[Home](https://www.fireeye.com/)  [FireEye Blogs](https://www.fireeye.com/blog.html)  [Threat Research](https://www.fireeye.com/blog/threat-research.html)  Metamorfo Campaigns Targeting Brazilian Users # Metamorfo Campaigns Targeting Brazilian Users [April 24, 2018 | by Edson Sierra, Gerardo Iglesias](https://www.fireeye.com/blog/threat-research.html/category/etc/tags/fireeye-blog-authors/edson-sierra) FireEye Labs recently identified several widespread malspam (malware spam) campaigns targeting Brazilian companies with the goal of delivering banking Trojans. We are referring to these campaigns as Metamorfo. Across the stages of these campaigns, we have observed the use of several tactics and techniques to evade detection and deliver the malicious payload. In this blog post we dissect two of the main campaigns and explain how they work. ## Campaign #1 The kill chain starts with an email containing an HTML attachment with a refresh tag that uses a Google URL shortener as the target. Figure 1 shows a sample email, and Figure 2 show the contents of the HTML file. ----- Figure 1: Malicious Email with HTML Attachment Figure 2: Contents of HTML File When the URL is loaded, it redirects the victim to a cloud storage site such as GitHub, Dropbox, or Google Drive to download a ZIP file. An example is shown in Figure 3. Figure 3: URL Shortener Redirects to Github Link The ZIP archive contains a malicious portable executable (PE) file with embedded HTML application (HTA). The user has to unzip the archive and double-click the executable for the infection chain to continue. The PE file is a simple HTA script compiled into an executable. When the user double-clicks the executable, the malicious HTA file is extracted to %temp% and executed by mshta.exe. The HTA script (Figure 4) contains VBS code that fetches a second blob of VBS code encoded in base64 form from hxxp:///ilha/pz/logs.php. ----- Figure 4: Contents of HTA File After the second stage of VBS is decoded (Figure 5 and Figure 6), the script downloads the final stage from hxxp:///28022018/pz.zip. ----- Figure 6: More Contents of Decoded VBS The downloaded ZIP file contains four files. Two are PE files. One is a legitimate Windows tool, pvk2pfx.exe, that is abused for DLL side-loading. One is the malicious banking Trojan as the DLL. The VBS code unzips the archive, changes the extension of the legitimate Windows tool from .png to .exe, and renames the malicious DLL as cryptui.dll. The VBS code also creates a file in C:\Users\Public\Administrador\car.dat with random strings. These random strings are used to name the Windows tool, which is then executed. Since this tool depends on a legitimate DLL named cryptui.dll, the search order path will find the malicious Trojan with the same name in the same directory and load it into its process space. In Q4 of 2017, a similar malspam campaign delivered the same banking Trojan by using an embedded JAR file attached in the email instead of an HTML attachment. On execution, the Java code downloaded a ZIP archive from a cloud file hosting site such as Google Drive, Dropbox, or Github. The ZIP archive contained a legitimate Microsoft tool and the malicious Trojan. ### Banking Trojan Analysis The Trojan expects to be located in the hardcoded directory C:\\Users\\Public\Administrador\\ along with three other files to start execution. As seen in Figure 7, these files are: car.dat (randomly generated name given to Windows tool) ----- Figure 7: Contents of ZIP Archive ### Persistence The string found in the file C:\\Users\\Public\\Administrador\\car.dat is extracted and used to add the registry key Software\Microsoft\Windows\CurrentVersion\Run\ for persistence, as shown in Figure 8. Figure 8: Reading from car.dat File ----- Figure 9: Persistence Keys The VBS code in this file (Figure 10) has the ability to recreate the whole chain and download the same ZIP archive. Figure 10: Contents of VBS Script Next, the Trojan searches for several folders in the Program Files directories, including: C:\\Program Files\\AVG C:\\Program Files\\AVAST Software C:\\Program Files\\Diebold\\Warsaw C:\\Program Files\\Trusteer\\Rapport C:\\Program Files\\Java C:\\Program Files (x86)\\scpbrad ----- format