Metamorfo Banking Trojan
The Metamorfo Banking Trojan is a spyware program that specializes in collecting banking data from Brazilian victims. While different variants of this threat exhibit various capabilities, they usually include some combination of taking screenshots and recording typed information, such as login credentials. Traditional anti-malware products can safely delete the Metamorfo Banking Trojan, as well as the other Trojans that install it (usually delivered through spam e-mails).
The Persistent War of Trojans against Brazilian Banking
Brazilian banking customers are recurring targets for threat actors who want to make money by taking it from accounts directly, instead of deploying a cryptocurrency miner or running a convoluted file-ransoming scheme. However, the growth of security countermeasures against such campaigns also forces criminals to put in more work than in the past for a banking Trojan to succeed. The series of Metamorfo Banking Trojan campaigns currently in operation shows some of the techniques now in vogue.
Most versions of the Metamorfo Banking Trojan install themselves through spam e-mail campaigns that deliver malicious ZIP archives, either attached directly or linked from attachments. Public cloud-hosting services, such as Google's, are heavily used in these attacks, which may aid the Trojan dropper's disguise by making the download look harmless. Afterward, the Metamorfo Banking Trojan may gain system persistence through what malware experts describe as standard Windows Registry techniques.
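One defensive check that follows from the persistence behaviour described above is an audit of autostart entries in the Registry. The script below is an added example written for this page, not code from the article's authors or from any vendor; it assumes the persistence mechanism is a Run/RunOnce key (the article only says "Registry techniques") and works on a text export of those keys, as produced by `reg export`, so it runs anywhere. The export it parses is a constructed sample, and the value names and paths in it are invented for illustration, not indicators from the article.

```python
import re

# Constructed sample: a `reg export` of the per-user Run key. Every name and
# path here is made up for illustration and is not an indicator from the article.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"WinUpdateSvc"="C:\\Users\\alice\\AppData\\Roaming\\sysupd\\updater.exe"
"Telemetry"="C:\\Windows\\Temp\\tmp9f2.exe -s"
"""

# Directories a legitimate installer would rarely use for an autostart binary,
# but which a user-level dropper can write to without elevated privileges.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\downloads\\", "\\public\\")

# Section headers for Run and RunOnce keys under any hive (HKCU, HKLM, ...).
RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\CurrentVersion\\Run(?:Once)?)\]\s*$", re.I)
# A REG_SZ value line: "name"="data"
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')


def unescape_reg_string(s):
    """Undo .reg escaping: '\\\\' becomes '\\' and '\\"' becomes '"'."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def extract_executable(command):
    """Return the program path from a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def is_user_writable(path):
    """Heuristic: does the path sit in a directory an unprivileged user can write to?"""
    return any(hint in path.lower() for hint in USER_WRITABLE_HINTS)


def audit_run_keys(reg_text):
    """Return (key, value_name, exe_path) for autostart entries whose
    executable lives in a user-writable location; these merit a closer look."""
    findings, current_key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = RUN_KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if line.startswith("["):      # some other key: stop collecting values
            current_key = None
            continue
        if current_key is None:
            continue
        v = VALUE_RE.match(line)
        if not v:
            continue
        name, command = v.group(1), unescape_reg_string(v.group(2))
        exe = extract_executable(command)
        if is_user_writable(exe):
            findings.append((current_key, name, exe))
    return findings


if __name__ == "__main__":
    for key, name, exe in audit_run_keys(SAMPLE_REG_EXPORT):
        print(f"{key} -> {name}: {exe}")
```

On a real host, feed the function the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKLM equivalent); anything it flags is not automatically malicious, but an autostart binary under AppData or Temp is exactly what a user-level dropper leaves behind and is worth checking against the vendor's signatures.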
Two variants of the Metamorfo Banking Trojan use different methods of collecting data from the PCs they infect. However, both versions exclusively target Brazilian Web banking traffic. The different payloads are as follows:
- The first Metamorfo Banking Trojan monitors the browser for any Web addresses associated with Brazilian banks or cryptocurrency wallet management. A visit to one of these sites triggers the Metamorfo Banking Trojan's capture of continuous JPG screenshots, which it can upload to a threat actor's remote server.
- Although the second Metamorfo Banking Trojan uses a similar URL-monitoring trigger, it doesn't capture images of the screen. This variant may intercept confidential browsing information from the victim's network traffic, record typed information with a keylogging feature, display fake Web forms (to gather more data), and hide its attacks behind imitations of Windows Update screens.
Taking the Danger Out of Checking Your E-mail
Although the infection vectors in play are equally dangerous to individual PC users, malware researchers find that most Metamorfo Banking Trojan incidents target network-accessible business systems. Most spam e-mail messages in these campaigns use invoice-themed disguises, although other themes, such as delivery or fax notifications, could also be in use. The recurring use of compressed archive formats for the Trojan droppers also serves to obscure the threat's identity from some security solutions.
Since these infection methods require the victim's consent, all users can protect themselves from these attacks by not opening suspicious attachments. ZIP files, Word documents, and PDF documents are currently among the most popular formats for these threats, whose payloads drop spyware that will not necessarily produce many symptoms while exfiltrating personal information. Since these threats modify Windows components and include intentionally disguised files, the removal of the Metamorfo Banking Trojan from any infected PC should be left to appropriate anti-malware software.
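A mail gateway or help desk can apply the advice above mechanically by triaging archive attachments before anyone opens them. The script below is an added example written for this page, not code from the article's authors or from any product it mentions; it builds a constructed ZIP in memory (the member names and contents are invented, and the "executable" is an inert stub carrying only a PE-style `MZ` header) and flags the classic dropper tells: executable extensions, double extensions such as `.pdf.exe`, a nested archive, and a PE header hiding under a document or image extension.

```python
import io
import zipfile

# Extensions Windows will execute (or that script hosts run) when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".lnk", ".dll"}
# Extensions lures borrow to look like harmless documents or images.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".iso"}
MZ = b"MZ"   # first two bytes of every Windows PE executable


def build_sample_attachment():
    """Constructed sample resembling an invoice-themed spam attachment.
    Nothing in it is a real program; the MZ bytes exist only so the
    magic-byte check has something to find."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Fatura_2023.pdf.exe", MZ + b"\x90\x00" + b"inert stub, not a real program")
        z.writestr("readme.txt", b"please see the attached invoice")
        z.writestr("scan.jpg", MZ + b"\x90\x00" + b"not actually a jpeg")
        z.writestr("extra/docs.zip", b"PK\x03\x04" + b"\x00" * 8)
    return buf.getvalue()


def _split_name(member):
    """Return (lowercase extension, lowercase second-to-last extension or '')."""
    base = member.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    return ext, inner


def triage_zip(data):
    """Inspect a ZIP attachment and return [(member_name, [reasons])] for
    members that look like a dropper. An empty list means nothing stood out."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            ext, inner = _split_name(info.filename)
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension")
            if inner in DECOY_EXTS:
                reasons.append("double extension")
            if ext in ARCHIVE_EXTS:
                reasons.append("nested archive")
            # Read only the magic bytes; never execute or fully extract.
            with z.open(info) as fh:
                head = fh.read(2)
            if head == MZ and ext not in EXECUTABLE_EXTS:
                reasons.append("PE header under non-executable extension")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def verdict(findings):
    """Collapse member findings into a gateway decision."""
    return "quarantine" if findings else "allow"


if __name__ == "__main__":
    hits = triage_zip(build_sample_attachment())
    for name, reasons in hits:
        print(f"{name}: {', '.join(reasons)}")
    print("verdict:", verdict(hits))
```

The checks read only each member's header, so the archive is never extracted to disk; on a gateway, a "quarantine" verdict would route the message to an analyst rather than the recipient, which matches the article's point that these infections depend on the victim choosing to open the file.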
'Follow the money' is an adage that's as relevant for the threatening software industry as it is to anything else. As long as Brazil has significant banking activity or even cryptocurrency proponents, campaigns like the Metamorfo Banking Trojan will persist as ongoing hazards to careless PC users.