Deep Analysis of New Metamorfo Variant Targeting Customers of Brazilian Financial Organizations

A FortiGuard Labs Threat Analysis Report

FortiGuard Labs recently captured a suspicious sample from a phishing email. After a quick analysis, I determined that this was a new variant of the Metamorfo malware, which was known for collecting data from the customers of Brazilian financial organizations.

In this analysis, I will elaborate what this new variant of Metamorfo does and what data it collects from a victim’s machine, as well as how it communicates with its command and control (C&C) server.

Spreading in a Phishing Email

The email content was in Portuguese, which is the official language of Brazil. The email content is translated into English in Figure 1. It was disguised as a notice asking the victim to download an Electronic Invoice (NF). When moving a mouse over the blue download button, the file download URL is shown in the status bar.

The downloaded file was not an electronic invoice, but a ZIP file with the MSI file name “XlsPlan_Visualize.msi”.

As we know, an MSI file is an installer package file used for the installation, storage, and removal of programs by Windows OS. However, MSI file is not an executable file like an EXE file, whose content is saved in OLE document format. Instead, double clicking on any MSI file causes the Windows system to call MsiExec.exe to process it.

Executing VBS code to download another MSI

There were forty-eight streams (similar to files) inside this “XlsPlan_Visualize.msi” file. Figure 2 shows a part of those streams. However, this MSI file is not the final malware body, but simply a malware downloader. Let’s go inside the file to see how it works.

The “!_StringData” stream contains a piece of VBS code that is executed by MsiExec.exe to download another malicious file. This code was mixed with a lot of garbage strings, as you can see in Figure 3. 

The highlighted section is part of the VBS code, which has been extracted and listed below:

Going through this VBS code we learn that it downloads the “img.zip” file from the url “hxxps[:]//raw[.]githubusercontent[.]com/edx23/X435/master/img.zip”, calls the unzip() function to decompress the file into the folder located at “%Public%DownloadsKJFLDKRE”, and then renames the file as “KJFLDKRE.msi”. Finally, it executes this file with the parameter “/quiet”. The “/quiet” parameter has the process run in the background with no user interface, so the victim doesn’t notice it.

Basic Information on KJFLDKRE.msi

“KJFLDKRE.msi” contains an EXE file split into several parts, each of which is known as a stream. Figure 4 is a screenshot of the content of “KJFLDKRE.msi”. As you can see, the sections in the PE structure were split into several streams, such as “CODE”, “DATA”, and so on.

When this MSI file runs in MsiExec.exe, the PE file (EXE file) is restored into C:WindowsInstallar and then executed. The filename is not fixed. In this case, it is “MSIA1F6.tmp”. Using an analysis tool, I determined that the file was written in Delphi. Figure 5 below shows more detailed information of this “MSIAIF6.tmp” file.

Dissecting KJFLDKRE.msi

“KJFLDKRE.msi” is the real Metamorfo malware, and as mentioned earlier, it runs in the background. In fact, “MSIA1F6.tmp” is extracted from “KJFLDKRE.msi” and executed in a child process of MsiExec.exe. All tasks of the new variant of Metamorfo are performed by “MSIA1F6.tmp” and the following analysis is based on that.

I will now show you how it functions inside a victim’s machine in the remaining sections:

Timer3 Timer Function

“MSIA1F6.tmp” uses several Timers to finish its work. It first starts a Timer named Timer3, which is triggered once each 500 MS.

In its timer function, it collects the victim’s system information, such as the Windows version, Login user name, and so on. It then adds an auto-run program inside victim’s system registry, so that it runs when the system starts. The top of Figure 6 shows that it has been added into the auto-run group in the system registry of my test machine, and below that is where the “KJFLDKRE.msi” file is located.

To prevent the victim from noticing any exception on the process list, it terminates the MsiExec.exe process. It looks for the MsiExec.exe process in the running process list by its name and then it calls TerminateProcess() to kill the process. It needs at least four MsiExec.exe processes to finally execute “MSIA1F6.tmp”.

Figure 7 is a code snippet used to kill four “msiexec.exe” processes.

As you may have noticed, the process name “msiexec.exe” is decrypted. Besides this, it contains another nearly 2,000 encrypted strings in the process, which creates a serious challenge for an analyst trying to understand its code.

It then kills Timer3 and starts Timer1.

Timer1 Timer Function

Timer1’s interval is set the same as Timer3’s, which is 500 MS.

The major task of this timer function is to find the most interesting Apps or web pages based on the victim’s behaviors.

It obtains the window title of the topmost program the victim is using at each 500 MS interval, calls the APIs GetForegroundWindow() and GetWindowTextA(), and then performs a string match to determine if that program is the one that it wants to collect information from.

