Metamorfo
Metamorfo is a banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting mostly Brazilian users.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1010 | Application Window Discovery |
Metamorfo can enumerate all windows on the victim’s machine.[2][3] |
|
| Enterprise | T1119 | Automated Collection |
Metamorfo has automatically collected mouse clicks, continuous screenshots on the machine, and set timers to collect the contents of the clipboard and website browsing.[2] |
|
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Metamorfo has written its executable path to a Registry Run key and used .LNK files in the startup folder to achieve persistence.[1][2][3] |
| Enterprise | T1115 | Clipboard Data |
Metamorfo has a function to receive data from the system clipboard.[3] |
|
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | |
| .007 | Command and Scripting Interpreter: JavaScript/JScript | |||
| .005 | Command and Scripting Interpreter: Visual Basic | |||
| Enterprise | T1565 | .002 | Data Manipulation: Transmitted Data Manipulation |
Metamorfo has a function that can watch the contents of the system clipboard for valid bitcoin addresses, which it then overwrites with the attacker's address.[3] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Upon execution, Metamorfo has unzipped itself after being downloaded to the system.[1][2] |
|
| Enterprise | T1573 | .002 | Encrypted Channel: Asymmetric Cryptography |
Metamorfo's C2 communication has been encrypted using OpenSSL.[1] |
| Enterprise | T1083 | File and Directory Discovery |
Metamorfo has searched the Program Files directories for specific folders and has searched for strings related to its mutexes.[1][3][2] |
|
| Enterprise | T1564 | .003 | Hide Artifacts: Hidden Window |
Metamorfo has hidden its GUI using the ShowWindow() WINAPI call.[1] |
| Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading | |
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
Metamorfo has a function to kill processes associated with defenses and can prevent certain processes from launching.[1][2] |
| Enterprise | T1070 | Indicator Removal on Host |
Metamorfo has a command to delete a Registry key it uses, |
|
| .004 | File Deletion |
Metamorfo has deleted itself from the system after execution.[1][3] |
||
| Enterprise | T1105 | Ingress Tool Transfer |
Metamorfo has used MSI to download files for execution.[1][2][3] |
|
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
Metamorfo has a command to launch a keylogger on the victim’s machine.[3] |
| .002 | Input Capture: GUI Input Capture |
Metamorfo has displayed fake forms on top of banking sites to intercept credentials from victims.[2] |
||
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
Metamorfo has disguised an MSI file as the Adobe Acrobat Reader Installer.[1] |
| Enterprise | T1112 | Modify Registry |
Metamorfo has written process names to the Registry, disabled IE browser features, deleted Registry keys, and changed the ExtendedUIHoverTime key.[1][3][2] |
|
| Enterprise | T1106 | Native API | ||
| Enterprise | T1095 | Non-Application Layer Protocol | ||
| Enterprise | T1571 | Non-Standard Port |
Metamorfo has communicated with hosts over raw TCP on port 9999.[2] |
|
| Enterprise | T1027 | Obfuscated Files or Information | ||
| .002 | Software Packing | |||
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Metamorfo has been delivered to victims via emails containing malicious HTML attachments.[2] |
| Enterprise | T1057 | Process Discovery |
Metamorfo has performed process name checks and has monitored applications.[1] |
|
| Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection |
Metamorfo has injected a malicious DLL into the Windows Media Player process (wmplayer.exe).[1] |
| Enterprise | T1113 | Screen Capture |
Metamorfo can collect screenshots of the victim’s machine.[2] |
|
| Enterprise | T1129 | Shared Modules |
Metamorfo had used AutoIt to load and execute the DLL payload.[3] |
|
| Enterprise | T1218 | .005 | Signed Binary Proxy Execution: Mshta | |
| .007 | Signed Binary Proxy Execution: Msiexec |
Metamorfo has used MsiExec.exe to automatically execute files.[3] |
||
| Enterprise | T1518 | Software Discovery |
Metamorfo has searched the system for an extensive list of Brazilian banking software.[2] |
|
| .001 | Security Software Discovery |
Metamorfo collects a list of installed antivirus software from the victim’s system.[3] |
||
| Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
Metamorfo has digitally signed executables using AVAST Software certificates.[1] |
| Enterprise | T1082 | System Information Discovery |
Metamorfo has collected the hostname and Operating System version from the system.[2][3] |
|
| Enterprise | T1124 | System Time Discovery | ||
| Enterprise | T1204 | .002 | User Execution: Malicious File |
Metamorfo requires the user to double-click the executable to run the malicious HTA file.[2] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion |
Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution.[1] |
|
| Enterprise | T1102 | .003 | Web Service: One-Way Communication |
Metamorfo has downloaded a zip file for execution on the system.[1][2][3] |