Metamorfo Banking Malware Hides By Abusing Avast Executable (Jul 16, 2019)
enSilo Threat Intelligence researchers observed malicious activity in May 2019 conducted by a Brazilian threat group distributing the banking trojan “Metamorfo.” Researchers discovered variants of the trojan that abuse an executable digitally signed by Avast, a well-known antivirus vendor. The downloader starts by checking whether the system is running in a virtual machine. If it is not, the downloader fetches a zip file, unzips it, deletes itself, establishes persistence, and restarts the system. Like samples from previous campaigns, Metamorfo displays fake forms on targeted banking sites to steal credentials from victims.
Recommendation: Malware authors are always innovating new methods of communicating back to their control servers. Always practice Defense in Depth (don't rely on a single security mechanism; security measures should be layered, redundant, and fail-safe). Bank accounts and credit card numbers should be protected with the utmost care, and only used with vendors that you trust to keep your information in compliance with the relevant standards. Regular monitoring of financial accounts, in addition to identity protection and fraud prevention services, can assist in identifying potential theft of data.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.