Rewterz Threat Alert – Metamorfo Returns with Keylogger Trick Targeting Financial Firms

Severity

Medium

Analysis Summary

Financial malware Metamorfo is back with a new variant with added technique of forcing victims to retype passwords into their systems which it tracks via a keylogger. Researchers found a new spate of phishing emails targeting users and distributing new variant of Metamorfo malware. Metamorfo was seen targeting Brazilian financial firms and now it’s expanding it’s geographic range.

This newest variant, which targets payment-card data and credentials at financial institutions with Windows platforms, packs a new trick up its sleeve. Once executed, the malware kills the auto-suggest data entry fields in browsers, forcing victims to write out their passwords – which it then tracks via a keylogger.

The infection is caused through a phishing emails and that distribute a ZIP archive containing an MSI file (named “view-(AVISO)2020.msi”). Researchers inspected this MSI file’s stream (a sequence of bytes written to files, giving more information about their attributes) and found JavaScript code mixed in with a wide swath of garbage strings.

Impact

• Information theft
• Financial loss

Indicators of Compromise

File name

view-(AVISO)2020.msi

Remediation

• Always be suspicious about emails sent by unknown senders.
• Never click on the links/attachments sent by unknown senders.