shown in Figure 11. The value of AT is ”. Figure 11: Network Traffic for Host Enumeration The sample iterates through the running processes, kills the following, and prevents them from launching: msconfig.exe TASKMGR.exe regedit.exe ccleaner64.exe taskmgr.exe itauaplicativo.exe Next, it uses GetForegroundWindow to get a handle to the window the user is viewing and GetWindowText to extract the title of the window. The title is compared against a hardcoded list of Brazilian banking and digital coin sites. The list is extensive and includes major organizations and smaller entities alike. If any of those names are found and the browser is one of the following, the Trojan will terminate that browser. firefox.exe chrome.exe opera.exe ----- (Figure 12). The screenshots are continuously saved as .jpg images. Figure 12: Malware Capturing Mouse Clicks ### Command and Control The command and control (C2) server is selected based on the string in the file “id”: al -> '185.43.209[.]182' gr -> '212.237.46[.]6' pz -> '87.98.146[.]34' mn -> ’80.211.140[.]235' The connection to one of the hosts is then started over raw TCP on port 9999. The command and control communication generally follows the pattern <|Command |>, for example: '<|dispida|>logs>SAVE<' sends the screenshots collected in gh.txt. '' is sent from C2 to host, and '' is sent from host to C2, to keep the connection alive. '<|INFO|>' retrieves when the infection first started based on the file timestamp ----- this particular campaign. Figure 13: Command and Control Server Open Directories Inside the open directories, we were able to get the following directories corresponding to the different active campaigns. Inside each directory we could find statistics with the number of victims reporting to the C2. As of 3/27/2018, the numbers were: al – 843 ap – 879 gr – 397 kk – 2,153 mn – 296 pz – 536 tm – 187 A diagram summarizing Campaign #1 is shown in Figure 14. ----- Figure 14: Infection Chain of Campaign #1 ## Campaign #2 In the second campaign, FireEye Labs observed emails with links to legitimate domains (such as hxxps://s3-ap-northeast1.amazonaws[.]com//Boleto_Protesto_Mes_Marco_2018.html) or compromised domains (such as hxxps://curetusu.-industria[.]site/) that use a refresh tag with a URL shortener as the target. The URL shortener redirects the user to an online storage site, such as Google Drive, Github, or Dropbox, that hosts a malicious ZIP file. A sample phishing email is shown in Figure 15. ----- Figure 15: Example Phishing Email The ZIP file contains a malicious executable written in AutoIt (contents of this executable are shown in Figur 16). When executed by the user, it drops a VBS file to a randomly created and named directory (such as C:\mYPdr\TkCJLQPX\HwoC\mYPdr.vbs) and fetches contents from the C2 server. Figure 16: Contents of Malicious AutoIt Executable Two files are downloaded from the C2 server. One is a legitimate Microsoft tool and the other is a malicious DLL: https[:]//panel-dark[.]com/w3af/img2.jpg https[:]//panel-dark[.]com/w3af/img1.jpg Those files are downloaded and saved into random directories named with the following patterns: \<5 random chars>\<8 random chars>\<4 random chars>\<5 random chars>.exe \<5 random chars>\<8 random chars>\<4 random chars>\CRYPTUI.dll The execution chain ensures that persistence is set on the affected system using a .lnk file in the Startup directory The lnk file shown in Figure 17 opens the malicious VBS dropped ----- Figure 17: Persistence Key The VBS file (Figure 18) will launch and execute the downloaded legitimate Windows tool, which in this case is Certmgr.exe. This tool will be abused using the DLL side loading technique. The malicious Cryptui.dll is loaded into the program instead of the legitimate one and executed. Figure 18: Contents of Dropped VBS File ### Banking Trojan Analysis Like the Trojan from the first campaign, this sample is executed through search-order hijacking. In this case, the binary abused is a legitimate Windows tool, Certmgr.exe, that loads Cryptui.dll. Since this tool depends on a legitimate DLL named cryptui.dll, the search order path will find the malicious Trojan with the same name in the same directory and load