Late last year, we noticed a massive ongoing campaign of banker malware concentrated primarily in Brazil. The threat
actors behind this campaign have a predilection for defense evasion, with their signature modus operandi revolving around a technique named dynamic-link library (DLL) hijacking.
While monitoring the Metamorfo campaign, we saw 5 different software components, manufactured
by respected software vendors, abused in the attack. This whitepaper covers the technical details of the attack and how operators abuse legitimate tools to evade detection.