Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries

FortiGuard Labs Threat Analysis

Metamorfo is a malware family that was observed targeting the customers of online financial institutions. Recently, FortiGuard Labs captured two different Metamorfo variants. We have already published an analysis blog for the first, which only targets the customers of Brazilian financial institutions. 

This second Metamorfo variant targets the customers of even more financial institutions across multiple countries. In this post you can see how it infects the machines of its victims and what it is able to do on a victim’s machine, including how it collects data and communicates with its command and control (C&C) server, as well as what C&C commands it supports.

Starting from the Captured Sample 

The captured sample used in this analysis is an MSI file named “view-(AVISO)2020.msi” that is spread through a ZIP archive, just as with the previous variant. In the previous analysis, I showed that this MSI file is parsed and executed automatically by MsiExec.exe when a user double clicks on it in Windows OS.

Analyzing this latest MSI file, I discovered that it also has a stream with the same name –“!_StringData” – where I found a piece of JavaScript code that had been mixed in with a huge amount of garbage strings. After I extracted and de-obfuscated the JavaScript code, it was easy to see what the code does. Figure 1 is a code snippet that shows the key functions of that JavaScript code being used.

It downloads a file from the URL "hxxp[:]//www[.]chmsc[.]edu[.]ph/library/modules/down/op57.lts", which is actually a ZIP file containing three files. It then gets decompressed into a newly-created random string folder (in this case, “RrRbiebL”) under “C:”. Also, the three decompressed files are renamed with random strings, which in this analysis were “cMejBlQe.exe”, “M6WnYxAh” and “YvSVUyps.dll”.  Figure 2 shows the folder information.

These three files are executed in the command line: "C:RrRbiebLcMejBlQe.exe   C:RrRbiebLM6WnYxAh C:RrRbiebLYvSVUyps.dll”. You may have noticed in Figure 1 that it also added itself into the auto-run group in the victim’s system registry. This ensure that it runs automatically whenever the infected system starts. Figure 3 is a screenshot of the auto-run item in the system registry, whose value is just the above command line.

AutoIt Script Runs Metamorfo

“C:RrRbiebLcMejBlQe.exe” is run with the parameters “C:RrRbiebLM6WnYxAh C:RrRbiebLYvSVUyps.dll”. Through my analysis I learned that the file “cMejBlQe.exe” is an AutoIt script execution program, whose original name was “AutoIt3.exe”. The file “M6WnYxAh” is a compiled binary AutoIt script file (i.e. “.A3X” file), and “YvSVUyps.dll” includes the major body of this Metamorfo variant.

AutoIt has been observed being abused by a number of malware families for malicious purposes in the past. The reason for using AutoIt could be to bypass antivirus detection.

Decompiling the file “M6WnYxAh” reveals its source code:

It pauses 8 seconds at first. Then it loads a DLL file from the path $CMDLINE[1], which is the last parameter in the command line; i.e. “C:RrRbiebLYvSVUyps.dll”. It continues to call an export function of the DLL file named “B1OWOEFK3SBYS0ETX4XXHRNV7SZGYFTU”. After that, the infected victim machine is controlled by the DLL code.

Analysis of the Main Part of Metamorfo

Let’s now take a look at the file “YvSVUyps.dll”. From Figure 4, we can see that the DLL file is protected by the packer “VMProtect v3.00-3.3.1”. VMProtect is a very strong packer that supports dynamic code protection when the target process is running. This creates a big challenge for analysts. For example, all API addresses are hidden and are dynamically calculated before calling.

Once it ran, I dumped the restored real code from memory. By analyzing its ASM code, I also learned that it was compiled by Borland Delphi, just like the previous variant I analyzed.

Now it’s time to see what major tasks it will perform on a victim’s system.

After the code is restored by VMProtect, the FormCreate() function is called – which can be considered to be the Main() function.

It terminates running browsers, such as Microsoft IE, Mozilla Firefox, Google Chrome, Microsoft Edge and Opera, by killing the following processes: "iexplore.exe", "firefox.exe", "chrome.exe", "microsoftedge.exe", and "opera.exe". The process name strings and other most constant strings in the variant are encrypted using the same method as in the previous variant, but with different decryption keys.

This piece of ASM code shows that it calls a function to decrypt the process name strings and then calls the function _TerminateProcess() to kill all the matched processes from the process list.