During my analysis, I was able to determine that the targets are all Brazilian financial organizations. Next, I will elaborate all of the ways that Metamorfo determines if those programs are running.

APPs (installed clients):

It detects three installed finance applications by calling the API FindWindowA(), with the Windows class for each one.

Here is an example code showing how it finds one application by calling FindWindowA("SunAwtFrame", 0).

Web Pages:

When the victim opens the web page of an online bank, the web page title will include the bank name information. Metamorfo uses string matching to determine if the victim is working on a financial web page using a variety of institution names and acronyms.

Below is a code snippet of how Metamorfo performs a string match:

As mentioned before, those matching strings are encrypted, but they are decrypted before being used in string_match(). Once any of the strings is matched, Metamorfo records the financial organization’s name in a global variable and it then connects to its C&C server to tell what was triggered and to receive command and control commands. If none of string matches is triggered, Metamorfo does nothing, but keeps checking with Timer1 every 500 MS.

Host and Port of C&C Server

To increase the difficulty of being blocked, the host of C&C server is generated dynamically in a special way, which keeps the host string mutative each time. There is a function which is in charge of this task.

Here is an example of a host string: “ssqld12g1744gu.dynu.com”. The last part, “.dynu.com”, is fixed. The first part is a combination that consists of three parts, which are “ssq1d”, “12” and “g17744gu”. “12” is the number of the current month, for instance: “12” for Dec, “01” for Jan, “02” for Feb and so on. The other two substrings are constant strings. There are a total of 620 constant strings that can generate 620 host strings, which are split into 31 groups, one for every day of the month. Each group then has 20 strings for each day, and the function randomly picks one of these.

All of these constant strings are encrypted, and are only decrypted just before using.

From Figure 8, you can see the decrypted host strings for December. There are 31 lines, one for each day, and 20 on each line, each separated by a comma. For other months it changes the “12” in the middle to the corresponding month number.

Using the same model, it has 310 ports, or 10 ports for each day. There is a separate function for randomly picking up a port from the 10 ports assigned to the day number (1-31). Figure 9 shows the detail for those decrypted ports.

Command and Control with C&C Server

On my test machine, I opened the web page of a listed Brazilian financial organization to trigger a string match in Timer1. It then connected to the C&C server and relayed the information that a financial organization connection had been detected. I captured that encrypted communication traffic and decrypted it. The results are listed below:

When the connection is established, it sends “[<<MANDASOCKET>>]” first, and the server replies “<|OK|>”, which asks for the information about what happened on the victim’s device. An “<|Info|>” packet is then sent out containing the port number (8974), "Bank Name" is the name of the financial organization, the victim’s computer name (****-PC), client version (V.8), as well as victim’s OS name (Windows 7 Ultimate). NOTE: “<|>” is kind of a delimiter, while “<<|” is an end symbol.

In the Metamorfo client there is a function called Conn1Read(), a function of the Conn1 socket which processes the control commands from the C&C server for this main socket. Figure 10 is a screenshot of when Metamorfo is about to encrypt the <|Info|> packet in a debugger.

As you can see from the traffic above, there are many other commands, like "[-PING-]", "[-PONG-]", "[-VIDEO-]" and so on. Going through the function Conn1Read(), I obtained all of the control commands and the purpose of each command.

The following table lists most of the control commands for the main socket and their descriptions.    

Conn2Read() is a function of the Conn2 socket to receive and process the command and control commands from the C&C server. Conn2 socket starts when received the command “[-VIDEO-]” in Conn1Read(). The table below shows its commands and descriptions:

Solution

If you are a customer of a targeted Brazilian financial organization and you never run their applications or open one of their web pages on an infected computer, this variant of Metamorfo will not collect information.

The two downloaded URLs are rated as “Malicious Websites“ by the FortiGuard Web Filtering service.

Both of the MSI files are detected and blocked by the FortiGuard Antivirus service.

IOCs:

URLs

hxxps[:]//is[.]gd/vphbra?YTOMHZO3IYSYBGB86SYFIT/862023/YTOMHZO3IYSYBGB86SYFIT

hxxps[:]//raw[.]githubusercontent[.]com/edx23/X435/master/img.zip

Sample SHA-256

[XlsPlan_Visualize.msi]

631F6664876C1BD02BE60A8AF9A44030307E0FFA2C1239A95559559EDD0481D3

[img.jpg or KJFLDKRE.msi]

1A37AC4498AE3071DE271970E992968505BE95177FBB5BE2A3DA33A3A1514CEC

Learn how FortiGuard Labs provides unmatched security and intelligence services using integrated AI systems. 

Find out about the FortiGuard Security Services portfolio and sign up for our weekly FortiGuard Threat Brief. 

Discover how the FortiGuard Security Rating Service provides security audits and best practices to guide customers in designing, implementing, and maintaining the security posture best suited for their organization.