Metamorfo is a banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group mostly targets Brazilian users.[1]

ID: S0455
Platforms: Windows
Contributors: Chen Erlich, @chen_erlich, enSilo
Version: 1.0
Created: 26 May 2020
Last Modified: 25 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Metamorfo has used HTTP for downloading items.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Metamorfo has written its executable path to the Registry Run key to achieve persistence.[1]
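The Run-key write above is the persistence artifact a responder would look for on a host. The following Python is an added example (not part of this ATT&CK entry or the enSilo report): it parses a registry export in `.reg` format, collects every value under a `...\CurrentVersion\Run` or `RunOnce` key, and flags entries whose executable lives in a user-writable directory, which is where a dropped banking trojan normally ends up. The registry export, value names and paths are constructed for the example; the `USER_WRITABLE` list is an assumed heuristic, not a rule taken from the report.

```python
"""Triage Registry Run-key values for user-writable executable paths.

Added example. The export below is constructed; nothing in it is taken
from a real Metamorfo sample.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in .reg export format (backslashes and quotes are
# escaped with a backslash, as regedit writes them).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AcrobatUpdater"="\"C:\\Users\\alice\\AppData\\Roaming\\Adobe\\AcroRd32.exe\" /silent"
"Helper"="C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
'''

# Assumed heuristic: directory fragments an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
# First token ending in .exe, quoted or not, so "C:\x y\a.exe" /arg -> C:\x y\a.exe
_EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?', re.IGNORECASE)


@dataclass
class RunEntry:
    key: str
    name: str
    command: str
    exe: str


def _unescape(s: str) -> str:
    # .reg escapes '\' and '"' with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(reg_text: str) -> List[RunEntry]:
    """Return every string value stored under a Run or RunOnce key."""
    entries: List[RunEntry] = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None or not key.lower().endswith(
                ("\\currentversion\\run", "\\currentversion\\runonce")):
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        data = m.group("data")
        if not (data.startswith('"') and data.endswith('"')):
            continue  # dword:/hex: values cannot carry a command line
        command = _unescape(data[1:-1])
        exe_match = _EXE_RE.match(command)
        exe = exe_match.group("exe") if exe_match else command
        entries.append(RunEntry(key, _unescape(m.group("name")), command, exe))
    return entries


def suspicious_entries(entries: List[RunEntry]) -> List[RunEntry]:
    """Keep entries whose executable sits in a user-writable directory."""
    return [e for e in entries
            if any(frag in e.exe.lower() for frag in USER_WRITABLE)]


if __name__ == "__main__":
    for e in suspicious_entries(parse_run_entries(SAMPLE_REG)):
        print(f"{e.key}\\{e.name} -> {e.exe}")
```

Legitimate per-user installers (OneDrive, Teams, some updaters) also persist from `AppData`, so in production this check needs an allowlist or a signature check on the flagged binary before it becomes an alert rather than a triage list.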

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Metamorfo has used cmd.exe /c to execute files.[1]

.007 Command and Scripting Interpreter: JavaScript/JScript

Metamorfo's payload was developed in JavaScript.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Upon execution, Metamorfo has unzipped itself after being downloaded to the system.[1]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Metamorfo's C&C communication has been encrypted using OpenSSL.[1]

Enterprise T1083 File and Directory Discovery

Metamorfo has searched files and directories for various files and strings related to its mutexes.[1]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Metamorfo has hidden its GUI using the ShowWindow() WINAPI call.[1]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Metamorfo has side-loaded its malicious DLL file.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Metamorfo has deleted itself from the system after execution.[1]

Enterprise T1105 Ingress Tool Transfer

Metamorfo has used an MSI file to download files for execution.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Metamorfo has disguised an MSI file as the Adobe Acrobat Reader Installer.[1]

Enterprise T1112 Modify Registry

Metamorfo has written process names to the Registry.[1]

Enterprise T1106 Native API

Metamorfo has used native WINAPI calls.[1]

Enterprise T1027 Obfuscated Files or Information

Metamorfo has obfuscated and encrypted some payloads.[1]

Enterprise T1057 Process Discovery

Metamorfo has performed process name checks and has monitored applications.[1]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Metamorfo has injected a malicious DLL into the Windows Media Player process (wmplayer.exe).[1]
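The cmd.exe /c execution (T1059.003), the MSI download stage (T1105), the DLL side-loading (T1574.002) and the injection into wmplayer.exe (T1055.001) listed above each leave a distinct trace in Sysmon telemetry. The Python below is an added example, not from this ATT&CK entry or the enSilo report: three small rules run over constructed Sysmon events (process creation, image load, CreateRemoteThread) in JSON-lines form. Field names follow Sysmon's schema; the hosts, paths, DLL name and the `USER_WRITABLE`/`TRUSTED_DIRS` thresholds are assumptions made for the example.

```python
"""Rule-based triage of Sysmon events for the behaviours listed above.

Added example. The events are constructed, not captured from a real host.
"""
import json
from typing import Callable, Dict, List, Tuple

# Constructed Sysmon records (EventID 1 = process create, 7 = image load,
# 8 = CreateRemoteThread). Paths and names are invented.
SAMPLE_EVENTS = r'''
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c \"C:\\Users\\alice\\AppData\\Local\\Temp\\unpack.exe\"", "ParentImage": "C:\\Windows\\System32\\msiexec.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 7, "Image": "C:\\Program Files\\Windows Media Player\\wmplayer.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\WMP\\mpplugin.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Program Files\\Windows Media Player\\wmplayer.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 8, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\unpack.exe", "TargetImage": "C:\\Program Files\\Windows Media Player\\wmplayer.exe", "StartFunction": "LoadLibraryW"}
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Program Files\\Windows Media Player\\wmplayer.exe", "StartFunction": ""}
'''

# Assumed path heuristics.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _user_writable(path: str) -> bool:
    return any(frag in path.lower() for frag in USER_WRITABLE)


def _trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(jsonl: str) -> List[Dict]:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def rule_cmd_from_installer(ev: Dict) -> bool:
    """T1059.003 / T1105: cmd.exe /c spawned by msiexec.exe."""
    return (ev.get("EventID") == 1
            and _basename(ev.get("Image", "")) == "cmd.exe"
            and " /c" in ev.get("CommandLine", "").lower()
            and _basename(ev.get("ParentImage", "")) == "msiexec.exe")


def rule_sideload(ev: Dict) -> bool:
    """T1574.002: a binary in a trusted location loads a module that is not
    validly signed from a user-writable directory."""
    return (ev.get("EventID") == 7
            and _trusted_dir(ev.get("Image", ""))
            and _user_writable(ev.get("ImageLoaded", ""))
            and ev.get("SignatureStatus") != "Valid")


def rule_remote_thread_loadlibrary(ev: Dict) -> bool:
    """T1055.001: cross-process thread whose start routine is LoadLibrary*,
    or that originates from a binary in a user-writable directory."""
    return (ev.get("EventID") == 8
            and ev.get("SourceImage") != ev.get("TargetImage")
            and (ev.get("StartFunction", "").startswith("LoadLibrary")
                 or _user_writable(ev.get("SourceImage", ""))))


RULES: List[Tuple[str, str, Callable[[Dict], bool]]] = [
    ("cmd_from_msiexec", "T1059.003", rule_cmd_from_installer),
    ("dll_sideload", "T1574.002", rule_sideload),
    ("remote_thread_loadlibrary", "T1055.001", rule_remote_thread_loadlibrary),
]


def detect(events: List[Dict]) -> List[Dict]:
    """Return one hit per (event, rule) match, in event order."""
    hits = []
    for ev in events:
        for name, technique, fn in RULES:
            if fn(ev):
                hits.append({"rule": name, "technique": technique, "event": ev})
    return hits


if __name__ == "__main__":
    for h in detect(parse_events(SAMPLE_EVENTS)):
        print(h["technique"], h["rule"], h["event"].get("Image") or h["event"].get("SourceImage"))
```

The second CreateRemoteThread record (from csrss.exe, with no resolved start function) is deliberately left unflagged: csrss.exe legitimately creates threads in other processes, and keying on `StartFunction` beginning with `LoadLibrary` or on an untrusted source image is what separates the classic DLL-injection pattern from that noise.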

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Metamorfo has digitally signed executables with an Avast Antivirus certificate.[1]

Enterprise T1124 System Time Discovery

Metamorfo uses JavaScript to get the system time.[1]

Enterprise T1497 Virtualization/Sandbox Evasion

Metamorfo has embedded a "vmdetect.exe" executable to execute right at the start to identify virtual machines.[1]