Metamorfo Banking Trojan spotted using Avast Utility
The SonicWall Capture Labs Threat Research Team has spotted a Metamorfo campaign, a malware family known for distributing banking Trojans, abusing a legitimate tool from Avast, a popular security product. The malware arrives as a seemingly harmless Adobe installer and, to evade detection, uses a renamed copy of the Avast memory dumping tool to load its malicious components.
The Trojan arrives as a Windows Installer database (MSI file).
Its file properties are set so that it appears to be an Adobe Acrobat Reader installer.
Upon execution, it displays a fake splash window that makes the victim believe that Adobe Reader is being installed.
It downloads a fake image file with a .png extension that is in fact a ZIP archive containing additional components.
The archive is then unpacked into the %APPDATA% directory, producing the following files:
- %APPDATA%/yDnKLM.exe – non-malicious renamed AVDump32.exe utility from Avast
- %APPDATA%/yDnKLM.dmp – malicious file detected as GAV: Metamorfo.BZ_2 (Trojan)
- %APPDATA%/dbghelp.dll – malicious file detected as GAV: Metamorfo.BZ_ (Trojan)
- %APPDATA%/ssleay64.dll – malicious file detected as GAV: Metamorfo.BZ_3 (Trojan)
- %APPDATA%/borlndmm.dll – non-malicious Borland Memory Manager library
- %APPDATA%/libeay32.dll – non-malicious OpenSSL library
- %APPDATA%/ssleay32.dll – non-malicious OpenSSL library
The installer then forces a system reboot. After the reboot, the renamed Avast executable is launched and loads the malicious dbghelp.dll from its own directory instead of the genuine system library (DLL side-loading); it then launches another non-malicious program, Windows Media Player, to load the malicious .dmp file.
The malicious components can steal user information (the computer name and keystrokes), connect to a remote server, submit files, simulate mouse clicks and execute commands.
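Two of the observations above translate directly into host-side checks: the ZIP archive served with a .png extension, and the dropped file set in %APPDATA% in which a renamed utility loads dbghelp.dll from its own directory. The following Python script is an added example, not code from the advisory or from SonicWall. It constructs a sample drop in a temporary directory (placeholder MZ-headed files, not the real samples), sniffs the download's real type from its leading bytes, and flags two indicators in the unpacked directory: a system-resolved DLL name sitting beside an executable, and a PE file hiding behind a non-executable extension such as .dmp. The SYSTEM_DLLS entries other than dbghelp.dll are assumptions.

```python
import io
import os
import tempfile
import zipfile

# Leading-byte signatures taken from the public file-format specifications.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"MZ": "pe",
}
EXPECTED_TYPE_FOR_EXT = {".png": "png", ".zip": "zip", ".exe": "pe", ".dll": "pe"}

# DLL names a Windows program normally resolves from the system directory. A copy
# placed beside an executable in a user-writable folder is a side-loading indicator.
# dbghelp.dll is the name from the advisory; the other entries are assumptions.
SYSTEM_DLLS = {"dbghelp.dll", "version.dll", "dwmapi.dll", "cryptbase.dll"}


def sniff_type(data: bytes) -> str:
    """Identify content by its first bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def read_head(path: str, n: int = 16) -> bytes:
    with open(path, "rb") as fh:
        return fh.read(n)


def extension_mismatch(path: str) -> bool:
    """True when the extension promises one format and the bytes are another."""
    expected = EXPECTED_TYPE_FOR_EXT.get(os.path.splitext(path)[1].lower())
    return expected is not None and sniff_type(read_head(path)) != expected


def scan_drop_dir(directory: str) -> dict:
    """Apply two indicators to an unpacked directory:
    - sideload: a system-resolved DLL name sits beside an executable;
    - hidden_pe: a file whose extension is not .exe/.dll starts with an MZ header."""
    names = sorted(os.listdir(directory))
    lower = {n.lower(): n for n in names}
    exes = [lower[n] for n in lower if n.endswith(".exe")]
    dlls = [lower[n] for n in lower if n in SYSTEM_DLLS]
    sideload = [(e, d) for e in exes for d in dlls]
    hidden_pe = [
        n for n in names
        if os.path.splitext(n)[1].lower() not in (".exe", ".dll")
        and sniff_type(read_head(os.path.join(directory, n))) == "pe"
    ]
    return {"sideload": sideload, "hidden_pe": hidden_pe}


def build_sample(tmp: str) -> str:
    """Constructed sample reproducing the shape of the drop described in the
    advisory: a ZIP saved as .png, then its contents unpacked into a folder."""
    stub = b"MZ" + b"\x00" * 14  # placeholder PE header, not a real binary
    dropped = {
        "yDnKLM.exe": stub,   # stands in for the renamed utility
        "yDnKLM.dmp": stub,   # a PE hiding behind a .dmp extension
        "dbghelp.dll": stub,
        "ssleay64.dll": stub,
        "borlndmm.dll": stub,
        "libeay32.dll": stub,
        "ssleay32.dll": stub,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in dropped.items():
            zf.writestr(name, data)
    fake_png = os.path.join(tmp, "download.png")
    with open(fake_png, "wb") as fh:
        fh.write(buf.getvalue())
    unpack = os.path.join(tmp, "appdata")
    os.mkdir(unpack)
    with zipfile.ZipFile(fake_png) as zf:
        zf.extractall(unpack)
    return fake_png


def demo() -> dict:
    """Run both checks against the constructed sample and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_png = build_sample(tmp)
        return {
            "download_is_disguised": extension_mismatch(fake_png),
            "download_real_type": sniff_type(read_head(fake_png)),
            **scan_drop_dir(os.path.join(tmp, "appdata")),
        }


if __name__ == "__main__":
    print(demo())
```

To use it on a real host, point scan_drop_dir() at a user-profile subfolder such as %APPDATA%; a hit on the sideload indicator is only a lead, since some legitimate software ships its own copy of these DLLs, so confirm by checking the executable's signature and original file name before acting.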
During our analysis the malicious ssleay64.dll was not loaded.
SonicWall Capture Labs provides protection against this threat via the following signatures:
- GAV: Metamorfo.BZ_4 (Trojan)
- GAV: Metamorfo.BZ_5 (Trojan)
- GAV: Metamorfo.BZ_6 (Trojan)
- GAV: Downloader.MSI (Trojan)
This threat is also detected by SonicWall Capture ATP with RTDMI and the Capture Client endpoint solutions.