
Metamorfo Banking Trojan

By GoldSparrow in Trojans

PC security researchers first observed the Metamorfo Banking Trojan in May 2018. Its attacks mainly target computer users located in Brazil. The Metamorfo Banking Trojan is delivered as a corrupted HTML file attached to phishing emails designed to trick computer users into believing that they have received a wire transfer notification from their bank. When the HTML file is opened, the Metamorfo Banking Trojan is downloaded from Dropbox, Google Drive, or GitHub and installed on the infected computer. The payload arrives as a ZIP archive containing an executable file that installs the Metamorfo Banking Trojan when the ZIP file is opened.

How the Metamorfo Banking Trojan Attack Works

The Metamorfo Banking Trojan scans the affected computer's browser history for Brazilian banks and online money exchanges. It starts automatically whenever the affected computer starts up and whenever the victim visits websites connected to these financial institutions. It takes screenshots and attempts to log keystrokes and mouse clicks to obtain the victim's passwords. The Metamorfo Banking Trojan also interferes with the affected computer, preventing the victim from running the following processes:

msconfig.exe; TASKMGR.exe; regedit.exe; ccleaner64.exe; taskmgr.exe; Itauaplicativo.exe

Once installed, the Metamorfo Banking Trojan connects to its Command and Control servers to receive commands and relay information about the infected computer. It has been observed communicating with servers at the following IP addresses (new ones are likely being added constantly as these are detected and taken down):

80[.]211.140[.]235
87[.]98.146[.]34
212[.]237.46[.]6
185[.]43.209[.]182
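As an added detection example (not code from the original write-up), the following Python checks endpoint events for the two behaviours described above: connections to the published Command and Control addresses and termination of the processes the Trojan blocks. The Sysmon-like JSON event schema, its field names and the sample telemetry lines are assumptions constructed for the example, not taken from the page.

```python
import json
# Indicators from the write-up above: the four published C2 addresses (kept defanged,
# exactly as published) and the processes the Trojan prevents from running.
METAMORFO_C2 = {"80[.]211.140[.]235", "87[.]98.146[.]34",
                "212[.]237.46[.]6", "185[.]43.209[.]182"}
BLOCKED_PROCESSES = {"msconfig.exe", "taskmgr.exe", "regedit.exe",
                     "ccleaner64.exe", "itauaplicativo.exe"}

def refang(ip):
    """Turn a defanged indicator such as 80[.]211.140[.]235 into a plain dotted quad."""
    return ip.replace("[.]", ".")
C2_PLAIN = {refang(ip) for ip in METAMORFO_C2}

def basename(path):
    """Last component of a Windows path, lower-cased so TASKMGR.exe matches taskmgr.exe."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(event):
    """Return alert strings for one endpoint event (assumed Sysmon-like JSON shape, not from
    the page): type "network" carries image/dst_ip, "process_terminate" image/target_image."""
    alerts = []
    actor = basename(event.get("image", "?"))
    if event.get("type") == "network":
        dst = refang(event.get("dst_ip", ""))
        if dst in C2_PLAIN:
            alerts.append(f"C2 contact: {actor} -> {dst}")
    elif event.get("type") == "process_terminate":
        target = basename(event.get("target_image", ""))
        if target in BLOCKED_PROCESSES:
            alerts.append(f"security tool killed: {actor} terminated {target}")
    return alerts

def scan_log(lines):
    """Run check_event over newline-delimited JSON, skipping malformed lines."""
    alerts = []
    for line in lines:
        try:
            alerts.extend(check_event(json.loads(line)))
        except (json.JSONDecodeError, AttributeError):
            continue
    return alerts

# Constructed sample telemetry, not real data; 192.0.2.10 is an RFC 5737 documentation address.
SAMPLE_LOG = [
    '{"type": "network", "image": "C:\\\\Users\\\\v\\\\AppData\\\\Roaming\\\\upd.exe", "dst_ip": "80.211.140.235"}',
    '{"type": "network", "image": "C:\\\\Program Files\\\\Firefox\\\\firefox.exe", "dst_ip": "192.0.2.10"}',
    '{"type": "process_terminate", "image": "C:\\\\Users\\\\v\\\\AppData\\\\Roaming\\\\upd.exe", "target_image": "C:\\\\Windows\\\\System32\\\\TASKMGR.exe"}',
    '{"type": "process_terminate", "image": "C:\\\\Windows\\\\explorer.exe", "target_image": "C:\\\\Windows\\\\notepad.exe"}',
    'not json at all',
]
```

Running `scan_log(SAMPLE_LOG)` yields two alerts, both attributed to the same unknown process, which is the pairing a responder would pivot on.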

The Metamorfo Banking Trojan has several variants, all sharing the same basic attack architecture and the same types of targets. Distribution methods vary, but it is clear that the Metamorfo Banking Trojan is part of a coordinated malware campaign aimed at computer users located in Brazil. The list of banking institutions targeted by the Metamorfo Banking Trojan is quite extensive and is hard-coded into the Trojan itself.

Variants of the Metamorfo Banking Trojan Attacks

Apart from the variant that monitors the victim's activities to collect login information for online banking services, some Metamorfo Banking Trojan variants have been observed using a different approach. These versions, like the other variants, still monitor the victim's online activities, waiting for the victim to visit a Brazilian banking website. In this case, however, when the victim visits one of these websites, the Metamorfo Banking Trojan displays a fake version of the website in the victim's Web browser, tricking the victim into entering their login credentials into the fake page. This information is then forwarded to the Metamorfo Banking Trojan's Command and Control servers.

One aspect of the Metamorfo Banking Trojan attacks that makes the different variants difficult for PC security researchers to deal with is that the attack involves several stages: it is initiated via corrupted email attachments and eventually results in the installation of malware on the victim's computer, which then communicates with its Command and Control servers. To install the Metamorfo Banking Trojan, the victim may be exposed to an initial compromised HTML file, a file with embedded JavaScript, or other typical malware distribution methods. This makes attacks like the Metamorfo Banking Trojan flexible in their approach and difficult to deal with.

Protecting Your Banking Account from the Metamorfo Banking Trojan

Unless you monitor your computer constantly, it is difficult to notice the presence of the Metamorfo Banking Trojan. Because of this, a strong, fully up-to-date security program should be used to monitor your activities in real time. Learning how to recognize and respond to email tactics is also essential in preventing attacks like the Metamorfo Banking Trojan.
