The Metamorfo Banking Trojan Disables Auto-Complete to Record the Passwords You Type In

While other threats have come and gone throughout the years, banking trojans have remained a firm favorite with cybercriminals, and although some of the strains like Ursnif have established a reputation for efficient data exfiltration, the crooks are still willing to give new entrants a go. Metamorfo is one of the more recent arrivals on the banking malware scene, and it looks like it might be gaining the hackers' approval fairly quickly.

Researchers from Fortinet first wrote about Metamorfo in January when the malware was aimed exclusively at users in Brazil. Last week, however, the experts said that they've seen a new variant distributed in "multiple" countries. They preferred not to publish a list of targeted financial institutions, but their report suggests that most of the targets are situated in North and South America.

A fairly traditional infection chain

There's nothing particularly newsworthy about the way Metamorfo infects a victim's computer. The crooks use social engineering to trick users into opening a ZIP file attached to an unsolicited email. Inside it, there's a Windows Installer which downloads a few files from a hacker-controlled server and installs the trojan. The files are dumped in a randomly named folder on the system drive, and persistence is achieved with the help of a modification of Windows' registry.

Before the malicious operation begins, Metamorfo contacts its Command&Control server (C&C) and sends information about the infected host, including the computer name, the version of the operating system, and a list of installed security products. So far, so conventional, but the next steps show that Metamorfo is far from a simple rewrite of a traditional banking trojan.

Metamorfo is after both real and crypto money

It looks like Metamorfo's operators aren't satisfied with stealing victims' banking credentials only. Once it's installed, the malware activates a clipboard monitoring functionality, which scans through every bit of data that the user copies. If it detects an alphanumeric string that looks like a bitcoin address, it swaps it for the address of the attacker's wallet while it's still in the clipboard.

Wallet addresses are between 26 and 35 characters long, which means that most people usually copy the address when they want to make a bitcoin transaction. Metamorfo's developers are hoping that users won't notice that the string has been changed and would inadvertently send the digital coins to the crooks' wallet. When it comes to the theft of online banking passwords, the strategy is just as well thought out.

A disabled auto-complete function and a simple keylogger result in stolen passwords

You know that when you start typing a URL in your address bar, modern browsers give you suggestions found in your browsing history. For many, going to their online banking platform means typing a couple of letters in the address bar and hitting Enter. Modern browsers also offer password management functionality, which means that once they're on the bank's website, users who have saved their credentials with their browsers just pick the right suggestion, and their username and passwords are filled in automatically. If their computers are infected with Metamorfo, this won't happen.

After it establishes a foothold on a host, Metamorfo makes a few changes to the registry, which disable the auto-fill functionality of most modern browsers. As a result, users need to enter the full URL of their banking website (if they haven't saved it as a bookmark), and they also need to manually type their username and password. While they are doing that, Metamorfo records the login data with the help of a keylogger component and sends it to the crooks' C&C.

A clever banking trojan that has a few other aces up its sleeve

From a technical perspective, this method is a lot simpler than the more traditional mechanisms for extracting login information, but it could be just as effective. Indeed, the users will likely notice that their browser's auto-complete functionality doesn't work, but they'll probably assume that this is a temporary glitch and will enter their details by hand. The workings of the bitcoin-redirection scam are just as straightforward. This doesn't mean that the overall level of sophistication is low, though.

Fortinet's researchers said that Metamorfo is capable of executing a total of 119 commands, which include shutting down and rebooting the computer, moving the mouse cursor, and displaying fake error messages. In other words, Metamorfo is an extremely versatile banking trojan with functionality that extends far beyond simply stealing login credentials and redirecting bitcoins. It might be new, but it's definitely not to be sniffed at.