Metamorfo banking Trojan employs new tricks, expands its campaign

Metamorfo malware steals users' passwords with the help of a keylogging trick

Metamorfo malware keylogging featureThe newest variant of Metamorfo banking Trojan wipes out browser auto-fill data in order to steal users' passwords

Security researchers from Fortinet have recently spotted a new variant of a previously known Windows malware Metamorfo[1] – it is accustomed to targeting customers of over 20 financial institutions. First discovered in April 2018, the banking Trojan was seen targeting users around the world, although the most recent campaign focuses on North and South-American countries like the US, Canada, Chile, Brazil, Mexico, Ecuador, Chile, Peru, and others.

The first variant analyzed by Fortinet emerged in January, and targeted Brazilian financial institution customers with phishing emails written in Portuguese, and included a malicious link that delivered the infectious file. The newest version aims to expand the operation of Metamorfo Trojan across targets in other countries, and it also has multiple new tricks not seen in this malware family before.

Once the Trojan infects the system, it erases the auto-suggest and auto-complete information from all the browsers, making users re-type their passwords when trying to login to the online banking account. As a result, the password is stolen and sent to a remote server, which allows the threat actors to abuse the financial information by selling it online or using it to steal money directly.

The phishing campaign uses fake Invoices

Most of the phishing emails[2] that were spotted by researchers included a link to a malicious URL that would download an alleged Electronic Invoice. Translated from Portuguese, an example of suchlike email body read as follows:

Electronic note issued by the service provider:

NFe: 00032850086
Company Name: Constru MEI
CCM: 9786

See below:

In reality, what users would download is a malicious .zip file that includes view-(AVISO)2020.msi inside of it, which, once clicked, is processed with the help of MsiExec.exe – a built-in Windows process used to install new programs. After several other steps and VBS code execution, the malware is finally planted of the target's device – this allows Metamorfo to perform changes needed for the malicious data-harvesting operations.

Fortinet researcher Xiaopeng Zhang explains the analysis of this latest campaign:

Analyzing this latest MSI file, I discovered that it also has a stream with the same name –“!_StringData” – where I found a piece of JavaScript code that had been mixed in with a huge amount of garbage strings. After I extracted and de-obfuscated the JavaScript code, it was easy to see what the code does.

The malware forces users to re-type the online banking password in order to harvest it and send it to criminals to a Command & Control server

After Metamorfo infection is triggered, it immediately checks whether it landed in a sandbox or Virtual Machine environment – if either of these is true, it exits without performing any further actions (a common feature of malware – it helps it avoid analysis). Upon execution, it runs an AutoIt script program (which automates various Windows graphical user interface (GUI) scripting commands) – it helps the Trojan to avoid detection by security applications, in case any are installed on the system.[3]

Metamorfo then closes down all browsers that are running at the time, forcing users to restart them. At that time, the Trojan deletes all the information that was used for the auto-complete and auto-suggest feature within the Google Chrome, Mozilla Firefox, Internet Explorer, MS Edge, or Opera browser. As a result, users are unable to login to online banking services until they re-type their passwords manually, which are recorded with the help of keylogging function.[4] This information is then sent to a remote Command & Control server controlled by the threat actors.

Xiaopeng Zhang also said that malware posses multiple other functions that help it to bypass two-factor authentication by showing victims fake security confirmation prompts:[5]

Sometimes financial websites use 2FA to protect their customers like sending a security code via SMS/email to the customer, then verifying the customer’s input on the website,” he said. “Since the attacker could not get the code, the verification will fail. So this malware strain asks for the code from the victim by prompting a fake message

Users should use caution when clicking links or opening attachments inside emails – pointing the mouse on the link would show the real address within the hyperlink. Besides, clipped files that ask to execute macro functions are most certainly booby-trapped with malware. Employing reputable anti-malware that includes real-time web protection function can also prevent malicious files from being downloaded and run on a Windows machine.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions