windows LNK file that then downloads a PowerShell script with an image filename extension -- .bmp or .png -- from the attacker's URL. This script is used to download an archive hosted on Amazon Web Services (AWS) that contains the Trojan and a DLL that is designed to set up the Trojan.

In the second campaign, the attackers leveraged malicious PE32 executables were used to perform the initial stage of the infection process rather than Windows shortcut files (LNK). These PE32 executables were delivered in ZIP archives.

The PE32 files are used to create a batch file in a subdirectory of "%TEMP%," which executes PowerShell with the instructions to download the contents hosted on the attacker-controlled server and pass it to the Invoke-Expression (IEX).

So, the PowerShell script retrieves and executes the malicious payload.

This payload is different from the one seen by FireEye in that it can target and then confuse two-factor authentication protection through the display of fake pop-ups to the user.

Talos researchers also found additional tools and malware hosted on the Amazon S3 Bucket used in these campaigns. This malware is a remote administration tool with the capability to create emails.

The threat actors have adapted to the changing situations by creating different campaigns that have the same goal of stealing money but use differing ways to get there. Preventative actions such as AV tools using static string analysis developed for the initial campaign will not work against the second wave since the methods and files used in them have changed.

Metamorfo shows how cybercriminals will continually respond to the efforts of the security team by innovating new ways to achieve their same goals.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.