Metamorfo
Associated Software Descriptions

Name | Description
---|---
Casbaneiro | (Citation: ESET Casbaneiro Oct 2019)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Metamorfo has used HTTP for C2.(Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Metamorfo has configured persistence to the Registry key
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Metamorfo has used
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Metamorfo has used VBS code on victims' systems.(Citation: FireEye Metamorfo Apr 2018)
Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Metamorfo includes payloads written in JavaScript.(Citation: Medium Metamorfo Apr 2020)
Enterprise | T1565.002 | Data Manipulation: Transmitted Data Manipulation | Metamorfo has a function that can watch the contents of the system clipboard for valid bitcoin addresses, which it then overwrites with the attacker's address.(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019)
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Metamorfo has encrypted C2 commands with AES-256.(Citation: ESET Casbaneiro Oct 2019)
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Metamorfo's C2 communication has been encrypted using OpenSSL.(Citation: Medium Metamorfo Apr 2020)
Enterprise | T1564.003 | Hide Artifacts: Hidden Window | Metamorfo has hidden its GUI using the ShowWindow() WINAPI call.(Citation: Medium Metamorfo Apr 2020)
Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Metamorfo has side-loaded its malicious DLL file.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018)(Citation: ESET Casbaneiro Oct 2019)
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Metamorfo has a function to kill processes associated with defenses and can prevent certain processes from launching.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018)
Enterprise | T1070.004 | Indicator Removal: File Deletion | Metamorfo has deleted itself from the system after execution.(Citation: Medium Metamorfo Apr 2020)(Citation: Fortinet Metamorfo Feb 2020)
Enterprise | T1056.001 | Input Capture: Keylogging | Metamorfo has a command to launch a keylogger and capture keystrokes on the victim's machine.(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019)
Enterprise | T1056.002 | Input Capture: GUI Input Capture | Metamorfo has displayed fake forms on top of banking sites to intercept credentials from victims.(Citation: FireEye Metamorfo Apr 2018)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Metamorfo has disguised an MSI file as the Adobe Acrobat Reader Installer and has masqueraded payloads as OneDrive, WhatsApp, or Spotify, for example.(Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019)
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Metamorfo has used VMProtect to pack and protect files.(Citation: Fortinet Metamorfo Feb 2020)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Metamorfo has been delivered to victims via emails with malicious HTML attachments.(Citation: FireEye Metamorfo Apr 2018)(Citation: ESET Casbaneiro Oct 2019)
Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Metamorfo has injected a malicious DLL into the Windows Media Player process (wmplayer.exe).(Citation: Medium Metamorfo Apr 2020)
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Metamorfo collects a list of installed antivirus software from the victim's system.(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019)
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Metamorfo has digitally signed executables using AVAST Software certificates.(Citation: Medium Metamorfo Apr 2020)
Enterprise | T1218.005 | System Binary Proxy Execution: Mshta | Metamorfo has used mshta.exe to execute an HTA payload.(Citation: FireEye Metamorfo Apr 2018)
Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec | Metamorfo has used MsiExec.exe to automatically execute files.(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019)
Enterprise | T1204.002 | User Execution: Malicious File | Metamorfo requires the user to double-click the executable to run the malicious HTA file or to download a malicious installer.(Citation: FireEye Metamorfo Apr 2018)(Citation: ESET Casbaneiro Oct 2019)
Enterprise | T1102.001 | Web Service: Dead Drop Resolver | Metamorfo has used YouTube to store and hide C&C server domains.(Citation: ESET Casbaneiro Oct 2019)
Enterprise | T1102.003 | Web Service: One-Way Communication | Metamorfo has downloaded a zip file for execution on the system.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018)(Citation: Fortinet Metamorfo Feb 2020)
References

- Sierra, E., Iglesias, G. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. FireEye. Retrieved July 30, 2020.
- Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Medium. Retrieved May 26, 2020.
- ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. ESET. Retrieved September 23, 2021.
- Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Fortinet. Retrieved July 30, 2020.