Anti-Malware Research Whitepapers

Banking Trojan Metamorfo Hijacks Trusted Apps to Run Malware

Bitdefender researchers Janos Gergo SZELES and Ruben Andrei CONDOR have documented a new Metamorfo campaign that uses legitimate software components to compromise computers.

Metamorfo is a family of banker Trojans that has been active since mid-2018. It primarily targets Brazilians and is delivered mostly through Office files rigged with macros and sent as spam attachments. Metamorfo is a potent piece of malware whose primary capability is stealing banking information and other personal data from the user and exfiltrating it to the C2 server.

What is new this time?

Metamorfo currently uses an extremely effective technique called DLL hijacking to conceal its presence on the system and elevate its privileges on the target computer. We also noticed that the malware tries to download other files from the C2 server, suggesting that it could download an updated version of itself with an extended command set as well.

A primer on DLL hijacking

DLL hijacking is a technique that allows an adversary to force an application to run third-party code by simply swapping a code library for a malicious one, or by dropping a malicious library on the search path. This means that, if an attacker can get a file onto a victim’s machine, that file could be executed when the user runs a legitimate application that is vulnerable to DLL hijacking. In real-life attacks, hackers take vulnerable, legitimate applications and place them next to a DLL file that the respective application would naturally load. They substitute that legitimate DLL with a DLL holding the malicious code, so the application loads and executes the hacker’s code instead.

While monitoring the Metamorfo campaign, we saw the attack abuse five different software components manufactured by respected software vendors. They come from Avira, AVG and Avast, DAEMON Tools, Steam and NVIDIA. Some components in these products load DLL files without verifying that the files loaded are legitimate. This way, the malicious code is loaded and executed by a trustworthy process, so users will suspect nothing if they ever bring up Task Manager. Additionally, some security solutions will fail to detect the malicious code or to block its communication at the firewall level, as the initiating process is likely whitelisted as trustworthy.
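As an added example (not code from the Bitdefender report), the following Python runs a simple detection over constructed Sysmon Event ID 7 (ImageLoad) records: it flags DLLs that a process loads from its own directory, rather than from a Windows system directory, when the DLL is unsigned or its signature does not validate, which is the side-loading pattern described above. Field names follow Sysmon's ImageLoad event; the paths and signer names are constructed sample values, not indicators from the campaign.

```python
import ntpath

# Constructed Sysmon Event ID 7 (ImageLoad) records, reduced to the fields
# the check uses. Paths and signers are sample values, not real indicators.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\ExampleAV\Updater.exe",
     "ImageLoaded": r"C:\Program Files\ExampleAV\helper.dll",
     "Signed": "true", "Signature": "Example AV Ltd", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Updater.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\ExampleAV\Updater.exe",
     "ImageLoaded": r"C:\Program Files\ExampleAV\plugin.dll",
     "Signed": "true", "Signature": "Example AV Ltd", "SignatureStatus": "Invalid"},
]

# Directories from which DLL loads are expected and not treated as side-loads.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def is_side_loaded(event):
    """A DLL is side-loaded when it comes from the executable's own directory
    and that directory is not one of the Windows system directories."""
    exe_dir = ntpath.dirname(event["Image"]).lower()
    dll_dir = ntpath.dirname(event["ImageLoaded"]).lower()
    return exe_dir == dll_dir and not dll_dir.startswith(SYSTEM_DIRS)


def untrusted_reason(event):
    """Return why the loaded DLL is not trusted, or None if its signature is
    valid. Sysmon reports the Signed field as the strings 'true'/'false'."""
    if event.get("Signed", "false").lower() != "true":
        return "unsigned"
    if event.get("SignatureStatus") != "Valid":
        return "signature " + str(event.get("SignatureStatus"))
    return None


def hijack_suspects(events):
    """Return (process, dll, reason) for every side-loaded DLL that is
    unsigned or carries a signature that does not validate."""
    hits = []
    for ev in events:
        reason = untrusted_reason(ev) if is_side_loaded(ev) else None
        if reason:
            hits.append((ev["Image"], ev["ImageLoaded"], reason))
    return hits


if __name__ == "__main__":
    for proc, dll, why in hijack_suspects(SAMPLE_EVENTS):
        print(f"{proc} loaded {dll} ({why})")
```

A validly signed DLL beside a signed executable is not flagged here, so this rule complements, rather than replaces, a check that the DLL's signer matches the executable's publisher.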

Why is this important?

Legitimate applications are usually digitally signed with an Authenticode (code-signing) certificate. This is considered a token of trust, as an Authenticode-signed executable file looks less alarming to users when it requests elevated privileges. Consequently, if User Account Control (UAC) prompts users that their trusted anti-virus vendor wants to make changes to the system, they likely won’t question it. Organizations sometimes (mis)configure their intrusion detection system to allow digitally signed applications to run undisturbed, ignoring their malicious behavior. Some antimalware solutions likely won’t scan the EXE, since it is presumed to originate from a trustworthy source.

For the full report and the complete analysis of the analyzed components, please check the research paper below. An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. The currently known indicators of compromise can be downloaded here.

Download the whitepaper

About the author

Bogdan Botezatu is living his second childhood at Bitdefender as director of threat research. When he is not documenting sophisticated strains of malware or planning removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.

About the author

Janos Gergo SZELES

János Gergő Széles is a senior software engineer at Bitdefender. Passionate about malware behaviour analysis, he is continuously looking for new tricks employed by malicious actors. When not glued to the computer, he likes to spend time in nature and to take care of his bonsai. He believes that with perseverance, even the most challenging riddles can be solved.

About the author

Ruben Andrei CONDOR

Ruben Andrei Condor is a young and enthusiastic security researcher at Bitdefender. Fascinated by cyber attacks, and driven by out-of-the-box thinking and creativity, he seeks to understand how malicious actors think and operate. When he's not looking for interesting malware or new attack techniques, he's probably nearby in the cool tech section. He believes that nothing is perfect, everything can be hacked - it just takes time.
