Bitdefender researchers Janos Gergo SZELES and Ruben Andrei CONDOR have documented a new Metamorfo campaign that uses legitimate software components to compromise computers.
Metamorfo is a family of banker Trojans that has been active since mid-2018. It primarily targets Brazilians and is delivered mostly through Office files rigged with macros in spam attachments. Metamorfo is a potent piece of malware, whose primary capability is theft of banking information and other personal data from the user and exfiltration of it to the C2 server.
What is new this time?
Metamorfo currently uses an extremely effective technique called DLL hijacking to conceal its presence on the system and elevate its privileges on the target computer. We also noticed that the malware tries to download other files from the C2 server, suggesting that it could download an updated version of itself with an extended command set as well.
A primer on DLL hijacking
DLL hijacking is a technique that allows an adversary to force an application to run third-party code by simply swapping a code library with a malicious one, or dropping a malicious library on the search path. This means that, if an attacker can get a file onto a victim’s machine, that file could be executed when the user runs a legitimate application that’s vulnerable to DLL Hijacking. In real life attacks, hackers get vulnerable, legitimate applications and put them next to a DLL file that the respective application would naturally load. They substitute that legitimate DLL with a DLL holding the malicious code, so the application loads and executes the hacker’s code instead.
While monitoring the Metamorfo campaign, we saw the attack abuse 5 different software components manufactured by respected software vendors. They come from Avira, AVG and Avast, Damon Tools, Steam and NVIDIA. Some components in these products load DLL files without ensuring that the files loaded are legitimate. This way, the malicious code is loaded and executed by a trustworthy process, so users will suspect nothing if they ever bring up Task Manager. Additionally, some security solutions will fail to detect malicious code or block communication at the firewall level, as the initiating process is likely whitelisted as trustworthy.
Why is this important?
Legitimate applications are usually digitally signed with an Authenticode (code-signing) certificate. This is considered a token of trust, as an Authenticode-signed executable file looks less alarming to users when requesting elevated privileges. Subsequently, if the User Account Control (UAC) prompts users that their trusted anti-virus vendor wants to make changes to the system, they likely won’t question it. Organizations sometimes (mis)configure their intrusion detection system to allow digitally signed applications to run undisturbed, ignoring their malicious behavior. Some antimalware solutions likely won’t scan the EXE since it’s presumed to originate from a trustworthy source.
For the full report and the complete analysis of the analyzed components, please check the research paper below. An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. The currently known indicators of compromise can be downloaded here.