2 min read

Banking Trojan Metamorfo Hijacks Trusted Apps to Run Malware

Bogdan BOTEZATU

June 04, 2020


Bitdefender researchers Janos Gergo SZELES and Ruben Andrei CONDOR have documented a new Metamorfo campaign that uses legitimate software components to compromise computers.

Metamorfo is a family of banking Trojans that has been active since mid-2018. It primarily targets users in Brazil and is delivered mostly through Office documents rigged with macros and sent as spam attachments. Its core capability is the theft of banking credentials and other personal data from the victim and their exfiltration to the command-and-control (C2) server.

What is new this time?

Metamorfo currently uses a highly effective technique called DLL hijacking to conceal its presence on the system and to elevate its privileges on the target computer. We also noticed that the malware tries to download further files from the C2 server, which suggests it can fetch an updated version of itself with an extended command set.

A primer on DLL hijacking

DLL hijacking is a technique that lets an adversary make a legitimate application run attacker-supplied code, either by replacing a library the application loads with a malicious one or by dropping a malicious library somewhere on the loader's search path so that it is found before the real one. When an executable loads a DLL by bare name, Windows walks a fixed list of directories, starting with the directory the executable lives in, and takes the first match; it does not check that the library it finds is the one the developer intended. So if an attacker can write a file to a victim's machine, that file runs whenever a legitimate application that is vulnerable to DLL hijacking is started. In real attacks, the adversary takes a vulnerable, legitimate application, places it on the target next to a DLL with the name the application naturally loads, and puts the malicious code in that DLL, so the application loads and executes the attacker's code instead of the legitimate library.
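The search-order walk described above, as an added example that is not code from the Bitdefender report or from any of the products it names: a small Python model of the default Windows DLL search order (SafeDllSearchMode on), with an in-memory file listing standing in for the disk. The vendor name, paths, file listings and the KnownDLLs subset are constructed for illustration; the example also shows why a DLL on the KnownDLLs list cannot be hijacked this way.

```python
"""Model of the default Windows DLL search order (SafeDllSearchMode on).

Added example, not code from the Bitdefender report or from any of the
products it names. The application path, the file listings and the
KnownDLLs subset below are constructed for illustration.
"""
from dataclasses import dataclass

# Illustrative subset of the KnownDLLs list. The real list lives under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs and is
# served from the \KnownDlls object directory, so the loader never walks
# the search path for these names.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


@dataclass
class SearchContext:
    app_dir: str            # directory containing the launched executable
    system_dir: str         # C:\Windows\System32
    windows_dir: str        # C:\Windows
    cwd: str                # current directory of the process
    path_dirs: list         # entries of %PATH%
    safe_mode: bool = True  # SafeDllSearchMode, on by default since XP SP2

    def search_order(self):
        """Directories the loader walks for a DLL requested by bare name."""
        system16 = self.windows_dir + "\\System"
        if self.safe_mode:
            dirs = [self.app_dir, self.system_dir, system16, self.windows_dir, self.cwd]
        else:
            # With SafeDllSearchMode off the current directory moves up to second place.
            dirs = [self.app_dir, self.cwd, self.system_dir, system16, self.windows_dir]
        return dirs + list(self.path_dirs)


def resolve_dll(name, fs, ctx):
    """Return the full path the loader would pick for `name`, or None.

    `fs` is a set of full paths standing in for the files present on disk."""
    name = name.lower()
    present = {p.lower() for p in fs}
    if name in KNOWN_DLLS:
        # KnownDLLs are mapped straight from System32; a copy dropped in
        # the application directory cannot hijack them.
        return ctx.system_dir + "\\" + name
    for directory in ctx.search_order():
        candidate = directory + "\\" + name
        if candidate.lower() in present:
            return candidate  # first hit wins; no signature check happens here
    return None


# Constructed fixtures: a hypothetical signed tool and the files around it.
CTX = SearchContext(
    app_dir=r"C:\Program Files\ExampleVendor\Tool",
    system_dir=r"C:\Windows\System32",
    windows_dir=r"C:\Windows",
    cwd=r"C:\Users\victim\Downloads",
    path_dirs=[r"C:\Windows\System32\WindowsPowerShell\v1.0"],
)
CLEAN_FS = {
    r"C:\Program Files\ExampleVendor\Tool\tool.exe",
    r"C:\Windows\System32\version.dll",
    r"C:\Windows\System32\kernel32.dll",
}
# The attacker drops two DLLs beside the signed executable.
HIJACKED_FS = CLEAN_FS | {
    r"C:\Program Files\ExampleVendor\Tool\version.dll",
    r"C:\Program Files\ExampleVendor\Tool\kernel32.dll",
}


def demo():
    """Which file tool.exe would load in each scenario."""
    return {
        "clean": resolve_dll("version.dll", CLEAN_FS, CTX),
        "hijacked": resolve_dll("version.dll", HIJACKED_FS, CTX),
        "known_dll": resolve_dll("kernel32.dll", HIJACKED_FS, CTX),
    }


if __name__ == "__main__":
    for scenario, path in demo().items():
        print(f"{scenario:10} -> {path}")
```

The model deliberately ignores manifests, SetDllDirectory/AddDllDirectory, LOAD_WITH_ALTERED_SEARCH_PATH and DLL redirection, all of which change the walk for a given application; the point it makes is that the application directory is consulted before System32, which is exactly what an attacker exploits by shipping a signed executable with a same-named DLL beside it.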

While monitoring the Metamorfo campaign, we saw the attack abuse five different software components made by respected software vendors: Avira, AVG and Avast, DAEMON Tools, Steam and NVIDIA. Some components in these products load DLL files without verifying that the files loaded are legitimate. As a result, the malicious code is loaded and executed inside a trustworthy process, so users will suspect nothing if they ever bring up Task Manager. Some security solutions will also fail to detect the malicious code, or to block its communication at the firewall level, because the initiating process is likely whitelisted as trustworthy.
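One detection check that follows from this, as an added example that is not from the Bitdefender report: a Python scan over constructed image-load events modeled on the fields of Sysmon Event ID 7 (ImageLoad), flagging a DLL that is unsigned yet loaded from the host executable's own directory, or that carries the name of a system DLL but lives outside the Windows system directories. The vendor, paths, DLL names, the list of system DLL names and the event-line format are constructed for illustration.

```python
"""Spot DLL loads that look like search-order hijacking in image-load telemetry.

Added example, not code from the Bitdefender report. The event lines are
constructed and modeled on the fields of Sysmon Event ID 7 (ImageLoad),
whose Signed/Signature/SignatureStatus fields describe the loaded DLL, not
the loading process. The vendor, paths and DLL names are illustrative.
"""
import ntpath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Illustrative names of DLLs that normally resolve to System32; a copy
# loaded from anywhere else deserves a look.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "winmm.dll", "cryptbase.dll", "uxtheme.dll"}

# Constructed events, one per line, key=value pairs separated by '|'.
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\ExampleVendor\Tool\tool.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    r"Image=C:\Program Files\ExampleVendor\Tool\tool.exe|ImageLoaded=C:\Program Files\ExampleVendor\Tool\toolcore.dll|Signed=true|Signature=Example Vendor Ltd|SignatureStatus=Valid",
    r"Image=C:\Program Files\ExampleVendor\Tool\tool.exe|ImageLoaded=C:\Program Files\ExampleVendor\Tool\version.dll|Signed=false|Signature=|SignatureStatus=Unavailable",
    r"Image=C:\Program Files\ExampleVendor\Tool\tool.exe|ImageLoaded=C:\Program Files\ExampleVendor\Tool\helper.dll|Signed=false|Signature=|SignatureStatus=Unavailable",
]


def parse_event(line):
    """Parse one 'key=value|key=value' line into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(ev):
    """Return the list of reasons this load is suspicious (empty if none)."""
    image, loaded = ev["Image"], ev["ImageLoaded"]
    image_dir = ntpath.dirname(image).lower()
    dll_dir = ntpath.dirname(loaded).lower()
    dll_name = ntpath.basename(loaded).lower()
    signed_ok = (ev.get("Signed", "false").lower() == "true"
                 and ev.get("SignatureStatus") == "Valid")
    reasons = []
    if dll_name in SYSTEM_DLL_NAMES and dll_dir not in SYSTEM_DIRS:
        reasons.append("system DLL name loaded from outside the Windows system directories")
    if dll_dir == image_dir and not signed_ok:
        reasons.append("unsigned or invalidly signed DLL loaded from the host executable's own directory")
    return reasons


def scan(lines):
    """Return (Image, ImageLoaded, reasons) for every suspicious load."""
    hits = []
    for ev in map(parse_event, lines):
        reasons = classify(ev)
        if reasons:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for image, loaded, reasons in scan(SAMPLE_EVENTS):
        print(f"{image}\n  loaded {loaded}")
        for reason in reasons:
            print(f"    - {reason}")
```

A same-directory load that is signed by the vendor itself (the toolcore.dll line) is left alone, which is the usual case for a product's own plug-ins; in production the second rule is stronger when the DLL's signer is compared against the host executable's signer, a field these events do not carry and which has to come from a separate enrichment step.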

Why is this important?

Legitimate applications are usually digitally signed with an Authenticode (code-signing) certificate. The signature is treated as a token of trust: an Authenticode-signed executable looks less alarming to users when it requests elevated privileges, so if a User Account Control (UAC) prompt says that their trusted antivirus vendor wants to make changes to the system, users likely won't question it. The signature, however, covers only the executable itself and not the DLLs it loads at run time, so the trust it conveys is extended to whatever code the process pulls in. Organizations sometimes (mis)configure their intrusion detection systems to let digitally signed applications run undisturbed, ignoring their malicious behavior, and some antimalware solutions likely won't scan the EXE since it is presumed to originate from a trustworthy source.

For the full report and the complete analysis of the abused components, please check the research paper below. An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. The currently known indicators of compromise can be downloaded here.

Download the whitepaper
