Posted on June 4, 2020 at 6:20 PM
Bitdefender researchers Ruben Andrei and Janos Gergo have uncovered a new type of banking Trojan that attacks computer systems used by individuals and organizations. The Trojan, known as metamorfo, utilizes genuine software components to breach computers.
The Metamorfo Trojan is part of the Trojan group that has been active since 2018. The Trojan is used to target computer systems in Brazil and is sent in spam attachments through office files rigged with macros.
Bitdefender researchers revealed that the malware is very potent and dangerous in its operations. The main goal of the malware is to carry out cyber theft of personal data and banking information from the user and transfer it to the C2 server.
Metamorfo uses a highly effective method
Presently, the researchers said Metamorfo uses a highly sophisticated technique known as DDL hijacking to hide from any scrutiny by a host computer or cybersecurity firm. After concealing its presence in the system, it tries to improve its privileges on the targeted system.
The researchers also revealed that the malware had tried downloading other files from the C2 server. With this recent activity, the malware may download an updated version of itself with a broader command set.
About DLL hijacking
DLL hacking is a method used by an actor to force applications to run third-party codes. This happens by dropping a malicious library on the search path or when they swap a malicious code library in place of the genuine one.
In this case, the attacker could get a malicious file executed when they can get onto a victim’s machine. The file can be executed automatically whenever the user runs a genuine application vulnerable to the DLL hijacking.
Hackers replace genuine codes with a malicious one
In the real world, the attackers can make legitimate applications vulnerable and place them beside the DLL hijacking file, in which the targeted application eventually loads. Sometimes, the user may be helping to execute the malicious file without their notice.
That’s because the user will still think he is running the genuine code whereas it has been substituted and replaced with a malware-infested code. The hackers substitute the genuine DLL and replace it with the one with malicious code. As a result, the application will load and executes the hacker’s code instead of the legitimate code.
Attack affected major software vendors
The Bitdefender security team said the Trojan attack affected 5 different software components from major software vendors. These vendors include NVIDIA, Steam, Damon Tools, Avast, AVG, and Avira.
Some of the components in the products do not verify the authenticity of the files but still load the DLL files. As a result, the malicious code goes through a legitimate process before being loaded and executed. That means users may not suspect any malware activities or other problems even when they look through a file manager. The malware in the DLL file will remain hidden while the malware goes at work.
Also, many security software will not detect this malware as harmful to the system because the execute code had already screened the file as being genuine. That’s why security researchers are pointing out the devastating impact the malware can cause. It has been whitelisted by the system as legitimate, so the security solutions will not detect the malware file.
The trojan is seen as a legitimate app
Genuine applications usually have an Authenticode to show the application is legitimate. This malware may eventually look for higher privileges in the host system, which may be granted. In this case, when the antivirus software prompts the user for changes of updates, they may not question the decision.
That is how the Trojan malware was able to infiltrate the systems because the actors were able to replace the genuine application with the malware app. As a result, the system was unable to do much to detect the danger. That’s why the security researchers have termed the malware as very sophisticated.