
Metamorfo

Metamorfo is a Latin-American banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting banks and cryptocurrency services in Brazil and Mexico.(Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019)
ID: S0455
Associated Software: Casbaneiro
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 26 May 2020
Last Modified: 18 Oct 2022

Associated Software Descriptions

Name Description
Casbaneiro (Citation: ESET Casbaneiro Oct 2019)

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Metamorfo has used HTTP for C2.(Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Metamorfo has configured persistence to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, Spotify = %APPDATA%\Spotify\Spotify.exe and used .LNK files in the startup folder to achieve persistence.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018)(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Metamorfo has used cmd.exe /c to execute files.(Citation: Medium Metamorfo Apr 2020)

.005 Command and Scripting Interpreter: Visual Basic

Metamorfo has used VBS code on victims’ systems.(Citation: FireEye Metamorfo Apr 2018)

.007 Command and Scripting Interpreter: JavaScript

Metamorfo includes payloads written in JavaScript.(Citation: Medium Metamorfo Apr 2020)

Enterprise T1565 .002 Data Manipulation: Transmitted Data Manipulation

Metamorfo has a function that can watch the contents of the system clipboard for valid bitcoin addresses, which it then overwrites with the attacker's address.(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Metamorfo has encrypted C2 commands with AES-256.(Citation: ESET Casbaneiro Oct 2019)

.002 Encrypted Channel: Asymmetric Cryptography

Metamorfo's C2 communication has been encrypted using OpenSSL.(Citation: Medium Metamorfo Apr 2020)

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Metamorfo has hidden its GUI using the ShowWindow() WINAPI call.(Citation: Medium Metamorfo Apr 2020)

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Metamorfo has side-loaded its malicious DLL file.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018)(Citation: ESET Casbaneiro Oct 2019)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Metamorfo has a function to kill processes associated with defenses and can prevent certain processes from launching.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018)

Enterprise T1070 .004 Indicator Removal: File Deletion

Metamorfo has deleted itself from the system after execution.(Citation: Medium Metamorfo Apr 2020)(Citation: Fortinet Metamorfo Feb 2020)

Enterprise T1056 .001 Input Capture: Keylogging

Metamorfo has a command to launch a keylogger and capture keystrokes on the victim’s machine.(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019)

.002 Input Capture: GUI Input Capture

Metamorfo has displayed fake forms on top of banking sites to intercept credentials from victims.(Citation: FireEye Metamorfo Apr 2018)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Metamorfo has disguised an MSI file as the Adobe Acrobat Reader Installer and has masqueraded payloads as OneDrive, WhatsApp, or Spotify, for example.(Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Metamorfo has used VMProtect to pack and protect files.(Citation: Fortinet Metamorfo Feb 2020)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Metamorfo has been delivered to victims via emails with malicious HTML attachments.(Citation: FireEye Metamorfo Apr 2018)(Citation: ESET Casbaneiro Oct 2019)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Metamorfo has injected a malicious DLL into the Windows Media Player process (wmplayer.exe).(Citation: Medium Metamorfo Apr 2020)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Metamorfo collects a list of installed antivirus software from the victim’s system.(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Metamorfo has digitally signed executables using AVAST Software certificates.(Citation: Medium Metamorfo Apr 2020)

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Metamorfo has used mshta.exe to execute an HTA payload.(Citation: FireEye Metamorfo Apr 2018)

.007 System Binary Proxy Execution: Msiexec

Metamorfo has used MsiExec.exe to automatically execute files.(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019)

Enterprise T1204 .002 User Execution: Malicious File

Metamorfo requires the user to double-click the executable to run the malicious HTA file or to download a malicious installer.(Citation: FireEye Metamorfo Apr 2018)(Citation: ESET Casbaneiro Oct 2019)

Enterprise T1102 .001 Web Service: Dead Drop Resolver

Metamorfo has used YouTube to store and hide C&C server domains.(Citation: ESET Casbaneiro Oct 2019)

.003 Web Service: One-Way Communication

Metamorfo has downloaded a zip file for execution on the system.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018)(Citation: Fortinet Metamorfo Feb 2020)