It then modifies several registry key values to disable the IE browser’s functions such as auto-complete, auto-suggest, etc. The disabled keys are: "Use FormSuggest", "FormSuggest Passwords", "FormSuggest PW Ask" under the sub-key “HKCUSoftwareMicrosoftInternet ExplorerMain”, and "AutoSuggest" under the sub-key "HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerAutoComplete".

What is the purpose of killing the browsers and disabling their auto-complete and auto-suggest functions? This action forces the victim to hand-enter data without auto-complete, such as whole URLs, along with login-name, password, and so on in the browser. This allows the malware’s key logger function to record the largest number of actions from the victim’s input.

It also collects information such as the OS version, Computer Name, installed AV software, and so on from victim’s system. 

If it is running on an infected machine for the first time (depending on whether a flag file exists), it sends a POST packet to its command-and-control (C&C) server informing it that a machine has been infected. Figure 5 shows the details of that packet.

The URL “hxxp[:]//escapuliu[.]com/happynewyear/EYHS2BZM31D225Q.php” was previously decrypted, and the body of this packet contains the victim’s system information. Some of the values are base64 encoded. After decoding, the data looks like this: 

Timer Functions

As with the previous variant, this one also uses Timers to perform its tasks. At the end of the FormCreate() function it starts two Timers. The first Timer is used to monitor a bitcoin wallet address in the system clipboard, and the other is used to detect whether or not the victim is accessing a financial institution website. I will elaborate on both of these below.

Bitcoin Address Timer Function

This function keeps receiving data from the system clipboard and then determines if it is a valid bitcoin wallet address. If yes, it overwrites the wallet address with the attacker’s. 

Figure 6 shows the calling of the API SetClipboardData(), whose second parameter is the attacker’s wallet address ("163McXwBrc9S7JzbgegzVuw7QTJ9H1dQj7") used to replace the original one in the system clipboard. 

Usually, users copy&paste the wallet address to make a bitcoin transfer. In this variant, Metamorfo detects and overwrites the target wallet in the clipboard. In this way, it attempts to make the victim unknowingly transfer their bitcoin to the attacker’s bitcoin wallet address ("163McXwBrc9S7JzbgegzVuw7QTJ9H1dQj7").

Financial institution Timer Function

It then calls the API EnumWindows() function to enumerate all windows from the victim’s system. Its EnumFunc() callback function collects all windows titles and then adds a 14H long random string prefix. One mixed windows title looks like this:  “{14H long random string}+windows title”. All the mixed windows titles are added into a string list box control. It can also collect the page title of an online banking website that the victim may access in a browser.

In the timer function, it then reads out the mixed windows titles from the string list box control, one by one, to perform string matching against keywords from the targeted financial institutions. There are 32 such keywords that are used to enable matching with more than twenty financial institutions in multiple countries, including the US, Canada, Peru, Chile, Spain, Brazil, Ecuador, Mexico, and others. For safety reasons, I will not mention the specified keywords or the names of the financial institutions being targeted by this malware in this post.

Once a window title matches one of the keywords of a targeted financial institution, it connects to the C&C server, whose host is different from the one mentioned earlier.

Below is a code snippet that decrypts the C&C server host string and port number, which are “ssl[.]teamo[.]life” and “8350”.

Command and Control with C&C Server 

When a connection is established with the C&C Server, it sends the command “<|QFUNHSNXU|>” to the server and waits for control commands to come back to execute further functions on the victim’s system.

Following is an example communication between Metamorfo and its C&C server. 

Metamorfo sent “<|QFUNHSNXU|>” to the server, and then received the control command “<|PT|>” back from the server and executed the code for this command. As you can see, it then sent the response packet “<|tksN|>”, which contains the Metamorfo version, system version, platform information, the victim’s computer name, any installed AV software, the identifier string of the matched financial institution name (“L4N4c10n”), and so on. 

NOTE: in a packet, the symbol “<|>” is kind of a delimiter, while “<<|” is an end symbol.

As with the previous variant, this Metamorfo client uses the SocketRead() function to receive and process the control commands from the C&C server for this socket. 

