{
	"id": "37c5b3d1-e3bc-47ad-8200-838d86585f4a",
	"created_at": "2026-04-06T01:29:32.661623Z",
	"updated_at": "2026-04-10T03:21:56.949981Z",
	"deleted_at": null,
	"sha1_hash": "32eb849de632d31b2826745c26d92c9cc063908c",
	"title": "Metamorfo Banking Trojan Keeps Its Sights on Brazil",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1782391,
	"plain_text": "Metamorfo Banking Trojan Keeps Its Sights on Brazil\r\nBy Paul Rascagneres\r\nPublished: 2018-11-08 · Archived: 2026-04-06 00:31:24 UTC\r\nThursday, November 8, 2018 12:09\r\nThis blog post was authored by Edmund Brumaghin, Warren Mercer, Paul Rascagneres, and Vitor Ventura.\r\nExecutive Summary\r\nFinancially motivated cybercriminals have used banking trojans for years to steal sensitive financial information\r\nfrom victims. They are often created to gather credit card information and login credentials for various online\r\nbanking and financial services websites so this data can be monetized by the attackers. Cisco Talos recently\r\nidentified two ongoing malware distribution campaigns being used to infect victims with banking trojans,\r\nspecifically financial institutions' customers in Brazil. Additionally, during the analysis of these campaigns, Talos\r\nidentified a dedicated spam botnet that is currently delivering malicious spam emails as part of the infection\r\nprocess.\r\nDistribution campaigns\r\nWhile analyzing these campaigns, Talos identified two separate infection processes that we believe attackers have\r\nused between late October and early November. These campaigns used different file types for the initial download\r\nand infection process, and ultimately delivered two separate banking trojans that target Brazilian financial\r\ninstitutions. Both campaigns used the same naming convention for various files used during the infection process\r\nand featured the abuse of link-shortening services to obscure the actual distribution servers used. The use of link\r\nshorteners also allows some additional flexibility. 
Many organizations allow their employees to access link\r\nshorteners from corporate environments, which could enable the attacker to shift where they are hosting malicious\r\nfiles, while also enabling them to leverage these legitimate services in email-based campaigns.\r\nhttps://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html\r\nPage 1 of 13\n\nCampaign 1\r\nTalos identified a spam campaign using a zipped file hosted on a free web hosting platform. This archive contains\r\na Windows LNK file (shortcut). During this campaign, the archive filename followed this format:\r\n\"Fatura-XXXXXXXXXX.zip,\" where \"XXXXXXXXXX\" is a 10-digit numeric value.\r\nThe LNK filename format was:\r\n\"__Fatura pendente - XXXX.lnk,\" where \"XXXX\" is a four-digit alphanumeric value.\r\nThe purpose of the LNK file was to download a PowerShell script with an image filename extension (.bmp or\r\n.png):\r\nThe purpose of this command is to download and execute a PowerShell script from the attacker's URL. This new\r\nPowerShell script is also obfuscated:\r\nThis script is used to download an archive hosted on Amazon Web Services (AWS):\r\nhXXps://s3-eu-west-1[.]amazonaws[.]com/killino2/image2.png.\r\nThis archive contains two files:\r\nA dynamic library (.DLL)\r\nA compressed payload (.PRX)\r\nThe library decompresses the PRX file and executes it in a remote process (library injection). This injected code is\r\nthe final payload described later in this post.\r\nCampaign 2\r\nIn addition to the infection process described in Campaign 1, Talos also observed a second series of campaigns\r\nthat leveraged a different process to deliver and execute malware on victim systems. 
This campaign also appeared\r\nto target Portuguese-speaking victims.\r\nIn this series of campaigns, attackers leveraged malicious PE32 executables to perform the initial stage of the\r\ninfection process rather than Windows shortcut files (LNK). These PE32 executables were delivered in ZIP\r\narchives using the following naming convention:\r\n\"Fatura-XXXXXXXXXX.zip,\" where \"XXXXXXXXXX\" is a 10-digit numeric value.\r\nA PE32 executable is inside of the ZIP archive. These executables used the following naming convention:\r\n\"__Fatura pendente - XXXX.exe,\" where \"XXXX\" is a four-digit alphanumeric value.\r\nWhen executed, these PE32 files create a batch file in a subdirectory of %TEMP%.\r\nThe Windows Command Processor is then used to execute the batch file which, in turn, executes PowerShell with\r\nthe instructions to download the contents hosted on the attacker-controlled server and pass it to Invoke-Expression (IEX) using the following syntax:\r\nThe batch file is then deleted and the infection process continues.\r\nWhen the system reaches out to Bitly, the link shortener, to access the contents hosted at the shortened link\r\ndestination, an HTTP redirect sends the client to the attacker-controlled server hosting a PowerShell script\r\nthat is passed into IEX and executed as previously described. The server delivers the following PowerShell:\r\nThis PowerShell script retrieves and executes the malicious payload that is being delivered to the system. This\r\nPowerShell also leverages the Bitly service, as seen in the previous screenshot.\r\nWith Bitly links, users can obtain some further information by adding the \"+\" sign to the end of the shortened\r\nURL. By doing this, we discovered that the link was created on Oct. 
