S0455 Metamorfo
Metamorfo is a Latin-American banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting banks and cryptocurrency services in Brazil and Mexico.[1][2]
Item | Value |
---|---|
ID | S0455 |
Associated Names | Casbaneiro |
Type | MALWARE |
Version | 2.0 |
Created | 26 May 2020 |
Last Modified | 18 October 2022 |
Associated Software Descriptions
Name | Description |
---|---|
Casbaneiro | [2] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Metamorfo has used HTTP for C2.[1][2] |
enterprise | T1010 | Application Window Discovery | Metamorfo can enumerate all windows on the victim's machine.[4][3] |
enterprise | T1119 | Automated Collection | Metamorfo has automatically collected mouse clicks, continuous screenshots on the machine, and set timers to collect the contents of the clipboard and website browsing.[4] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Metamorfo has configured persistence through the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, Spotify = %APPDATA%\Spotify\Spotify.exe, and has used .LNK files in the startup folder to achieve persistence.[1][4][3][2] |
enterprise | T1115 | Clipboard Data | Metamorfo has a function to hijack data from the clipboard by monitoring the contents of the clipboard and replacing the cryptocurrency wallet with the attacker's.[3][2] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | Metamorfo has used cmd.exe /c to execute files.[1] |
enterprise | T1059.005 | Visual Basic | Metamorfo has used VBS code on victims' systems.[4] |
enterprise | T1059.007 | JavaScript | Metamorfo includes payloads written in JavaScript.[1] |
enterprise | T1565 | Data Manipulation | - |
enterprise | T1565.002 | Transmitted Data Manipulation | Metamorfo has a function that can watch the contents of the system clipboard for valid bitcoin addresses, which it then overwrites with the attacker's address.[3][2] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Upon execution, Metamorfo has unzipped itself after being downloaded to the system and has performed string decryption.[1][4][2] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | Metamorfo has encrypted C2 commands with AES-256.[2] |
enterprise | T1573.002 | Asymmetric Cryptography | Metamorfo's C2 communication has been encrypted using OpenSSL.[1] |
enterprise | T1041 | Exfiltration Over C2 Channel | Metamorfo can send the data it collects to the C2 server.[2] |
enterprise | T1083 | File and Directory Discovery | Metamorfo has searched the Program Files directories for specific folders and has searched for strings related to its mutexes.[1][3][4] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.003 | Hidden Window | Metamorfo has hidden its GUI using the ShowWindow() WINAPI call.[1] |
enterprise | T1574 | Hijack Execution Flow | - |
enterprise | T1574.002 | DLL Side-Loading | Metamorfo has side-loaded its malicious DLL file.[1][4][2] |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.001 | Disable or Modify Tools | Metamorfo has a function to kill processes associated with defenses and can prevent certain processes from launching.[1][4] |
enterprise | T1070 | Indicator Removal | Metamorfo has a command to delete a Registry key it uses, \Software\Microsoft\Internet Explorer\notes.[4] |
enterprise | T1070.004 | File Deletion | Metamorfo has deleted itself from the system after execution.[1][3] |
enterprise | T1105 | Ingress Tool Transfer | Metamorfo has used MSI files to download additional files to execute.[1][4][3][2] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | Metamorfo has a command to launch a keylogger and capture keystrokes on the victim's machine.[3][2] |
enterprise | T1056.002 | GUI Input Capture | Metamorfo has displayed fake forms on top of banking sites to intercept credentials from victims.[4] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | Metamorfo has disguised an MSI file as the Adobe Acrobat Reader Installer and has masqueraded payloads as OneDrive, WhatsApp, or Spotify, for example.[1][2] |
enterprise | T1112 | Modify Registry | Metamorfo has written process names to the Registry, disabled IE browser features, deleted Registry keys, and changed the ExtendedUIHoverTime key.[1][3][4][2] |
enterprise | T1106 | Native API | Metamorfo has used native WINAPI calls.[1][3] |
enterprise | T1095 | Non-Application Layer Protocol | Metamorfo has used raw TCP for C2.[4] |
enterprise | T1571 | Non-Standard Port | Metamorfo has communicated with hosts over raw TCP on port 9999.[4] |
enterprise | T1027 | Obfuscated Files or Information | Metamorfo has encrypted payloads and strings.[1][2] |
enterprise | T1027.002 | Software Packing | Metamorfo has used VMProtect to pack and protect files.[3] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | Metamorfo has been delivered to victims via emails with malicious HTML attachments.[4][2] |
enterprise | T1057 | Process Discovery | Metamorfo has performed process name checks and has monitored applications.[1] |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.001 | Dynamic-link Library Injection | Metamorfo has injected a malicious DLL into the Windows Media Player process (wmplayer.exe).[1] |
enterprise | T1113 | Screen Capture | Metamorfo can collect screenshots of the victim's machine.[4][2] |
enterprise | T1129 | Shared Modules | Metamorfo has used AutoIt to load and execute the DLL payload.[3] |
enterprise | T1518 | Software Discovery | Metamorfo has searched the compromised system for banking applications.[4][2] |
enterprise | T1518.001 | Security Software Discovery | Metamorfo collects a list of installed antivirus software from the victim's system.[3][2] |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.002 | Code Signing | Metamorfo has digitally signed executables using AVAST Software certificates.[1] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.005 | Mshta | Metamorfo has used mshta.exe to execute an HTA payload.[4] |
enterprise | T1218.007 | Msiexec | Metamorfo has used MsiExec.exe to automatically execute files.[3][2] |
enterprise | T1082 | System Information Discovery | Metamorfo has collected the hostname and operating system version from the compromised host.[4][3][2] |
enterprise | T1033 | System Owner/User Discovery | Metamorfo has collected the username from the victim's machine.[2] |
enterprise | T1124 | System Time Discovery | Metamorfo uses JavaScript to get the system time.[1] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | Metamorfo requires the user to double-click the executable to run the malicious HTA file or to download a malicious installer.[4][2] |
enterprise | T1497 | Virtualization/Sandbox Evasion | Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution.[1] |
enterprise | T1102 | Web Service | - |
enterprise | T1102.001 | Dead Drop Resolver | Metamorfo has used YouTube to store and hide C&C server domains.[2] |
enterprise | T1102.003 | One-Way Communication | Metamorfo has downloaded a zip file for execution on the system.[1][4][3] |
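Several rows in the table above describe host behaviours that a detection engineer can turn into concrete rules: the Run-key value pointing into %APPDATA%\Spotify (T1547.001), raw TCP to port 9999 (T1571), mshta.exe launching an HTA and msiexec.exe running a package from a user-writable folder (T1218.005, T1218.007), a DLL loaded into wmplayer.exe from outside the Windows directory (T1574.002 / T1055.001), and a Bitcoin address in the clipboard being replaced by a different one (T1565.002). The block below is an added example, not ATT&CK content or code from any of the cited reports. The event dictionaries are constructed, Sysmon-like records; their field names ("type", "image", "dst_port", "user_copy", and so on) are assumptions of this example, as is the "user-writable path" heuristic used for the Run-key and msiexec rules.

```python
import re
from typing import Dict, List

# Registry Run key named in the T1547.001 row (compared case-insensitively).
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
# Shape check only: legacy base58 (1.../3...) or bech32 (bc1...) Bitcoin addresses.
BTC_ADDRESS = re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{39,59})$")


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _user_writable(path: str) -> bool:
    """Heuristic (assumption of this example): path lives in a user-writable location."""
    p = path.lower()
    return any(m in p for m in ("%appdata%", "\\appdata\\", "\\temp\\", "\\downloads\\"))


def looks_like_btc_address(text: str) -> bool:
    return bool(BTC_ADDRESS.match(text.strip()))


def detect(event: Dict) -> List[str]:
    """Return the technique IDs from the table whose rule matches this one event."""
    hits: List[str] = []
    kind = event.get("type")

    if kind == "registry_set":
        # T1547.001: Run-key value whose target sits in the user profile (e.g. %APPDATA%\Spotify\Spotify.exe)
        if event.get("key", "").lower().startswith(RUN_KEY) and _user_writable(event.get("data", "")):
            hits.append("T1547.001")

    elif kind == "network_connect":
        # T1571 / T1095: raw TCP to the non-standard port 9999 named on the page
        if event.get("proto") == "tcp" and event.get("dst_port") == 9999:
            hits.append("T1571")

    elif kind == "process_create":
        image, cmdline = _base(event.get("image", "")), event.get("cmdline", "").lower()
        # T1218.005: mshta.exe launching an .hta payload
        if image == "mshta.exe" and ".hta" in cmdline:
            hits.append("T1218.005")
        # T1218.007: msiexec.exe installing a package from a user-writable location
        if image == "msiexec.exe" and ".msi" in cmdline and _user_writable(cmdline):
            hits.append("T1218.007")

    elif kind == "image_load":
        # T1574.002 / T1055.001: wmplayer.exe loading a DLL from outside C:\Windows
        dll = event.get("image", "").lower()
        if _base(event.get("process", "")) == "wmplayer.exe" and dll and not dll.startswith("c:\\windows\\"):
            hits.append("T1574.002")

    elif kind == "clipboard_change":
        # T1565.002: one Bitcoin address replaced by a different one without a user copy action
        before, after = event.get("before", ""), event.get("after", "")
        if (looks_like_btc_address(before) and looks_like_btc_address(after)
                and before.strip() != after.strip() and not event.get("user_copy", False)):
            hits.append("T1565.002")

    return hits


# Constructed sample events (not real telemetry); odd-numbered ones are benign look-alikes.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Spotify", "data": r"%APPDATA%\Spotify\Spotify.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive", "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"type": "network_connect", "proto": "tcp", "dst_ip": "203.0.113.10", "dst_port": 9999},
    {"type": "network_connect", "proto": "tcp", "dst_ip": "203.0.113.10", "dst_port": 443},
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\AppData\Local\Temp\update.hta"},
    {"type": "process_create", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\AcrobatReaderInstaller.msi" /qn'},
    {"type": "image_load", "process": r"C:\Program Files\Windows Media Player\wmplayer.exe",
     "image": r"C:\Users\alice\AppData\Roaming\Spotify\helper.dll"},
    {"type": "clipboard_change", "before": "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2",
     "after": "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq", "user_copy": False},
    {"type": "clipboard_change", "before": "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2",
     "after": "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq", "user_copy": True},
]


def scan(events: List[Dict]) -> List[tuple]:
    """Run every rule over a list of events; returns (event index, technique ID) pairs."""
    return [(i, tid) for i, ev in enumerate(events) for tid in detect(ev)]


if __name__ == "__main__":
    for idx, tid in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tid}")
```

Each rule is deliberately narrow to the indicator the table names, and the benign twins in the sample list (a Run-key entry under Program Files, a connection on port 443, a user-initiated clipboard change) show where the rule stops matching; in production the clipboard rule in particular needs a source of "user_copy" ground truth, which this example only assumes.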
References
1. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
2. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
3. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
4. Sierra, E., Iglesias, G. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.