Metamorfo, also known as Casbaneiro, is a banking Trojan delivered through a multi-stage infection chain of nested archives, obfuscated scripts, and PowerShell payloads that harvest system data and persist on compromised hosts. The analysis highlights geo-targeting of the Americas and a workflow that downloads payloads from multiple remote hosts and sets up persistence through startup items and registry changes. #Metamorfo #Casbaneiro #PowerShell #HTA #AutoIt #BankingTrojan #Forcepoint
Keypoints
- Infection chain: eml -> zip -> html -> url (geo-evasive) -> zip -> hta -> ps1 -> zip -> a3x (encoded AutoIt script) -> shellcode.
- HTML and HTA stages use obfuscation; deobfuscation reveals the connecting URL.
- Delivery is geo-evasive: the URL only serves the next-stage zip to visitors from certain locations.
- PowerShell stage collects system information, reports to compromised hosts, downloads and executes payloads, and creates startup persistence.
- Registry changes add a user account with admin privileges; shortcuts and batch files dropped in AppData and the Startup folder provide persistence, and a forced shutdown ensures those startup items run at the next boot.
- Dropper components include AutoIt executables and .a3x scripts; safeboot and batch actions facilitate data theft and persistence.
- Victim focus: banking credentials with primary targeting of the Americas; distribution via email attachments.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Distributed as an email attachment the recipient is urged to open; ‘The malware is distributed via email urges user to click on the attachment.’
- [T1027] Obfuscated Files or Information – The HTML stage is obfuscated, and decoding it exposes the next-stage URL; ‘HTML contains basic obfuscation which on de-obfuscating gives the URL which the file is trying to connect.’
- [T1105] Ingress Tool Transfer – PowerShell fetches a ZIP containing further components from a remote server; ‘PowerShell connects to hxxps://facturacioncontable[.]com/m.zip and downloads a zip file which contains multiple files.’
- [T1059.001] Command and Scripting Interpreter: PowerShell – ‘PowerShell behavior in brief: Checking for system information, installed antiviruses, computer name, and OS versions.’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – ‘Script creates multiple shortcuts and batch file in different locations including AppData and StartUp folder.’
- [T1112] Modify Registry – ‘Registry modifications to add new user account with admin privileges.’
- [T1562.001] Impair Defenses: Disable or Modify Tools – ‘Attempts to disable or bypass security measures such as Antivirus software and disabling security services.’
- [T1041] Exfiltration Over C2 Channel – ‘Establishes remote server connection and sends collected system information to compromised sites.’
Indicators of Compromise
- [IP Address] – Connection to multiple C2 hosts; 54.39.10[.]87, 20.206.126[.]228, and 18 more addresses
- [Domains] – Domains associated with infrastructure; vqz8[.]gotdns[.]ch, nhoquemassa[.]com, and 18 more domains
- [URLs] – Command and update delivery endpoints; hxxp://86.38.217[.]167/13/index[.]php, hxxp://86.38.217[.]167/ps1/index[.]php, and 13 more
- [HTML hashes (SHA-1)] – 428fe9b7608cd82303e27103c3058ecd61bd58a6, bbf3387c82a600053e2fdfef6491cc20d099dd0a
- [PowerShell hashes (SHA-1)] – a9e9df6762418bbed030e825099282da59278db0, e2218b08b6dd53fa115ad50b70f41d0f0a080ce6
- [.a3x hashes (SHA-1)] – 2bd4acea5c3bf107cc6615af65d1617c847814cc, 4b5b7cf403ac7d6e3dd787104e3e6bd088743815
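Hunting logic for the chain described in the Keypoints and for the infrastructure listed above, as an added example that is not part of the Forcepoint write-up or of this summary. It uses only IPs, domains and hashes printed on the page; the Sysmon-like event field names and the sample telemetry are constructed assumptions, and each rule encodes one stage the page describes (mshta launching PowerShell, shortcut or batch drops in the Startup folder, .a3x execution, a scripted shutdown, and contact with the listed hosts).

```python
"""Hunt for the Metamorfo/Casbaneiro chain in endpoint telemetry (added example)."""
import re
from collections import defaultdict

# Infrastructure and hashes taken from the page, kept defanged as published.
PUBLISHED_IOCS = {
    "ips": ["54.39.10[.]87", "20.206.126[.]228", "86.38.217[.]167"],
    "domains": ["vqz8[.]gotdns[.]ch", "nhoquemassa[.]com", "facturacioncontable[.]com"],
    "sha1": [
        "428fe9b7608cd82303e27103c3058ecd61bd58a6",  # HTML stage
        "a9e9df6762418bbed030e825099282da59278db0",  # PowerShell stage
        "2bd4acea5c3bf107cc6615af65d1617c847814cc",  # .a3x stage
    ],
}


def refang(ioc: str) -> str:
    """Turn the defanged form used on the page (hxxp, [.]) into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {refang(i) for i in PUBLISHED_IOCS["ips"]}
IOC_DOMAINS = {refang(d) for d in PUBLISHED_IOCS["domains"]}
IOC_SHA1 = set(PUBLISHED_IOCS["sha1"])

# Per-user Startup folder; shortcuts and batch files dropped here run at logon.
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
PERSIST_EXT = (".lnk", ".bat", ".cmd")


def hunt(events):
    """Return (rule, host, detail) findings from Sysmon-like event dicts.

    Field names (parent_image, image, command_line, target, dest_ip,
    dest_host, sha1) are an assumption of this example, not a product schema.
    """
    findings = []
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "process":
            parent = ev.get("parent_image", "").lower()
            image = ev.get("image", "").lower()
            cmd = ev.get("command_line", "")
            # hta -> ps1 stage: mshta.exe launching PowerShell
            if parent.endswith("\\mshta.exe") and image.endswith("\\powershell.exe"):
                findings.append(("mshta_spawns_powershell", host, cmd))
            # AutoIt interpreter running an encoded .a3x script
            if re.search(r"\.a3x\b", cmd, re.I):
                findings.append(("autoit_a3x_execution", host, cmd))
            # Scripted shutdown so the dropped startup items run at next boot
            if image.endswith("\\shutdown.exe") and parent.endswith(("\\powershell.exe", "\\cmd.exe")):
                findings.append(("scripted_shutdown", host, cmd))
            for dom in IOC_DOMAINS:
                if dom in cmd.lower():
                    findings.append(("ioc_domain_in_cmdline", host, dom))
        elif kind == "file_create":
            path = ev.get("target", "")
            if STARTUP_DIR.search(path) and path.lower().endswith(PERSIST_EXT):
                findings.append(("startup_folder_persistence", host, path))
        elif kind == "network":
            dst_ip, dst_host = ev.get("dest_ip", ""), ev.get("dest_host", "").lower()
            if dst_ip in IOC_IPS or dst_host in IOC_DOMAINS:
                findings.append(("ioc_network_contact", host, dst_ip or dst_host))
        elif kind == "hash":
            if ev.get("sha1", "").lower() in IOC_SHA1:
                findings.append(("ioc_file_hash", host, ev["sha1"]))
    return findings


def hosts_with_chain(findings, min_stages=3):
    """Hosts that trip several distinct rules, i.e. show more than one stage."""
    stages = defaultdict(set)
    for rule, host, _ in findings:
        stages[host].add(rule)
    return sorted(h for h, s in stages.items() if len(s) >= min_stages)


# Constructed sample telemetry: ws01 shows the chain, ws02 is benign noise.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -w hidden -ep bypass -f C:\Users\u\AppData\Local\Temp\s.ps1"},
    {"host": "ws01", "type": "network", "dest_ip": "54.39.10.87"},
    {"host": "ws01", "type": "file_create",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"},
    {"host": "ws01", "type": "process",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\u\AppData\Roaming\svc\AutoIt3.exe",
     "command_line": r"AutoIt3.exe C:\Users\u\AppData\Roaming\svc\script.a3x"},
    {"host": "ws02", "type": "process",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-Process"},
    {"host": "ws02", "type": "network", "dest_ip": "192.0.2.10"},
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for rule, host, detail in found:
        print(f"{host:6} {rule:28} {detail}")
    print("triage first:", hosts_with_chain(found))
```

The behavioural rules matter more than the IoC sets: the page notes the chain pulls from multiple remote hosts and that geo-evasive delivery varies the download source, so IP and domain matches will lag while the mshta -> PowerShell parent-child, Startup-folder drops and .a3x execution stay stable across campaigns. `hosts_with_chain` ranks hosts by how many distinct stages they exhibit so triage starts where the full chain is visible rather than on a lone network hit.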
Read more: https://www.forcepoint.com/blog/x-labs/exploring-metamorfo-banking-malware