This Metamorfo variant supports 119 control commands in total. Here they are:

"<|YuiqkwSgot|>", "<|PT|>", "<|VOTM|>", "<|Gpsxi|>", "<|ZKXAKYWQKEHUGZJ|>", "<|lozyw|>", "<|SuaykRJ|>", "<|SuaykJI|>", "<|ztUjzwtR|>", "<|IXjzwtR|>", "<|Folder|>", "<|Files|>", "<|DownloadFile|>", "<|UploadFile|>", "dkxqdpdv", "fuobhjh", "pyfsqtpofn", "camarinho", "beijada", "cidadao", "dlulztody", "janainaa", "nnnaewhwf23nvcxx", "vanuza", "vanessa", "carmena", "petereca", "jpevtpjevtjte", "djqduidxorv", "dulhkqzprf", "vaidamole", "vadiadaum", "lzyxyzoxzdy", "baraomagao", "IbqJxbxma", "Lmatqo", "puplY", "hajluvjlY", "wlylajhyhJ", "gsxuymrle", "sjemwbgonehjexhjjexhjxh", "phjdqdfdv", "madona", "LkingWajuGhkzwu", "vkbAlcvtlY", "JtxyXLWA", "urpdzchlrdi", "JXyhylipS", "ndsoiu43098s", "snis4duo3098", "ki74yfhsag", "KxvoJJ", "Bwilmakx", "semvergonha", "mh42jkrxc3", "BwiAivbi", "vBiAiiwbwew", "Bwiqbi", "kdaf4w84fds", "iru4837fbcz", "apqi398wjx", "Bwiaqk", "mfklsjfk3049jsfd", "Bwikmn", "vpupqbd", "ulrvAkhyI", "posseco", "jpwhslAzvsI", "ihAhaP", "dsefsdfds342342", "massonaria", "kldiu4324987dyyds", "iejdskdjkfl3426232hdshdhs", "maconha", "cnirhx87ds", "b9f8vnh3f7dhvsja4", "ihAwpMhauhW", "nhfjds98743hvfavb", "mfki73t1dav", "fodiufjdo834yfdgf", "f9ksa8iuvdo", "miwey82fqq", "oropeiru23", "kmcjds09498", "ewaewqrtrrmwoa", "m94ufasjczbal", "ulzcecrvAkhocpgyI", "hslfasreweyI", "perebao", "japones3fadhh", "uhkozphslAzvsI", "HruxWkrgHHMqgbkgs", "kxsHqddeuMHgHrbgrWgk", "bisurdor", "curvaduru", "vvjpwulw", "bosteiro", "lkfjasofu4343849", "fkvoiudas98", "coichzbz", "b98djzc", "klfjs943jfs", "eaqeutmn5r", "cracreuz", "guilhermina", "ztchrhAhaP", "IIzvsI", "HAPzvsI", "juventude", "HAUHWzvsI", "KHYIzvsI", "jpwzvsI", "mljzvsI", "hruxyoiu", "COZUMEL", "COZUMARIA", "LMAimwc", "baci83427daca", "daa243bi78acc".

The following table lists most of the control commands for the main socket, along with their descriptions. From it you are able to discover what actions Metamorfo variant can perform on a victim’s machine.

Here is an example of the last control command, "LMAimwc".  It closes running browsers – including “Microsoft Internet Explorer”, “Google Chrome”, and “Mozilla Firefox”, displays a message, and then restarts the victim’s system. Figure 7, below, shows a screenshot of the message in the Spanish language that I’ve translated it into English.

Solution

Fortinet customers are protected from this Metamorfo variant by FortiGuard’s Web Filtering, AntiVirus, and IPS services as follows:

The related URLs are rated as "Malicious Websites" by the FortiGuard Web Filtering service.

The MSI file is detected as "W32/Metamorfo" and blocked by the FortiGuard AntiVirus service.

The traffic between Metamorfo and its C&C server is detected by the FortiGuard IPS signature “Trojan.Metamorfo”.

IOCs:

URLs

hxxp[:]//escapuliu[.]com/happynewyear/EYHS2BZM31D225Q.php

hxxp[:]//www[.]chmsc[.]edu[.]ph/library/modules/down/op57.lts

Sample SHA-256

[view-(AVISO)2020.msi]

EB1E5EAEA4ECC04B920BBD955C16B17F3D5AC3C580EA266FF5B9D589B8B49E0C

Learn how FortiGuard Labs provides unmatched security and intelligence services using integrated AI systems. 

Find out about the FortiGuard Security Services portfolio and sign up for our weekly FortiGuard Threat Brief.  

Discover how the FortiGuard Security Rating Service provides security audits and best practices to guide customers in designing, implementing, and maintaining the security posture best suited for their organization.