Banking Trojan campaigns are nothing new, as cybercriminals have been able to utilize this type of attack to steal banking information countless times. A new campaign, dubbed “Metamorfo,” can be added to this list as it is the latest banking Trojan assault to pop up on security researchers’ radars. Metamorfo, so-named by the researchers at FireEye, has been specifically focusing its attack on Brazilian financial institutions.
The report that FireEye Labs produced on the Metamorfo campaign has helped provide insight into the methodology of the attacks. There are two campaigns within Metamorfo that the report focuses on. In the first campaign, the banking Trojan is deployed by baiting the victim via email. The email in question contains “an HTML attachment with a refresh tag that uses a Google URL shortener.” This URL, when clicked, sends the victim to a cloud storage site where they are prompted to download a .zip file that, once extracted and the contents are executed, will infect the machine.
The reason that the victim would follow this obvious path to infection that the file holds a legitimate, signed Windows tool, tricking users into trusting a “real” executable (pvk2pfx.exe). After infection, the banking Trojan starts sniffing for banking activity and recording this type of activity with screenshots. This is somewhat different from the second analyzed campaign, for while the attack methods are the same, the second Metamorfo Trojan functions slightly differently.
In the second campaign, there is another phishing email with a link that eventually leads to another .zip file containing the banking Trojan. Yet again, the file utilizes a “legitimate” Windows executable (Certmgr.exe) to trick users into executing the Trojan. The Trojan even collects data the same way as the first Trojan. So what is different? The difference in campaign No. 2 is that, according to FireEye:
The malware displays fake forms on top of the banking sites and intercepts credentials from the victims. It can also display a fake Windows Update whenever there is nefarious activity in the background. The sample also contains a keylogger functionality.
The banking Trojan attacks of Metamorfo are representative of “malspam” attacks, which have been on the rise lately. The fact that this campaign, in particular, exploits legitimate Windows components, and makes convincing phishing emails, means that people should be on their guard.
For the love of everything, don’t execute files of unknown origin!
Photo credit: Pixabay