Metamorfo banking malware spreads around the world

A new variant of the Metamorfo banking malware is on the loose, targeting a wider range of financial institutions than the original version and tricking victims into typing in sensitive information, which it then steals.

Fortinet’s FortiGuard Labs captured a sample of the newest edition, noting that unlike its predecessor, which only targeted Brazilian banks, this version is hitting financial institutions across a wide swath of the globe: 20 institutions in multiple countries, including the U.S., Canada, Peru, Chile, Spain, Brazil, Ecuador and Mexico.

From a technical standpoint, Metamorfo 2.0 does share some similarities with the first version.

In both cases an MSI file, the installer package format used by Windows, is spread inside a ZIP archive, and the MSI file is parsed and executed automatically by MsiExec.exe when a user double-clicks it in Windows, said FortiGuard analyst Xiaopeng Zhang.

Contained in the payload is a small amount of JavaScript, hidden among a great deal of junk JavaScript inserted purely to obfuscate the malicious code.

This code then downloads a file from the URL “hxxp[:]//www[.]chmsc[.]edu[.]ph/library/modules/down/op57.lts”. Despite the extension, this is in fact a ZIP file that itself contains three additional files, which are decompressed and renamed with random strings.

The three files are then executed and also added to the auto-run group in the system registry, so that they run automatically whenever the system is restarted.

When running, its first step is to kill Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Microsoft Edge and Opera, and to disable the auto-fill functionality that most people have activated in those browsers.
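For defenders, the two behaviours just described (persistence through the auto-run registry keys under randomly named files, and browser autofill being switched off) translate into checks that can be run on a suspect Windows host. The following PowerShell script is an added triage example, not code from the article or from FortiGuard's analysis. The random-name heuristics, the list of user-writable folders and the registry values used for the autofill check are assumptions: the article does not say which registry values Metamorfo 2.0 writes, so the script looks at the documented policy and preference locations through which autofill can be disabled in each browser (Opera has no such documented registry value and is not covered).

```powershell
# Added triage script (not from the article or FortiGuard): audits Windows
# auto-run registry entries for random-looking file names in user-writable
# folders, and checks whether browser autofill has been switched off through
# documented registry values. Thresholds and registry locations are assumptions.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders a standard user can write to; legitimate software rarely auto-runs from them.
$UserWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC,
                  $env:ProgramData, "$env:USERPROFILE\Downloads")

# Pull the executable path out of a Run value such as  "C:\x\y.exe" /silent
function Get-ExecutablePath {
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

# Weak heuristics for a base name made of random characters: very few vowels,
# or a digit followed by a letter (real names like rundll32 keep digits at the
# end). Triage hints only; review every hit by hand.
function Test-RandomLookingName {
    param([string]$Path)
    $base = [System.IO.Path]::GetFileNameWithoutExtension($Path)
    if ($base.Length -lt 8) { return $false }
    $vowels = ([regex]::Matches($base, '[aeiouyAEIOUY]')).Count
    return (($vowels / $base.Length) -lt 0.2) -or ($base -match '\d[A-Za-z]')
}

function Test-UserWritablePath {
    param([string]$Path)
    foreach ($dir in $UserWritable) {
        if ($dir -and $Path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

Write-Host '== Auto-run entries =='
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $exe = Get-ExecutablePath -Command ([string]$p.Value)
        $flags = @()
        if (Test-UserWritablePath -Path $exe) { $flags += 'user-writable location' }
        if (Test-RandomLookingName -Path $exe) { $flags += 'random-looking name' }
        if ($exe -and -not (Test-Path -LiteralPath $exe)) { $flags += 'target missing' }
        $verdict = if ($flags) { 'REVIEW: ' + ($flags -join ', ') } else { 'ok' }
        Write-Host ("{0}\{1} -> {2} [{3}]" -f $key, $p.Name, $exe, $verdict)
    }
}

# Documented registry values through which form-fill and password saving can be
# switched off (assumed relevant; the article does not name the values changed).
$AutofillChecks = @(
    @{ Browser='Internet Explorer'; Key='Software\Microsoft\Internet Explorer\Main'; Name='Use FormSuggest';       Disabled='no' },
    @{ Browser='Internet Explorer'; Key='Software\Microsoft\Internet Explorer\Main'; Name='FormSuggest Passwords'; Disabled='no' },
    @{ Browser='Chrome';  Key='Software\Policies\Google\Chrome';   Name='AutofillAddressEnabled';    Disabled=0 },
    @{ Browser='Chrome';  Key='Software\Policies\Google\Chrome';   Name='AutofillCreditCardEnabled'; Disabled=0 },
    @{ Browser='Chrome';  Key='Software\Policies\Google\Chrome';   Name='PasswordManagerEnabled';    Disabled=0 },
    @{ Browser='Edge';    Key='Software\Policies\Microsoft\Edge';  Name='AutofillAddressEnabled';    Disabled=0 },
    @{ Browser='Edge';    Key='Software\Policies\Microsoft\Edge';  Name='PasswordManagerEnabled';    Disabled=0 },
    @{ Browser='Firefox'; Key='Software\Policies\Mozilla\Firefox'; Name='DisableFormHistory';        Disabled=1 },
    @{ Browser='Firefox'; Key='Software\Policies\Mozilla\Firefox'; Name='PasswordManagerEnabled';    Disabled=0 }
)

Write-Host '== Browser autofill settings =='
foreach ($c in $AutofillChecks) {
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\$($c.Key)"
        if (-not (Test-Path $key)) { continue }
        $val = (Get-ItemProperty -Path $key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        # Compare as strings so a DWORD 0 and the IE string "no" are handled alike
        if ($null -ne $val -and "$val" -eq "$($c.Disabled)") {
            Write-Host ("REVIEW: {0} autofill disabled via {1}\{2} = {3}" -f $c.Browser, $key, $c.Name, $val)
        }
    }
}
```

Run it in an elevated PowerShell session so the HKLM keys are readable. A hit in the first section is not proof of infection on its own (some legitimate updaters run from AppData), but an auto-run entry pointing at a randomly named file in a user-writable folder combined with autofill policy values a user never set is exactly the pattern the article describes, and a host showing both deserves a memory capture and a look at its outbound connections before anything is cleaned up.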

This last maneuver is the key to Metamorfo’s malicious function.

“This action
forces the victim to hand-enter data without auto-complete, such as whole URLs,
along with login-name, password, and so on in the browser. This allows the
malware’s key logger function to record the largest number of actions from the
victim’s input,” Zhang said.

The malware also collects the OS version, computer name and installed anti-virus software, and then sends a note to its command-and-control server informing it that another computer has been infected.

The malware also checks the computer for a bitcoin wallet and, if it finds one, overwrites the address of the rightful owner with that of the criminal actors, so that the victim unknowingly transfers money to the attacker.

