Metamorfo Banking Trojan spotted using Avast Utility

July 27, 2019

The SonicWall Capture Labs Threat Research Team has spotted Metamorfo malware known to distribute banking Trojans using a legitimate tool by Avast, a popular security product. The malware arrives as a seemingly harmless Adobe installer and to evade detection it uses a renamed copy of the Avast memory dumping tool to load its malicious components.

Infection cycle:

The Trojan arrives as a windows installer database, MSI file.

It uses the following file properties pretending to be an Adobe Acrobat Reader installer.

 

Upon execution, it displays a fake splash window that makes the victim believe that Adobe Reader is being installed.

This installer has an embedded objuscated javascript code that when decoded reveals its intention.

It downloads a fake image file, with a PNG extension  which is in fact a ZIP archive containing additional components.

The archive is then unpacked into the %APPDATA% directory  which contains the following files:

  • %APPDATA%/yDnKLM.exe - non-malicious renamed AVDump32.exe utility from Avast
  • %APPDATA%/yDnKLM.dmp – malicious file detected as GAV: Metamorfo.BZ_2 (Trojan)
  • %APPDATA%/dbghelp.dll – malicious file detected as GAV: Metamorfo.BZ_ (Trojan)
  • %APPDATA%/ ssleay64.dll – malicious file detected as GAV: Metamorfo.BZ_3 (Trojan)
  • %APPDATA%/borlndmm.dll – non-malicious Borland Memory Manager library
  • %APPDATA%/libeay32.dll – non-malicious OpenSSL library
  • %APPDATA%/ ssleay32.dll – non-malicious OpenSSL library

The installer will then invoke a system reboot. Upon successful reboot it launches the legitimate Avast file to load the malicious dbghelp.dll library and then subsequently loads another non-malicious program, windows media player to load the malicious .dmp file.

The malicious files have the ability to steal user information by accessing computer name and keystrokes and to connect to a remote server, submit files, invoke mouse clicks, execute commands.

During our analysis the malicious ssleay64.dll was not loaded.

Sonicwall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Metamorfo.BZ_4(Trojan)
  • GAV: Metamorfo.BZ_5(Trojan)
  • GAV: Metamorfo.BZ_6 (Trojan)
  • GAV: Downloader.MSI (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.