21, most likely around the campaign start\r\ntime, and that 699 clicks had been registered through the Bitly service so far.\r\nWhile the HTTP request is made for a JPEG and the content type specified is \"image/jpeg,\" the server actually\r\ndelivers a ZIP archive containing a Windows DLL file called \"b.dll.\"\r\nThe script then sleeps for 10 seconds, after which it extracts the archive and saves the DLL to a\r\nsubdirectory of %APPDATA% on the system. RunDLL32 is then used to execute the malware, infecting the\r\nsystem. The uncompressed DLL is very large, approximately 366MB in size, due to the inclusion of a large\r\nnumber of 0x00 bytes within the binary. This may have been used to evade automated detection and analysis systems, as\r\nmany will not properly process large files. Similarly, this will avoid sandbox detonation, as most sandboxes will\r\nnot allow files of this size.\r\nAdditionally, infected systems beacon to an attacker-controlled server (srv99[.]tk) during the infection process.\r\nAnalysis of the DNS communications associated with this domain shows an increase in attempts to resolve this\r\ndomain, which corresponds with the campaigns that have been observed.\r\nThe majority of these resolution requests have occurred from systems located in Brazil.\r\nThe PowerShell execution also facilitates communications with a dynamic DNS service. Similarly to the first\r\nBitly link, we were able to obtain additional information in relation to this domain:\r\nWe once again see a creation time, but this time it's a few days later. This potentially shows the actor pivoting to a\r\ndifferent email list to send the same spam to.\r\nSpam tools\r\nBoth of these campaigns eventually deliver a banking trojan. 
However, Talos identified additional tools and\r\nmalware hosted on the Amazon S3 bucket. This malware is a remote administration tool with the capability to\r\ncreate email accounts. The accounts are created on the BOL Online email platform, an internet portal that provides email\r\nhosting and free email services in Brazil. The attacker's main goal appears to be creating a botnet of systems\r\ndedicated to email account creation.\r\nThe malware is developed in C# and contains many Portuguese words.\r\nHere is the function used to create a BOL email account:\r\nOnce created, the randomly generated username and password are sent to a C2 server. BOL Online uses a\r\nCAPTCHA system to keep machines from creating accounts. To bypass this protection, the malware author uses the\r\nRecaptcha API with the token provided by the C2 server:\r\nDuring our investigation, all the created email addresses were prefixed by \"financeir.\"\r\nThe trojan can remove itself, send the created email credentials, restart, and download and execute\r\nbinaries provided by the C2 server.\r\nTalos identified three C2 servers:\r\nhxxp://criadoruol[.]site/\r\nhxxp://jdm-tuning[.]ru/\r\nhxxp://www[.]500csgo[.]ru\r\nWe identified more than 700 compromised systems registered on these servers as members of the botnet. The oldest\r\nmachine was compromised on Oct. 23. This botnet created more than 4,000 unique email accounts on the BOL Online\r\nservice using the aforementioned technique. 
Some of these accounts were used to initiate the spam campaigns\r\nwe tracked as part of this research.\r\nGiven the filename patterns, the victimology and the specific targeting of both campaigns, Talos\r\nassesses with moderate confidence that both of these campaigns leveraged the same email generation tool we\r\ndiscovered on the actor's open S3 bucket. This links both campaigns to the same actor using the\r\nsame toolset. The actor likely attempted to use different delivery methods and email lists to deliver his malspam.\r\nFinal payload\r\nWe identified two different payloads deployed during these campaigns. The payloads are developed in Delphi and\r\nare banking trojans targeting Brazilian banks.\r\nFellow security firm FireEye already covered the first payload here. It gathers information on the compromised\r\nsystem and exfiltrates the data to a C2 server. It also includes a keylogger, which is exactly the same as the\r\nkeylogger we described in this post. When the user is logged into their bank's website, the malware can interact\r\nwith them by showing a fake popup claiming to be from the bank. Here is an example that attempts to steal the\r\nuser's CVV:\r\nThe second one has exactly the same features but is implemented differently. 
It mainly targets two-factor\r\nauthentication by displaying fake popups to the user:\r\nA keylogger then retrieves the information entered by the target.\r\nThe following financial services organizations are being targeted by this malware: Santander, Itaú, Banco do\r\nBrasil, Caixa, Sicredi, Bradesco, Safra, Sicoob, Banco da Amazonia, Banco do Nordeste, Banestes, Banrisul,\r\nBanco de Brasilia and Citi.\r\nConclusion\r\nThis strain of malware is prevalent throughout the world and is further proof that banking trojans remain popular.\r\nWith this sample the attacker targets specific Brazilian banking institutions. This could suggest the attacker is\r\nfrom South America, where they could find it easier to use the obtained details and credentials to carry out illicit\r\nfinancial activities. We will continue to monitor financial crimeware activities throughout the threat landscape.\r\nThis is not a sophisticated trojan, and most banking malware rarely is, but it's the latest example of how easy it can\r\nbe for criminals to steal from users by abusing spam to send their malicious payloads. This threat also shows the\r\nlengths that actors are going to in order to obtain additional email accounts to abuse, creating an automatic generation\r\nmechanism to get new accounts for additional spam campaigns.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork 
Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIndicators of Compromise (IOCs)\r\nThe following IOCs are associated with various malware distribution campaigns that were observed during the\r\nanalysis of associated malicious activity.\r\nSource: https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html"
	],
	"report_names": [
		"metamorfo-brazilian-campaigns.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775438972,
	"ts_updated_at": 1775791316,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/32eb849de632d31b2826745c26d92c9cc063908c.pdf",
		"text": "https://archive.orkl.eu/32eb849de632d31b2826745c26d92c9cc063908c.txt",
		"img": "https://archive.orkl.eu/32eb849de632d31b2826745c26d92c9cc063908c.jpg"
	}
}