A recent spate of financial malware campaigns targeting Brazilian companies, collectively dubbed Metamorfo, uses “spray and pray” spam tactics to ensnare their victims. Across the various offensives, the bad actors are abusing legitimate, signed binaries to load the malicious code.
As the name Metamorfo suggests, the campaigns share much in common – including the use of a multi-stage infection path, the use of a legitimate Windows tool as a side-loader and the use of cloud storage to host the bad code – but with slight, morphing differences.
For instance, in one campaign examined by FireEye Labs, the kill chain starts with an email (purporting to concern an electronic funds transfer) containing an HTML attachment. The attachment redirects to a Google-shortened URL, which in turn redirects the victim to a cloud storage site such as GitHub, Dropbox or Google Drive to download a ZIP file. The user has to unzip the archive and double-click the executable for the infection chain to continue.
If downloaded, the ZIP file unpacks to install the legitimate, signed Windows tool, which is subsequently abused to side-load the banking trojan (also included in the archive).
From there, the payload malware sets about spying on the victim to sniff out their online banking activity, comparing the sites they visit against an extensive hardcoded list of Brazilian banking and digital coin URLs. If it finds a match, it creates a folder to store screenshots, as well as the number of mouse clicks the user has triggered while browsing the banking sites. FireEye researchers said that the screenshots are continuously saved as .jpg images.
In another Metamorfo campaign, FireEye observed the malicious emails dangling links instead of attachments. The URLs point to both legitimate and bogus domains, which then redirect to the same cloud sites mentioned above, hosting a slightly different ZIP file. This one contains a malicious executable that drops a VBS file, which then fetches the same side-loading tool and trojan from the C2 server.
Like the trojan from the first campaign, this sample checks for activity on specific Brazilian bank and digital coin sites; it also performs a country-code check.
This malware is slightly different however, in that it displays fake forms on top of the banking sites and intercepts credentials from the victims. It can also display a fake Windows Update whenever there is nefarious activity in the background.
“The use of multi-stage infection chains makes it challenging to research these types of campaigns all the way through,” said FireEye researchers Edson Sierra and Gerardo Iglesias, in an analysis. “The attackers are using various techniques to evade detection and infect unsuspecting Portuguese-speaking users with banking trojans. The use of public cloud infrastructure to help deliver the different stages plays a particularly big role in delivering the malicious payload.”
The technique of using a real Windows tool for bad purposes is a unique feature of Metamorfo, they added; but it’s not brand-new. The tactic was first seen by FireEye in the fourth quarter of 2017, when a similar “malspam” campaign delivered the same type of banking trojan by using an embedded JAR file attached in the email, instead of an HTML attachment or link. On execution, the Java code automatically fetched the ZIP archive from Google Drive, Dropbox or Github.