1. Home
  2. Software
  3. Metamorfo

Metamorfo

Metamorfo is a Latin-American banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting banks and cryptocurrency services in Brazil and Mexico.[1][2]

ID: S0455
Associated Software: Casbaneiro
Type: MALWARE
Platforms: Windows
Contributors: Jose Luis Sánchez Martinez; Chen Erlich, @chen_erlich, enSilo
Version: 2.1
Created: 26 May 2020
Last Modified: 11 April 2024
Version Permalink

Associated Software Descriptions

Name Description
Casbaneiro

[2]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Metamorfo has used HTTP for C2.[1][2]

Enterprise T1010 Application Window Discovery

Metamorfo can enumerate all windows on the victim’s machine.[3][4]
Enterprise T1119 Automated Collection

Metamorfo has automatically collected mouse clicks, continuous screenshots on the machine, and set timers to collect the contents of the clipboard and website browsing.[3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Metamorfo has configured persistence to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, Spotify =% APPDATA%\Spotify\Spotify.exe and used .LNK files in the startup folder to achieve persistence.[1][3][4][2]
Enterprise T1115 Clipboard Data

Metamorfo has a function to hijack data from the clipboard by monitoring the contents of the clipboard and replacing the cryptocurrency wallet with the attacker's.[4][2]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Metamorfo has used cmd.exe /c to execute files.[1]

.005 Command and Scripting Interpreter: Visual Basic

Metamorfo has used VBS code on victims’ systems.[3]
.007 Command and Scripting Interpreter: JavaScript

Metamorfo includes payloads written in JavaScript.[1]

Enterprise T1565 .002 Data Manipulation: Transmitted Data Manipulation

Metamorfo has a function that can watch the contents of the system clipboard for valid bitcoin addresses, which it then overwrites with the attacker's address.[4][2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Upon execution, Metamorfo has unzipped itself after being downloaded to the system and has performed string decryption.[1][3][2]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Metamorfo has encrypted C2 commands with AES-256.[2]

.002 Encrypted Channel: Asymmetric Cryptography

Metamorfo's C2 communication has been encrypted using OpenSSL.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Metamorfo can send the data it collects to the C2 server.[2]

Enterprise T1083 File and Directory Discovery

Metamorfo has searched the Program Files directories for specific folders and has searched for strings related to its mutexes.[1][4][3]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Metamorfo has hidden its GUI using the ShowWindow() WINAPI call.[1]

Enterprise T1574 .001 Hijack Execution Flow: DLL

Metamorfo has side-loaded its malicious DLL file.[1][3][2]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Metamorfo has a function to kill processes associated with defenses and can prevent certain processes from launching.[1][3]

Enterprise T1070 Indicator Removal

Metamorfo has a command to delete a Registry key it uses, \Software\Microsoft\Internet Explorer\notes.[3]
.004 File Deletion

Metamorfo has deleted itself from the system after execution.[1][4]
Enterprise T1105 Ingress Tool Transfer

Metamorfo has used MSI files to download additional files to execute.[1][3][4][2]

Enterprise T1056 .001 Input Capture: