Showing results for tags 'metamorfo'.


Found 2 results

  1. Metamorfo Banking Trojan Abuses AutoHotKey to Avoid Detection

     A legitimate binary for creating shortcut keys in Windows is being used to help the malware sneak past defenses, in a rash of new campaigns.

     The Metamorfo banking trojan is abusing AutoHotKey (AHK) and the AHK compiler to evade detection and steal users’ information, researchers have warned. AHK is a scripting language for Windows originally developed to create keyboard shortcuts (i.e., hot keys).

     According to the Cofense Phishing Defense Center (PDC), the malware (a.k.a. Mekotio) is targeting Spanish-language users using two separate emails as an initial infection vector. One is a purported request to download a password-protected file; the other is an elaborate spoofed notification about pending legal documents, with a link that downloads a .ZIP file.

     Metamorfo Abusing AHK

     In both cases, the malicious code is contained in a .ZIP file that’s ultimately downloaded to victim computers. It contains three files: the legitimate AHK compiler executable (.EXE), a malicious AHK script (.AHK) and the banking trojan itself (.DLL). These are unpacked into a randomly named file housed in C:\ProgramData.

     A script will then run the AHK compiler, the AHK compiler will execute the AHK script, and the AHK script will finally load Metamorfo into the AHK compiler memory.

     “[Metamorfo] will then operate from within the AHK compiler process, using the signed binary as a front to make detection more difficult for endpoint solutions,” researchers explained, in a posting on Thursday.

     For persistence, copies of all three files are also placed in a new folder. “It will then use a run key to initiate the execution chain every time the system restarts by executing the renamed copy of the AHK compiler,” according to the report.

     Metamorfo Resurgence in LatAm, Europe

     Metamorfo started life as a Latin American banking trojan, first discovered in April 2018, in various campaigns that share key commonalities (like the use of “spray-and-pray” spam tactics). Its campaigns, however, have small, “morphing” differences — which is the meaning behind its name.

     A variant that emerged in February 2020, for instance, kills the auto-suggest data entry fields in browsers, forcing victims to write out their passwords – which it then tracks via a keylogger. That trick is also present in the latest attacks, according to the PDC, with cybercrooks targeting customers of banks in Latin America and Europe (including France, Portugal and Spain).

     Metamorfo monitors browser activity looking for targeted banks, which are listed in the form of strings in the AHK compiler process memory, researchers explained. When a victim opens one of the targeted banking pages, Metamorfo overlays it with a fake version of the webpage designed to harvest credentials.

     “[Metamorfo] disables specific registry browser values associated with password and form suggestions and autocompletion,” researchers said. “This forces the user to type in sensitive information, even if they have it saved in their browser history, allowing the malware to capture credentials with its keylogging capabilities.”

     This version of the trojan can also monitor Bitcoin addresses copied to a clipboard and replace them with one belonging to the attackers. “As of this writing, this specific attacker address had a balance of 0.01957271 BTC, approximately $800,” researchers said.

     Metamorfo’s Banking Trojan Infection Routine

     The PDC encountered two main mechanisms for delivering the payload in these campaigns. In the first instance, there is a .ZIP file containing an MSI file that includes a malicious domain harboring 32- and 64-bit versions of a second .ZIP file; in the second scenario, the original .ZIP file drops a shortcut file containing a malicious Finger command. Finger.exe is a native Windows command that allows the retrieval of information about a remote user.

     “The Custom Actions table of these MSI files enables the incorporation of custom code to the installation package and is often abused by attackers,” said the researchers. “[The table] shows an action titled ‘dqidwlCTIewiuap’ containing obfuscated JavaScript. The JavaScript is responsible for downloading the correct version of the .ZIP file from the payload site, unzipping its contents, renaming and placing it into a new randomly named folder.”

     In the second instance, a command is used to contact a server, which displays the contents of a hosted file in a command shell. The file in question is a PowerShell script that will run in this shell.

     “The script carries out similar actions to the MSI: it downloads a ZIP file, renames it, copies it to a newly created folder and unzips it there,” researchers explained. “The PDC also saw both tactics combined in at least one case, by incorporating the malicious Finger command directly into the MSI Custom Actions table.”

     Users can protect themselves by being wary of what files they download and also by checking their machines for random new file folders in the Windows Program Data directory.

     “The main takeaway is that legitimate binaries can be leveraged as a façade for malicious activity,” researchers concluded. “Vigilance is key. If a file or process is not meant to be there, it’s best to check.”

     Source: Metamorfo Banking Trojan Abuses AutoHotKey to Avoid Detection
  2. Metamorfo Returns with Keylogger Trick to Target Financial Firms

     The malware uses a tactic to force victims to retype passwords into their systems – which it tracks via a keylogger.

     Researchers have discovered a recent spate of phishing emails spreading a new variant of Metamorfo, a financial malware known for targeting Brazilian companies. Now, however, it’s expanding its geographic range and adding a new technique.

     Metamorfo was first discovered in April 2018, in various campaigns that share key commonalities (like the use of “spray and pray” spam tactics). These campaigns, however, have small, “morphing” differences — which is the meaning behind its name.

     This newest variant, which targets payment-card data and credentials at financial institutions with Windows platforms, packs a new trick up its sleeve. Once executed, the malware kills the auto-suggest data entry fields in browsers, forcing victims to write out their passwords – which it then tracks via a keylogger.

     It’s also changing in other ways: “Metamorfo is a malware family that was observed targeting the customers of online financial institutions,” said researcher Xiaopeng Zhang, with Fortinet’s FortiGuard Labs, in a post this week. “This… Metamorfo variant targets the customers of even more financial institutions across multiple countries.”

     Infection

     The recent variant is first spread via phishing emails that distribute a ZIP archive containing an MSI file (named “view-(AVISO)2020.msi”).

     Researchers inspected this MSI file’s stream (a sequence of bytes written to files, giving more information about their attributes) and found JavaScript code mixed in with a wide swath of garbage strings. The extracted and de-obfuscated code revealed that the MSI file downloads a ZIP file from a URL, which then adds itself into the auto-run group in the victim’s system registry to ensure that it runs automatically whenever the infected system starts.

     This ZIP file also contains three files (“cMejBlQe.exe,” “M6WnYxAh” and “YvSVUyps.dll”) that are decompressed into a newly-created folder and renamed with random strings, which then run an AutoIT script execution program. Researchers said that AutoIt, a legitimate, freeware programming language for Microsoft Windows, has been abused by various malware families in the past as a method to help them bypass antivirus detection.

     The command line finally loads a DLL file code with the payload. This is protected by a packer, VMProtect, which is a “very strong packer that supports dynamic code protection when the target process is running,” said FortiGuard researchers. “This creates a big challenge for analysts. For example, all API addresses are hidden and are dynamically calculated before calling.”

     Tricks

     In a new tactic for Metamorfo, once executed it terminates running browsers (including Microsoft IE, Mozilla Firefox, Google Chrome, Microsoft Edge and Opera), and then modifies various registry keys to disable Internet Explorer’s functions, like auto-complete and auto-suggest.

     The malware also has the ability to display a control asking the victim to enter their passwords. Researchers said these dual functionalities enable the malware to track victims’ passwords as they manually write them out – enabling the malware operators to keep tabs on passwords even if they’re changed.

     “What is the purpose of killing the browsers and disabling their auto-complete and auto-suggest functions? This action forces the victim to hand-enter data without auto-complete, such as whole URLs, along with login-name, password and so on in the browser,” said Zhang. “This allows the malware’s keylogger function to record the largest number of actions from the victim’s input.”

     The malware also was able to display a fake message to the victim asking them to enter legitimate security confirmation codes they had received, in a tricky technique for attackers to bypass two-factor authentication (2FA), Zhang told Threatpost.

     “Sometimes financial websites use 2FA to protect their customers like sending a security code via SMS/email to the customer, then verifying the customer’s input on the website,” he said. “Since the attacker could not get the code, the verification will fail. So this malware strain asks for the code from the victim by prompting a fake message.”

     Beyond this technique, the malware’s arsenal of capabilities is similar to older variants: It collects information such as the OS version, computer name, installed antivirus software and more from the victim’s systems, and also creates tasks to monitor Bitcoin wallet addresses on the system clipboard, and to detect whether or not the victim is accessing a financial institution website.

     The Metamorfo news comes on the heels of the return of the CamuBot malware, also known for targeting Brazilian bank customers. In a slew of highly personalized attacks, CamuBot is targeting victims’ mobile banking apps as an extra step to evade detection when making fraudulent transfers.

     Source
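The first article's advice to check the Program Data directory for unexpected folders can be turned into a triage script. The following is an added example, not code from Cofense, Fortinet or either article: it flags folders that hold an .exe, an .ahk and a .dll side by side and then lists Run-key values that launch something inside a flagged folder. The function names, folder names, file names and Run-key values are all constructed for illustration, and a legitimate AutoHotkey install can match the same pattern, so hits are leads to review, not verdicts.

```python
import os
import tempfile
from pathlib import Path

TRIAD = {".exe", ".ahk", ".dll"}  # compiler, script and payload, as the article describes

def find_triad_folders(root):
    """Folders directly under root that hold an .exe, an .ahk and a .dll together."""
    hits = []
    for folder in sorted(Path(root).iterdir()):
        if folder.is_dir():
            exts = {p.suffix.lower() for p in folder.iterdir() if p.is_file()}
            if TRIAD <= exts:
                hits.append(folder)
    return hits

def run_entries_into(folders, run_entries):
    """Names of Run-key values whose command line points inside a flagged folder."""
    flagged = [str(f).lower() + os.sep for f in folders]
    return [name for name, cmd in run_entries
            if any(f in cmd.lower() for f in flagged)]

def build_constructed_sample(root):
    """Create a constructed stand-in for the ProgramData tree plus sample Run-key values."""
    root = Path(root)
    layout = {
        "qzkxwvbn": ["hwtrj.exe", "hwtrj.ahk", "hwtrj.dll"],  # mimics the dropped set
        "VendorApp": ["app.exe", "helper.dll"],               # no script: not flagged
        "Notes": ["readme.txt"],
    }
    for folder, names in layout.items():
        (root / folder).mkdir()
        for name in names:
            (root / folder / name).write_bytes(b"")
    # (value name, command line) pairs, as exported from a Run key; constructed
    return [
        ("Updater", f'"{root / "VendorApp" / "app.exe"}" /background'),
        ("hwtrj", f'"{root / "qzkxwvbn" / "hwtrj.exe"}"'),
    ]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        entries = build_constructed_sample(tmp)
        folders = find_triad_folders(tmp)
        print("folders to review:", [f.name for f in folders])
        print("Run values to review:", run_entries_into(folders, entries))
```

On a real host, pass the actual Program Data path as `root` and feed `run_entries_into` the Run-key values exported with whatever tooling is already in use.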