Banking Trojan Metamorfo Hijacks Trusted Apps to Run Malware

Bogdan BOTEZATU

June 04, 2020

Bitdefender researchers Janos Gergo SZELES and Ruben Andrei CONDOR have documented a new Metamorfo campaign that uses legitimate software components to compromise computers.

Metamorfo is a family of banker Trojans that has been active since mid-2018. It primarily targets Brazilians and is delivered mostly through Office files rigged with macros in spam attachments. Metamorfo is a potent piece of malware whose primary capability is stealing banking information and other personal data from the user and exfiltrating it to the C2 server.

What is new this time?

Metamorfo currently uses an extremely effective technique called DLL hijacking to conceal its presence on the system and elevate its privileges on the target computer. We also noticed that the malware tries to download other files from the C2 server, suggesting that it could download an updated version of itself with an extended command set as well.

A primer on DLL hijacking

DLL hijacking is a technique that allows an adversary to make an application run third-party code by swapping a code library for a malicious one, or by dropping a malicious library somewhere on the application's search path. This means that, if an attacker can get a file onto a victim’s machine, that file could be executed when the user runs a legitimate application that is vulnerable to DLL hijacking. In real-life attacks, hackers take vulnerable, legitimate applications and place them next to a DLL file that the respective application would naturally load. They substitute that legitimate DLL with one holding the malicious code, so the application loads and executes the hacker’s code instead.

While monitoring the Metamorfo campaign, we saw the attack abuse five different software components made by respected software vendors: Avira, AVG and Avast, Daemon Tools, Steam and NVIDIA. Some components in these products load DLL files without verifying that the loaded files are legitimate. This way, the malicious code is loaded and executed by a trustworthy process, so users will suspect nothing if they ever bring up Task Manager. Additionally, some security solutions will fail to detect the malicious code or to block its communication at the firewall level, because the initiating process is likely whitelisted as trustworthy.
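The detection side of the sideloading pattern described above, as an added example that is not code from the Bitdefender report: a small heuristic run over constructed Sysmon Event ID 7 (image loaded) records that flags DLLs that are not validly signed and are loaded from outside the standard install roots, and more strongly when the loading executable has been relocated into that same user-writable directory. The pipe-delimited line format, the trusted-root list and the sample paths are assumptions made for the example.

```python
"""Flag suspicious DLL loads in constructed Sysmon Event ID 7 records.

Heuristic (an assumption for this example, not the report's method):
a DLL that is not validly signed and is loaded from a directory outside
the standard install roots is a sideloading candidate; it is stronger
when the loading executable sits in that same directory.
"""
import re
from pathlib import PureWindowsPath

TRUSTED_ROOTS = (  # assumed install roots; extend for real environments
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)

FIELD_RE = re.compile(r"(\w+)=([^|]*)")  # Key=Value pairs separated by '|'

def parse_event(line):
    """Parse one pipe-delimited 'Key=Value' record (constructed format) into a dict."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}

def under_trusted_root(path):
    """True when the path lies inside one of TRUSTED_ROOTS (case-insensitive on Windows paths)."""
    p = PureWindowsPath(path)
    return any(root == p or root in p.parents for root in TRUSTED_ROOTS)

def classify(event):
    """Return the reasons an image-load event looks like sideloading (empty if clean)."""
    if event.get("EventID") != "7":
        return []
    dll, exe = event["ImageLoaded"], event["Image"]
    signed_ok = event.get("Signed") == "true" and event.get("SignatureStatus") == "Valid"
    reasons = []
    if not signed_ok and not under_trusted_root(dll):
        reasons.append("DLL without a valid signature loaded from an untrusted directory")
    same_dir = PureWindowsPath(dll).parent == PureWindowsPath(exe).parent
    if same_dir and not signed_ok and not under_trusted_root(exe):
        reasons.append("loading executable relocated next to the unsigned DLL")
    return reasons

def scan(lines):
    """Return (dll_path, reasons) for every flagged record."""
    return [(e["ImageLoaded"], r) for e in map(parse_event, lines) if (r := classify(e))]

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    r"EventID=7|Image=C:\Program Files\Vendor\updater.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true|SignatureStatus=Valid",
    r"EventID=7|Image=C:\Users\victim\AppData\Roaming\Vendor\updater.exe|ImageLoaded=C:\Users\victim\AppData\Roaming\Vendor\helper.dll|Signed=false|SignatureStatus=Unavailable",
    r"EventID=7|Image=C:\Program Files\Vendor\updater.exe|ImageLoaded=C:\Program Files\Vendor\helper.dll|Signed=true|SignatureStatus=Valid",
]

if __name__ == "__main__":
    for dll, reasons in scan(SAMPLE_EVENTS):
        print(dll, "->", "; ".join(reasons))
```

Only the second record is flagged, on both counts; a validly signed DLL under a standard install root produces no alert, so a real deployment would pair this with a per-vendor allowlist of expected DLL names and paths.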

Why is this important?

Legitimate applications are usually digitally signed with an Authenticode (code-signing) certificate. This is considered a token of trust, as an Authenticode-signed executable file looks less alarming to users when requesting elevated privileges. Consequently, if the User Account Control (UAC) prompt tells users that their trusted anti-virus vendor wants to make changes to the system, they likely won’t question it. Organizations sometimes (mis)configure their intrusion detection system to allow digitally signed applications to run undisturbed, ignoring their malicious behavior. Some antimalware solutions likely won’t scan the EXE since it’s presumed to originate from a trustworthy source.

For the full report and the complete analysis of the affected components, please check the research paper below. An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. The currently known indicators of compromise can be downloaded here.

Download the whitepaper
