Metamorfo Returns with Keylogger Trick to Target Financial Firms


The malware uses a tactic to force victims to retype passwords into their systems – which it tracks via a keylogger.

Researchers have discovered a recent spate of phishing emails spreading a new variant of Metamorfo, a financial malware known for targeting Brazilian companies. Now, however, it’s expanding its geographic range and adding a new technique.

Metamorfo was first discovered in April 2018, in various campaigns that share key commonalities (like the use of “spray and pray” spam tactics). These campaigns, however, have small, “morphing” differences between them, which is the meaning behind the name.

This newest variant, which targets payment-card data and credentials at financial institutions with Windows platforms, packs a new trick up its sleeve. Once executed, the malware kills the auto-suggest data entry fields in browsers, forcing victims to write out their passwords – which it then tracks via a keylogger.

It’s also changing in other ways: “Metamorfo is a malware family that was observed targeting the customers of online financial institutions,” said researcher Xiaopeng Zhang, with Fortinet’s FortiGuard Labs, in a post this week. “This… Metamorfo variant targets the customers of even more financial institutions across multiple countries.”

The recent variant is first spread via phishing emails that distribute a ZIP archive containing an MSI file (named “view-(AVISO)2020.msi”). Researchers inspected this MSI file’s stream (a sequence of bytes written to files, giving more information about their attributes) and found JavaScript code mixed in with a wide swath of garbage strings.

The extracted and de-obfuscated code revealed that the MSI file downloads a ZIP file from a URL and adds itself to the auto-run group in the victim’s system registry to ensure that it runs automatically whenever the infected system starts. This ZIP file also contains three files (“cMejBlQe.exe,” “M6WnYxAh” and “YvSVUyps.dll”) that are decompressed into a newly created folder and renamed with random strings, which then run an AutoIt script execution program.

Researchers said that AutoIt, a legitimate, freeware programming language for Microsoft Windows, has been abused by various malware families in the past as a method to help them bypass antivirus detection.

The command line finally loads a DLL file containing the payload. This is protected by a packer, VMProtect, which is a “very strong packer that supports dynamic code protection when the target process is running,” said FortiGuard researchers. “This creates a big challenge for analysts. For example, all API addresses are hidden and are dynamically calculated before calling.”

In a new tactic for Metamorfo, once executed it terminates running browsers (including Microsoft IE, Mozilla Firefox, Google Chrome, Microsoft Edge and Opera), and then modifies various registry keys to disable Internet Explorer’s functions, like auto-complete and auto-suggest.

The malware also has the ability to display a control asking the victim to enter their passwords. Researchers said these dual functionalities enable the malware to track victims’ passwords as they manually write them out – enabling the malware operators to keep tabs on passwords even if they’re changed.

“What is the purpose of killing the browsers and disabling their auto-complete and auto-suggest functions? This action forces the victim to hand-enter data without auto-complete, such as whole URLs, along with login-name, password and so on in the browser,” said Zhang. “This allows the malware’s keylogger function to record the largest number of actions from the victim’s input.”
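As an added defensive illustration (not from the article or from Fortinet’s analysis): Python detection logic run over constructed Sysmon registry-event lines, flagging the pattern described above, where a non-browser process sets Internet Explorer’s auto-complete values to “no”. It assumes the standard IE AutoComplete/AutoSuggest registry value names, which the article does not list, and the constructed dropper path and SID are placeholders.

```python
import re
from collections import namedtuple

# Assumption (the article names no keys): standard IE AutoComplete/AutoSuggest
# REG_SZ "yes"/"no" values in the user hive that the variant would have to flip.
IE = r"\Software\Microsoft\Internet Explorer"
IE_AUTOCOMPLETE_VALUES = (IE + r"\Main\Use FormSuggest", IE + r"\Main\FormSuggest Passwords",
                          IE + r"\AutoComplete\AutoSuggest", IE + r"\AutoComplete\Append Completion")
# Processes that legitimately write these values (browser settings UI, Group Policy).
EXPECTED_WRITERS = {"iexplore.exe", "explorer.exe", "svchost.exe"}
Finding = namedtuple("Finding", "image target details")

# Sysmon Event ID 13 (RegistryEvent: value set) flattened to key=value text.
EVENT_RE = re.compile(r"EventID=(?P<id>\d+)\s+Image=(?P<image>.+?)\s+"
                      r"TargetObject=(?P<target>.+?)\s+Details=(?P<details>.+)$")

def parse_event(line):
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None

def is_autocomplete_value(target):
    t = target.lower()
    return any(t.endswith(v.lower()) for v in IE_AUTOCOMPLETE_VALUES)

def detect_autocomplete_tampering(lines):
    """Flag writes that set an IE auto-complete value to "no" from an unexpected process."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["id"] != "13":          # only registry value-set events
            continue
        writer = ev["image"].rsplit("\\", 1)[-1].lower()
        if (is_autocomplete_value(ev["target"]) and ev["details"].strip().lower() == "no"
                and writer not in EXPECTED_WRITERS):
            findings.append(Finding(ev["image"], ev["target"], ev["details"]))
    return findings

# Constructed sample events (not from the article or any real infection).
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
DROPPED = r"C:\Users\alice\AppData\Roaming\qYwzKpLa\mNvBtRsE.exe"   # random-named dropper
SAMPLE_EVENTS = [
    f"EventID=13 Image={DROPPED} TargetObject={SID}{IE}\\Main\\Use FormSuggest Details=no",
    f"EventID=13 Image={DROPPED} TargetObject={SID}{IE}\\Main\\FormSuggest Passwords Details=no",
    # user turning AutoSuggest off through the browser itself: expected writer, not flagged
    f"EventID=13 Image=C:\\Program Files\\Internet Explorer\\iexplore.exe TargetObject={SID}{IE}\\AutoComplete\\AutoSuggest Details=no",
    # unrelated write by the same dropper (an autorun entry): outside this rule's scope
    f"EventID=13 Image={DROPPED} TargetObject={SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\mNvBtRsE Details={DROPPED}",
]
```

Running `detect_autocomplete_tampering(SAMPLE_EVENTS)` returns only the two writes by the dropper; pairing this with a preceding burst of browser process terminations would tighten the rule further.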

The malware also was able to display a fake message to the victim asking them to enter legitimate security confirmation codes they had received, in a tricky technique for attackers to bypass two-factor authentication (2FA), Zhang told Threatpost.

“Sometimes financial websites use 2FA to protect their customers like sending a security code via SMS/email to the customer, then verifying the customer’s input on the website,” he said. “Since the attacker could not get the code, the verification will fail. So this malware strain asks for the code from the victim by prompting a fake message.”

Beyond this technique, the malware’s arsenal of capabilities is similar to that of older variants: It collects information such as the OS version, computer name, installed antivirus software and more from the victim’s system, and also creates tasks to monitor Bitcoin wallet addresses on the system clipboard, and to detect whether or not the victim is accessing a financial institution website.

The Metamorfo news comes on the heels of the return of the CamuBot malware, also known for targeting Brazilian bank customers. In a slew of highly personalized attacks, CamuBot is targeting victims’ mobile banking apps as an extra step to evade detection when making fraudulent transfers.
