Skip to content

S0455 Metamorfo

Metamorfo is a Latin-American banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting banks and cryptocurrency services in Brazil and Mexico.12

Item Value
ID S0455
Associated Names Casbaneiro
Version 2.0
Created 26 May 2020
Last Modified 18 October 2022
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Casbaneiro 2

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Metamorfo has used HTTP for C2.12
enterprise T1010 Application Window Discovery Metamorfo can enumerate all windows on the victim’s machine.43
enterprise T1119 Automated Collection Metamorfo has automatically collected mouse clicks, continuous screenshots on the machine, and set timers to collect the contents of the clipboard and website browsing.4
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Metamorfo has configured persistence to the Registry ket HKCU\Software\Microsoft\Windows\CurrentVersion\Run, Spotify =% APPDATA%\Spotify\Spotify.exe and used .LNK files in the startup folder to achieve persistence.1432
enterprise T1115 Clipboard Data Metamorfo has a function to hijack data from the clipboard by monitoring the contents of the clipboard and replacing the cryptocurrency wallet with the attacker’s.32
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Metamorfo has used cmd.exe /c to execute files.1
enterprise T1059.005 Visual Basic Metamorfo has used VBS code on victims’ systems.4
enterprise T1059.007 JavaScript Metamorfo includes payloads written in JavaScript.1
enterprise T1565 Data Manipulation -
enterprise T1565.002 Transmitted Data Manipulation Metamorfo has a function that can watch the contents of the system clipboard for valid bitcoin addresses, which it then overwrites with the attacker’s address.32
enterprise T1140 Deobfuscate/Decode Files or Information Upon execution, Metamorfo has unzipped itself after being downloaded to the system and has performed string decryption.142
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Metamorfo has encrypted C2 commands with AES-256.2
enterprise T1573.002 Asymmetric Cryptography Metamorfo‘s C2 communication has been encrypted using OpenSSL.1
enterprise T1041 Exfiltration Over C2 Channel Metamorfo can send the data it collects to the C2 server.2
enterprise T1083 File and Directory Discovery Metamorfo has searched the Program Files directories for specific folders and has searched for strings related to its mutexes.134
enterprise T1564 Hide Artifacts -
enterprise T1564.003 Hidden Window Metamorfo has hidden its GUI using the ShowWindow() WINAPI call.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading Metamorfo has side-loaded its malicious DLL file.142
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Metamorfo has a function to kill processes associated with defenses and can prevent certain processes from launching.14
enterprise T1070 Indicator Removal Metamorfo has a command to delete a Registry key it uses, \Software\Microsoft\Internet Explorer\notes.4
enterprise T1070.004 File Deletion Metamorfo has deleted itself from the system after execution.13
enterprise T1105 Ingress Tool Transfer Metamorfo has used MSI files to download additional files to execute.1432
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Metamorfo has a command to launch a keylogger and capture keystrokes on the victim’s machine.32
enterprise T1056.002 GUI Input Capture Metamorfo has displayed fake forms on top of banking sites to intercept credentials from victims.4
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Metamorfo has disguised an MSI file as the Adobe Acrobat Reader Installer and has masqueraded payloads as OneDrive, WhatsApp, or Spotify, for example.12
enterprise T1112 Modify Registry Metamorfo has written process names to the Registry, disabled IE browser features, deleted Registry keys, and changed the ExtendedUIHoverTime key.1342
enterprise T1106 Native API Metamorfo has used native WINAPI calls.13
enterprise T1095 Non-Application Layer Protocol Metamorfo has used raw TCP for C2.4
enterprise T1571 Non-Standard Port Metamorfo has communicated with hosts over raw TCP on port 9999.4
enterprise T1027 Obfuscated Files or Information Metamorfo has encrypted payloads and strings.12
enterprise T1027.002 Software Packing Metamorfo has used VMProtect to pack and protect files.3
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Metamorfo has been delivered to victims via emails with malicious HTML attachments.42
enterprise T1057 Process Discovery Metamorfo has performed process name checks and has monitored applications.1
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection Metamorfo has injected a malicious DLL into the Windows Media Player process (wmplayer.exe).1
enterprise T1113 Screen Capture Metamorfo can collect screenshots of the victim’s machine.42
enterprise T1129 Shared Modules Metamorfo had used AutoIt to load and execute the DLL payload.3
enterprise T1518 Software Discovery Metamorfo has searched the compromised system for banking applications.42
enterprise T1518.001 Security Software Discovery Metamorfo collects a list of installed antivirus software from the victim’s system.32
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Metamorfo has digitally signed executables using AVAST Software certificates.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.005 Mshta Metamorfo has used mshta.exe to execute a HTA payload.4
enterprise T1218.007 Msiexec Metamorfo has used MsiExec.exe to automatically execute files.32
enterprise T1082 System Information Discovery Metamorfo has collected the hostname and operating system version from the compromised host.432
enterprise T1033 System Owner/User Discovery Metamorfo has collected the username from the victim’s machine.2
enterprise T1124 System Time Discovery Metamorfo uses JavaScript to get the system time.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Metamorfo requires the user to double-click the executable to run the malicious HTA file or to download a malicious installer.42
enterprise T1497 Virtualization/Sandbox Evasion Metamorfo has embedded a “vmdetect.exe” executable to identify virtual machines at the beginning of execution.1
enterprise T1102 Web Service -
enterprise T1102.001 Dead Drop Resolver Metamorfo has used YouTube to store and hide C&C server domains.2
enterprise T1102.003 One-Way Communication Metamorfo has downloaded a zip file for execution on the system.143