A new variant of the Metamorfo banking malware is on the loose, targeting a wider range of financial institutions than the original version and tricking victims into typing in sensitive information, which it then steals.
Labs captured an example of the newest edition, noting that, unlike its predecessor, which only aimed at Brazilian banks, this model is hitting financial institutions across a wide swath of the globe. These include 20 financial institutions in multiple countries, including the U.S., Canada, Peru, Chile, Spain, Brazil, Ecuador, Mexico, and others.
From a technical standpoint, Metamorfo 2.0 does share some similarities with the
"In both cases an MSI file, an installer package file format used by Windows, is being spread through a ZIP archive, and the MSI file is parsed and executed automatically by MsiExec.exe when a user double-clicks on it in Windows OS," said FortiGuard analyst Xiaopeng Zhang.
then downloads a file from the URL "hxxp[:]//www[.]chmsc[.]edu[.]ph/library/modules/down/op57.lts. This is in fact a ZIP file that itself contains three additional files. These are all decompressed and renamed with random strings.
The three are then executed and also added to the auto-run group in the system registry, so they run automatically whenever the system is restarted.
its first step is to kill Microsoft IE, Mozilla Firefox, Google Chrome, Microsoft Edge and Opera, along with the auto-fill functionality that most people
This last maneuver is the key to Metamorfo's malicious function.
forces the victim to hand-enter data without auto-complete, such as whole URLs, along with login name, password, and so on in the browser. This allows the malware's key logger function to record the largest number of actions from the victim's input," Zhang said.
also collects the OS version, computer name and installed AV software, and then sends a note to its command and control server informing it that another computer has been infected.
also checks the computer to see if it has a bitcoin wallet and, if so, overwrites the address of the rightful owner with that of the criminal actors, so the victim will unknowingly transfer money to their attacker.
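As an added, defender-side example that is not part of the SC Media article or FortiGuard's analysis, the Python script below correlates three of the behaviours described above on one host: msiexec.exe running an MSI out of a user temp/ZIP path, a randomly named auto-run registry value, and browser processes being killed. The Sysmon-style event schema, field names, sample values and the entropy threshold used to spot random-looking value names are assumptions for illustration.

```python
import math
import re
from collections import Counter, defaultdict
# Browser processes the article says the malware terminates before keylogging.
BROWSERS = ("iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe", "opera.exe")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)

# Constructed Sysmon-style events (not real telemetry): one infected host, one clean.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process_create", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\ana\AppData\Local\Temp\Temp1_fatura.zip\fatura.msi"'},
    {"host": "ws01", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\kq8x2vpl0zwe",
     "value": r"C:\Users\ana\AppData\Roaming\kq8x2vpl0zwe\gh4t1q0m.exe"},
    {"host": "ws01", "type": "process_create", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM chrome.exe /IM firefox.exe /IM msedge.exe"},
    {"host": "ws02", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def classify(ev):
    """Map one event to a behaviour tag from the described infection chain, or None."""
    cmd = ev.get("cmdline", "").lower()
    if ev["type"] == "process_create":
        image = ev["image"].lower()
        if image.endswith("msiexec.exe") and ".msi" in cmd and "\\temp\\" in cmd:
            return "msi_from_temp"   # installer run out of a user temp/ZIP path
        if image.endswith("taskkill.exe") and any(b in cmd for b in BROWSERS):
            return "browser_kill"    # browsers forced closed so the user re-types logins
    elif ev["type"] == "registry_set":
        m = RUN_KEY.search(ev["key"])
        # Assumed heuristic: a long, high-entropy auto-run value name looks
        # machine-generated, like the random renames the article describes.
        if m and len(m.group(1)) >= 8 and shannon_entropy(m.group(1)) > 3.0:
            return "random_run_key"
    return None

def score_hosts(events, min_tags=2):
    """Return hosts showing at least min_tags distinct behaviours, with their tags."""
    hits = defaultdict(set)
    for ev in events:
        if tag := classify(ev):
            hits[ev["host"]].add(tag)
    return {h: sorted(t) for h, t in hits.items() if len(t) >= min_tags}
```

Requiring two or more distinct behaviours per host keeps a single legitimately odd Run-key name from raising an alert on its own.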
The post Metamorfo banking malware spreads around the world appeared first on SC Media.