New trojan forces manual password entry

News by Mark Mayne

New Metamorfo trojan targets 32 financial institutions and bitcoin transactions, marks escalation in ongoing campaign

A new variant of the Metamorfo trojan -- designed to steal credit card information and personal data -- disables auto-complete and auto-suggest functionality, forcing victims to manually enter their data. 

The trojan malware campaign, described by cyber-security researchers at Fortinet, starts with a phishing email claiming to contain information about an invoice, which prompts users to download and unzip a zip archive. The malware then installs itself, checks whether it is running in a sandbox or a virtual machine, and then runs an AutoIt script execution program, a technique that often evades endpoint security tools. It then terminates any running browsers and modifies several registry values to disable functions such as auto-complete and auto-suggest.

“This action forces the victim to hand-enter data without auto-complete, such as whole URLs, along with login-name, password, and so on in the browser. This allows the malware’s key logger function to record the largest number of actions from the victim’s input.

It also collects information such as the OS version, Computer Name, installed AV software, and so on from the victim’s system,” explained Xiaopeng Zhang, security researcher at FortiGuard Labs Threat Analysis.
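The article does not list which registry values the trojan changes, so a defender's first question is how to audit a host for auto-complete having been switched off. The following is an added example, not code from the article or from Fortinet: its watch-list is an assumption built from the standard Internet Explorer/Explorer form-suggestion values and the Chrome and Firefox policy values that control form, address and password auto-fill, and the tampered-host snapshot it evaluates is constructed, not real telemetry. The evaluation logic is pure so it can run over values exported from any host; the optional live reader uses `winreg` and only works on Windows.

```python
"""Audit browser auto-complete and password-manager settings for tampering."""
from typing import Dict, List, Tuple

# Assumed watch-list (not from the article): (hive, key, value name, value that means
# auto-complete / saved-credential use has been turned OFF). Entries are the documented
# IE/Explorer settings and the Chrome/Firefox machine policies; extend as needed.
WATCHLIST: List[Tuple[str, str, str, object]] = [
    ("HKCU", r"Software\Microsoft\Internet Explorer\Main", "Use FormSuggest", "no"),
    ("HKCU", r"Software\Microsoft\Internet Explorer\Main", "FormSuggest Passwords", "no"),
    ("HKCU", r"Software\Microsoft\Internet Explorer\Main", "FormSuggest PW Ask", "no"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete", "AutoSuggest", "no"),
    ("HKLM", r"SOFTWARE\Policies\Google\Chrome", "AutofillAddressEnabled", 0),
    ("HKLM", r"SOFTWARE\Policies\Google\Chrome", "AutofillCreditCardEnabled", 0),
    ("HKLM", r"SOFTWARE\Policies\Google\Chrome", "PasswordManagerEnabled", 0),
    ("HKLM", r"SOFTWARE\Policies\Mozilla\Firefox", "DisableFormHistory", 1),
    ("HKLM", r"SOFTWARE\Policies\Mozilla\Firefox", "OfferToSaveLogins", 0),
]

Observed = Dict[Tuple[str, str, str], object]  # (hive, key, name) -> value read from the host


def _normalise(value: object) -> str:
    """Compare REG_SZ 'no'/'yes' and REG_DWORD 0/1 uniformly as lower-case strings."""
    return str(value).strip().lower()


def evaluate(observed: Observed) -> List[str]:
    """Return one finding per watch-listed value that is set to its 'off' state.

    Values absent from `observed` are skipped: a missing policy value means the browser
    default applies, i.e. auto-fill is still enabled.
    """
    findings = []
    for hive, key, name, off_value in WATCHLIST:
        value = observed.get((hive, key, name))
        if value is not None and _normalise(value) == _normalise(off_value):
            findings.append(f"{hive}\\{key}\\{name} = {value!r} (auto-complete disabled)")
    return findings


def read_live_values() -> Observed:
    """Windows-only: read the watch-listed values with winreg into an `observed` dict."""
    import winreg  # imported here so evaluate() stays usable on any OS
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    observed: Observed = {}
    for hive, key, name, _ in WATCHLIST:
        try:
            with winreg.OpenKey(hives[hive], key) as handle:
                observed[(hive, key, name)], _type = winreg.QueryValueEx(handle, name)
        except OSError:
            pass  # key or value absent: browser default applies
    return observed


# Constructed snapshot of a tampered host (not real telemetry): IE form suggestion and the
# Chrome password manager have been switched off; Chrome address auto-fill is still on.
SAMPLE_TAMPERED: Observed = {
    ("HKCU", r"Software\Microsoft\Internet Explorer\Main", "Use FormSuggest"): "no",
    ("HKCU", r"Software\Microsoft\Internet Explorer\Main", "FormSuggest Passwords"): "no",
    ("HKLM", r"SOFTWARE\Policies\Google\Chrome", "PasswordManagerEnabled"): 0,
    ("HKLM", r"SOFTWARE\Policies\Google\Chrome", "AutofillAddressEnabled"): 1,
}

# Constructed snapshot of an untouched host.
SAMPLE_CLEAN: Observed = {
    ("HKCU", r"Software\Microsoft\Internet Explorer\Main", "Use FormSuggest"): "yes",
}

if __name__ == "__main__":
    for line in evaluate(SAMPLE_TAMPERED):
        print("FINDING:", line)
```

Run `evaluate(read_live_values())` on a Windows endpoint to check the live registry; in a fleet, the same function can be fed values collected by an EDR or `reg export` so the comparison logic is shared.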

The trojan also uses a timer to monitor 32 specific keywords associated with the targeted banks, ensuring that the attackers are alerted when a victim is likely to be entering target data. “There are 32 such keywords that are used to enable matching with more than twenty financial institutions in multiple countries, including the US, Canada, Peru, Chile, Spain, Brazil, Ecuador, Mexico, and others. For safety reasons, I will not mention the specified keywords or the names of the financial institutions being targeted by this malware,” continued Zhang. 

A second timer monitors the PC’s clipboard for valid bitcoin addresses and swaps any it finds for the attacker’s address ‘163McXwBrc9S7JzbgegzVuw7QTJ9H1dQj7’, which at the time of writing appears to have garnered 0.145 BTC, or just over £1,100.
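The clipboard-swap behaviour is detectable from the defender's side: a valid address that turns into a different valid address a fraction of a second after the user copied it is the signature. The block below is an added example, not code from the article or from Fortinet. It validates legacy Base58Check addresses (the ‘1…’ and ‘3…’ formats; Bech32 ‘bc1…’ addresses are deliberately out of scope), then scans a timeline of clipboard snapshots for such swaps. The two-second window is an assumed heuristic, the attacker stand-in address is constructed from a dummy key hash, and the timeline is constructed sample data; only the genesis-block address is a real, known-good test vector.

```python
"""Detect clipboard swaps of bitcoin addresses from (timestamp, clipboard_text) snapshots."""
import hashlib
from typing import Iterable, List, Tuple

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # Base58: no 0, O, I, l


def b58decode(s: str) -> bytes:
    """Decode a Base58 string; each leading '1' stands for a leading zero byte."""
    n = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(raw: bytes) -> str:
    """Inverse of b58decode."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def _checksum(body: bytes) -> bytes:
    """Base58Check checksum: first four bytes of double SHA-256."""
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]


def is_legacy_btc_address(text: str) -> bool:
    """True for a well-formed mainnet P2PKH ('1...') or P2SH ('3...') address."""
    text = text.strip()
    if not 26 <= len(text) <= 35:
        return False
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    return _checksum(raw[:21]) == raw[21:]


def make_p2pkh_address(hash160: bytes) -> str:
    """Build a valid mainnet P2PKH address from a 20-byte key hash.
    Used here only to construct a labelled sample address, not a real wallet."""
    assert len(hash160) == 20
    body = b"\x00" + hash160
    return b58encode(body + _checksum(body))


SWAP_WINDOW_SECONDS = 2.0  # assumed heuristic: a person rarely copies two addresses this fast


def find_clipboard_swaps(samples: Iterable[Tuple[float, str]],
                         window: float = SWAP_WINDOW_SECONDS) -> List[Tuple[float, str, str]]:
    """Return (time, original, replacement) wherever one valid address became a *different*
    valid address within `window` seconds of the previous snapshot."""
    swaps = []
    prev_t, prev_text = None, None
    for t, text in samples:
        text = text.strip()
        if (prev_text is not None and text != prev_text
                and t - prev_t <= window
                and is_legacy_btc_address(prev_text) and is_legacy_btc_address(text)):
            swaps.append((t, prev_text, text))
        prev_t, prev_text = t, text
    return swaps


# Known-good vector: the bitcoin genesis block coinbase address.
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
# Constructed stand-in for an attacker address, derived from a dummy key hash.
CONSTRUCTED_ATTACKER_ADDRESS = make_p2pkh_address(bytes(range(1, 21)))

# Constructed clipboard timeline: the payee address copied at t=1.0 is replaced 300 ms later;
# the copy at t=40.0 follows ordinary text, so it is not a swap.
SAMPLE_TIMELINE = [
    (0.0, "invoice 2231"),
    (1.0, GENESIS_ADDRESS),
    (1.3, CONSTRUCTED_ATTACKER_ADDRESS),
    (9.0, "thanks"),
    (40.0, GENESIS_ADDRESS),
]

if __name__ == "__main__":
    for t, original, replacement in find_clipboard_swaps(SAMPLE_TIMELINE):
        print(f"t={t}: clipboard address {original} replaced by {replacement}")
```

In production the snapshots would come from a clipboard poller running at a higher rate than the malware's timer; the detection logic itself stays the same, and `is_legacy_btc_address` is also a quick way to confirm whether any address string quoted in an IoC list is well-formed.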

“This is a particularly sly method by which the trojan captures passwords when users enter them. Something that won't raise suspicions of most people infected. Coupled with the fact that it uses antivirus evasion techniques makes it even more likely to succeed,” commented Javvad Malik, security awareness advocate at KnowBe4.

“Therefore, the best chance lies in preventing users being infected in the first place. As this malware arrives via phishing emails, it becomes increasingly important for users to receive continuous and updated security awareness and training to spot and report phishing attacks. If users can avoid falling for phishing emails, they can protect themselves and their organisations from the majority of malware.”

As far as the researchers can tell, the campaign remains active. The IoCs are as follows:

URLs

hxxp[:]//escapuliu[.]com/happynewyear/EYHS2BZM31D225Q.php

hxxp[:]//www[.]chmsc[.]edu[.]ph/library/modules/down/op57.lts

Sample SHA-256

[view-(AVISO)2020.msi]

EB1E5EAEA4ECC04B920BBD955C16B17F3D5AC3C580EA266FF5B9D589B8B49E0C
