{"id":17626,"date":"2020-02-04T06:40:06","date_gmt":"2020-02-04T14:40:06","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2020\/02\/04\/news-11361\/"},"modified":"2020-02-04T06:40:06","modified_gmt":"2020-02-04T14:40:06","slug":"news-11361","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/02\/04\/news-11361\/","title":{"rendered":"Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries"},"content":{"rendered":"
\n
<\/div>\n
\n

FortiGuard Labs<\/a>\u00a0Threat Analysis<\/p>\n

\u00a0<\/p>\n<\/p><\/div>\n

\n
\n

Affected platforms:                   Windows
Impacted parties:                       Online Financial Institutions
Impact:                                      Theft of financial information<\/span><\/p>\n

Severity level:                           High<\/span><\/p>\n<\/div><\/div>\n

\n

Metamorfo is a malware family that was observed targeting the customers of online financial institutions. Recently, FortiGuard Labs captured two different Metamorfo variants. We have already published an\u00a0analysis blog<\/a>\u00a0for the first, which only targets the customers of Brazilian financial institutions.\u00a0<\/span> <\/p>\n

This second Metamorfo variant targets the customers of even more financial institutions across multiple countries. In this post you can see how it infects the machines of its victims and what it is able to do on a victim\u2019s machine, including how it collects data and communicates with its command and control (C&C) server, as well as what C&C commands it supports.<\/p>\n

Starting from the Captured Sample\u00a0<\/h2>\n

The captured sample used in this analysis is an MSI file named \u201cview-(AVISO)2020.msi\u201d that is spread through a ZIP archive, just as with the previous variant. In the previous analysis, I showed that this MSI file is parsed and executed automatically by MsiExec.exe when a user double clicks on it in Windows OS.<\/p>\n

Analyzing this latest MSI file, I discovered that it also has a stream with the same name \u2013\u201c!_StringData\u201d \u2013 where I found a piece of JavaScript code that had been mixed in with a huge amount of garbage strings. After I extracted and de-obfuscated the JavaScript code, it was easy to see what the code does. Figure 1 is a code snippet that shows the key functions of that JavaScript code being used.<\/p>\n

\u00a0<\/p>\n<\/p><\/div>\n