Metamorfo is a banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting mostly Brazilian users.[1]

ID: S0455
Platforms: Windows
Contributors: Chen Erlich, @chen_erlich, enSilo
Version: 1.1
Created: 26 May 2020
Last Modified: 22 October 2020

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Metamorfo has used HTTP for downloading items.[1] |
| Enterprise | T1010 | Application Window Discovery | Metamorfo can enumerate all windows on the victim’s machine.[2][3] |
| Enterprise | T1119 | Automated Collection | Metamorfo has automatically collected mouse clicks, continuous screenshots on the machine, and set timers to collect the contents of the clipboard and website browsing.[2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Metamorfo has written its executable path to a Registry Run key and used .LNK files in the startup folder to achieve persistence.[1][2][3] |
| Enterprise | T1115 | Clipboard Data | Metamorfo has a function to receive data from the system clipboard.[3] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Metamorfo has used cmd.exe /c to execute files.[1] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Metamorfo has used VBS code on victims’ systems.[2] |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Metamorfo includes payloads written in JavaScript.[1] |
| Enterprise | T1565.002 | Data Manipulation: Transmitted Data Manipulation | Metamorfo has a function that can watch the contents of the system clipboard for valid bitcoin addresses, which it then overwrites with the attacker's address.[3] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Upon execution, Metamorfo has unzipped itself after being downloaded to the system.[1][2] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Metamorfo's C2 communication has been encrypted using OpenSSL.[1] |
| Enterprise | T1083 | File and Directory Discovery | Metamorfo has searched the Program Files directories for specific folders and has searched for strings related to its mutexes.[1][3][2] |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | Metamorfo has hidden its GUI using the ShowWindow() WINAPI call.[1] |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Metamorfo has side-loaded its malicious DLL file.[1][2] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Metamorfo has a function to kill processes associated with defenses and can prevent certain processes from launching.[1][2] |
| Enterprise | T1070 | Indicator Removal on Host | Metamorfo has a command to delete a Registry key it uses, \Software\Microsoft\Internet Explorer\notes.[2] |
| Enterprise | T1070.004 | File Deletion | Metamorfo has deleted itself from the system after execution.[1][3] |
| Enterprise | T1105 | Ingress Tool Transfer | Metamorfo has used MSI to download files for execution.[1][2][3] |
| Enterprise | T1056.001 | Input Capture: Keylogging | Metamorfo has a command to launch a keylogger on the victim’s machine.[3] |
| Enterprise | T1056.002 | Input Capture: GUI Input Capture | Metamorfo has displayed fake forms on top of banking sites to intercept credentials from victims.[2] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Metamorfo has disguised an MSI file as the Adobe Acrobat Reader Installer.[1] |
| Enterprise | T1112 | Modify Registry | Metamorfo has written process names to the Registry, disabled IE browser features, deleted Registry keys, and changed the ExtendedUIHoverTime key.[1][3][2] |
| Enterprise | T1106 | Native API | Metamorfo has used native WINAPI calls.[1][3] |
| Enterprise | T1095 | Non-Application Layer Protocol | Metamorfo has used raw TCP for C2.[2] |
| Enterprise | T1571 | Non-Standard Port | Metamorfo has communicated with hosts over raw TCP on port 9999.[2] |
| Enterprise | T1027 | Obfuscated Files or Information | Metamorfo has obfuscated and encrypted some payloads.[1] |
| Enterprise | T1027.002 | Software Packing | Metamorfo has used VMProtect to pack and protect files.[3] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Metamorfo has been delivered to victims via emails containing malicious HTML attachments.[2] |
| Enterprise | T1057 | Process Discovery | Metamorfo has performed process name checks and has monitored applications.[1] |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Metamorfo has injected a malicious DLL into the Windows Media Player process (wmplayer.exe).[1] |
| Enterprise | T1113 | Screen Capture | Metamorfo can collect screenshots of the victim’s machine.[2] |
| Enterprise | T1129 | Shared Modules | Metamorfo has used AutoIt to load and execute the DLL payload.[3] |
| Enterprise | T1218.005 | Signed Binary Proxy Execution: Mshta | Metamorfo has used mshta.exe to execute an HTA payload.[2] |
| Enterprise | T1218.007 | Signed Binary Proxy Execution: Msiexec | Metamorfo has used MsiExec.exe to automatically execute files.[3] |
| Enterprise | T1518 | Software Discovery | Metamorfo has searched the system for an extensive list of Brazilian banking software.[2] |
| Enterprise | T1518.001 | Security Software Discovery | Metamorfo collects a list of installed antivirus software from the victim’s system.[3] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Metamorfo has digitally signed executables using AVAST Software certificates.[1] |
| Enterprise | T1082 | System Information Discovery | Metamorfo has collected the hostname and Operating System version from the system.[2][3] |
| Enterprise | T1124 | System Time Discovery | Metamorfo uses JavaScript to get the system time.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | Metamorfo requires the user to double-click the executable to run the malicious HTA file.[2] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution.[1] |
| Enterprise | T1102.003 | Web Service: One-Way Communication | Metamorfo has downloaded a zip file for execution on the system.[1][2][3] |