https://threatpost.com/metamorfo-banking-trojan-autohotkey/164735/
Metamorfo Banking Trojan Abuses AutoHotKey to Avoid Detection

Author: Tara Seals
March 12, 2021 12:21 pm
3 minute read

A legitimate binary for creating shortcut keys in Windows is being used to help the malware sneak past defenses, in a rash of new campaigns.

The Metamorfo banking trojan is abusing AutoHotKey (AHK) and the AHK compiler to evade detection and steal users' information, researchers have warned. AHK is a scripting language for Windows originally developed to create keyboard shortcuts (i.e., hot keys).

According to the Cofense Phishing Defense Center (PDC), the malware (a.k.a. Mekotio) is targeting Spanish-language users using two separate emails as an initial infection vector. One is a purported request to download a password-protected file; the other is an elaborate spoofed notification about pending legal documents, with a link that downloads a .ZIP file.

Metamorfo Abusing AHK

In both cases, the malicious code is contained in a .ZIP file that is ultimately downloaded to victim computers. It contains three files: the legitimate AHK compiler executable (.EXE), a malicious AHK script (.AHK) and the banking trojan itself (.DLL). These are unpacked into a randomly named folder housed in C:\ProgramData. A script will then run the AHK compiler, the AHK compiler will execute the AHK script, and the AHK script will finally load Metamorfo into the AHK compiler's memory.

"[Metamorfo] will then operate from within the AHK compiler process, using the signed binary as a front to make detection more difficult for endpoint solutions," researchers explained, in a posting on Thursday.

For persistence, copies of all three files are also placed in a new folder. "It will then use a run key to initiate the execution chain every time the system restarts by executing the renamed copy of the AHK compiler," according to the report.

Metamorfo Resurgence in LATAM, Europe

Metamorfo started life as a Latin American banking trojan, first discovered in April 2018, in various campaigns that share key commonalities (like the use of "spray-and-pray" spam tactics). Its campaigns, however, have small, "morphing" differences, which is the meaning behind its name. A variant that emerged in February 2020, for instance, kills the auto-suggest data entry fields in browsers, forcing victims to write out their passwords, which it then captures via a keylogger.

That trick is also present in the latest attacks, according to the PDC, with cybercrooks targeting customers of banks in Latin America and Europe (including France, Portugal and Spain).

Metamorfo monitors browser activity looking for targeted banks, which are listed in the form of strings in the AHK compiler process memory, researchers explained. When a victim opens one of the targeted banking pages, Metamorfo overlays it with a fake version of the webpage designed to harvest credentials.

"[Metamorfo] disables specific registry browser values associated with password and form suggestions and autocompletion," researchers said. "This forces the user to type in sensitive information, even if they have it saved in their browser history, allowing the malware to capture credentials with its keylogging capabilities."

This version of the trojan can also monitor Bitcoin addresses copied to the clipboard and replace them with one belonging to the attackers. "As of this writing, this specific attacker address had a balance of 0.01957271 BTC, approximately $800," researchers said.

Metamorfo's Banking Trojan Infection Routine

The PDC encountered two main mechanisms for delivering the payload in these campaigns. In the first, a .ZIP file contains an MSI file that points to a malicious domain harboring 32- and 64-bit versions of a second .ZIP file; in the second, the original .ZIP file drops a shortcut file containing a malicious Finger command. Finger.exe is a native Windows command that allows the retrieval of information about a remote user.

"The Custom Actions table of these MSI files enables the incorporation of custom code to the installation package and is often abused by attackers," said the researchers. "[The table] shows an action titled 'dqidwlCTIewiuap' containing obfuscated JavaScript. The JavaScript is responsible for downloading the correct version of the .ZIP file from the payload site, unzipping its contents, renaming and placing it into a new randomly named folder."

In the second instance, a command is used to contact a server, which displays the contents of a hosted file in a command shell. The file in question is a PowerShell script that will run in this shell.

"The script carries out similar actions to the MSI: it downloads a ZIP file, renames it, copies it to a newly created folder and unzips it there," researchers explained. "The PDC also saw both tactics combined in at least one case, by incorporating the malicious Finger command directly into the MSI Custom Actions table."

Users can protect themselves by being wary of what files they download and also by checking their machines for random new folders in the Windows ProgramData directory.

"The main takeaway is that legitimate binaries can be leveraged as a façade for malicious activity," researchers concluded. "Vigilance is key. If a file or process is not meant to be there, it's best to check."