| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1010 | Application Window Discovery | Metamorfo can enumerate all windows on the victim's machine. |
| | | | Metamorfo has automatically collected mouse clicks, continuous screenshots on the machine, and set timers to collect the contents of the clipboard and website browsing. |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Metamorfo has configured persistence to the Registry key. |
| | | | Metamorfo has a function to hijack data from the clipboard by monitoring the contents of the clipboard and replacing the cryptocurrency wallet with the attacker's. |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | |
| Enterprise | T1565.002 | Data Manipulation: Transmitted Data Manipulation | Metamorfo has a function that can watch the contents of the system clipboard for valid bitcoin addresses, which it then overwrites with the attacker's address. |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Upon execution, Metamorfo has unzipped itself after being downloaded to the system and has performed string decryption. |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Metamorfo's C2 communication has been encrypted using OpenSSL. |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Metamorfo can send the data it collects to the C2 server. |
| Enterprise | T1083 | File and Directory Discovery | Metamorfo has searched the Program Files directories for specific folders and has searched for strings related to its mutexes. |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | Metamorfo has hidden its GUI using the ShowWindow() WINAPI call. |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Metamorfo has a function to kill processes associated with defenses and can prevent certain processes from launching. |
| | | | Metamorfo has a command to delete a Registry key it uses. |
| | | | Metamorfo has deleted itself from the system after execution. |
| Enterprise | T1105 | Ingress Tool Transfer | Metamorfo has used MSI files to download additional files to execute. |
| Enterprise | T1056.001 | Input Capture: Keylogging | Metamorfo has a command to launch a keylogger and capture keystrokes on the victim's machine. |
| Enterprise | T1056.002 | Input Capture: GUI Input Capture | Metamorfo has displayed fake forms on top of banking sites to intercept credentials from victims. |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Metamorfo has disguised an MSI file as the Adobe Acrobat Reader Installer and has masqueraded payloads as OneDrive, WhatsApp, or Spotify, for example. |
| | | | Metamorfo has written process names to the Registry, disabled IE browser features, deleted Registry keys, and changed the ExtendedUIHoverTime key. |
| Enterprise | T1095 | Non-Application Layer Protocol | Metamorfo has communicated with hosts over raw TCP on port 9999. |
| Enterprise | T1027 | Obfuscated Files or Information | |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Metamorfo has been delivered to victims via emails with malicious HTML attachments. |
| | | | Metamorfo has performed process name checks and has monitored applications. |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Metamorfo has injected a malicious DLL into the Windows Media Player process (wmplayer.exe). |
| | | | Metamorfo can collect screenshots of the victim's machine. |
| | | | Metamorfo has used AutoIt to load and execute the DLL payload. |
| | | | Metamorfo has searched the compromised system for banking applications. |
| | .001 | Security Software Discovery | Metamorfo collects a list of installed antivirus software from the victim's system. |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Metamorfo has digitally signed executables using AVAST Software certificates. |
| Enterprise | T1218.005 | System Binary Proxy Execution: Mshta | |
| Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec | Metamorfo has used MsiExec.exe to automatically execute files. |
| Enterprise | T1082 | System Information Discovery | Metamorfo has collected the hostname and operating system version from the compromised host. |
| Enterprise | T1033 | System Owner/User Discovery | Metamorfo has collected the username from the victim's machine. |
| Enterprise | T1124 | System Time Discovery | |
| Enterprise | T1204.002 | User Execution: Malicious File | Metamorfo requires the user to double-click the executable to run the malicious HTA file or to download a malicious installer. |
| | | | Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution. |
| Enterprise | T1102.001 | Web Service: Dead Drop Resolver | Metamorfo has used YouTube to store and hide C&C server domains. |
| Enterprise | T1102.003 | Web Service: One-Way Communication | Metamorfo has downloaded a zip file for execution on the system. |