it into its process space. The malicious DLL exports 21 functions. Only DllEntryPoint contains real code that is necessary to start the execution of the malicious code. The other functions return hardcoded values that serve no real purpose. ----- successful, it sends a request to hxxp://api-api[.]com/json in order to detect the external IP of the victim. The result is parsed and execution continues only if the country code matches “BR”, as shown in Figure 19. Figure 19: Country Code Check The malware creates an empty file in %appdata%\Mariapeirura on first execution, which serves as a mutex lock, before attempting to send any collected information to the C2 server. This is done in order to get only one report per infected host. The malware collects host information, base64 encodes it, and sends it to two C2 servers. The following items are gathered from the infected system: OS name OS version OS architecture AV installed List of banking software installed IP address Directory where malware is being executed from The information is sent to hxxp://108.61.188.171/put.php (Figure 20). Figure 20: Host Recon Data Sent to First C2 Server ----- Figure 21: Host Recon Data Sent to Second C2 Server The malware alters the value of registry key Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ExtendedUIHoverTime to 2710 in order to change the number of milliseconds a thumbnail is showed while hovering on the taskbar, as seen in Figure 22. ----- Like the Trojan from the first campaign, this sample checks if the foreground window s title contains names of Brazilian banks and digital coins by looking for hardcoded strings. The malware displays fake forms on top of the banking sites and intercepts credentials from the victims. It can also display a fake Windows Update whenever there is nefarious activity in the background, as seen in Figure 23. Figure 23: Fake Form Displaying Windows Update The sample also contains a keylogger functionality, as shown in Figure 24. ----- Figure 24: Keylogger Function ### Command and Control The Trojan’s command and control command structure is identical to the first sample. The commands are denoted by the <|Command|> syntax. <|OK|> gets a list of banking software installed on the host. '' is sent from C2 to host, and '' is sent from host to C2, to keep connection alive. <|dellLemb|> deletes the registry key \Software\Microsoft\Internet Explorer\notes. EXECPROGAM calls ShellExecute to run the application given in the command. EXITEWINDOWS calls ExitWindowsEx. NOVOLEMBRETE creates and stores data sent with the command in the registry key \Software\Microsoft\Internet Explorer\notes. ----- Figure 25: Partial List of Victims This sample contains most of the important strings encrypted. We provide the following script (Figure 26) in order to decrypt them. ----- Figure 26: String Decryption Script ## Conclusion The use of multi-stage infection chains makes it challenging to research these types of campaigns all the way through. As demonstrated by our research, the attackers are using various techniques to evade detection and infect unsuspecting Portuguese-speaking users with banking Trojans. The use of public cloud infrastructure to help deliver the different stages plays a particularly big role in delivering the malicious payload. The use of different infection methods combined with the abuse of legitimate signed binaries to load malicious code makes these campaigns worth highlighting. ### Indicators of Compromise #### Campaign #1 **TYPE** **HASH** **DESCRIPTION** MD5 860fa744d8c82859b41e00761c6e25f3 PE with Embedded HTA MD5 3e9622d1a6d7b924cefe7d3458070d98 PE with Embedded HTA MD5 f402a482fd96b0a583be2a265acd5e74 PE with Embedded HTA |TYPE|HASH|DESCRIPTION| |---|---|---| |MD5|860fa744d8c82859b41e00761c6e25f3|PE with Embedded HTA| |MD5|3e9622d1a6d7b924cefe7d3458070d98|PE with Embedded HTA| ----- |MD5|68f818fa156d45889f36aeca5dc75a81|PE with Embedded HTA| |---|---|---| |MD5|c2cc04be25f227b13bcb0b1d9811e2fe|cryptui.dll| |MD5|6d2cb9e726c9fac0fb36afc377be3aec|id| |MD5|dd73f749d40146b6c0d2759ba78b1764|i4.dt| |MD5|d9d1e72165601012b9d959bd250997b3|VBS file with commands to create staging directories for malware| |MD5|03e4f8327fbb6844e78fda7cdae2e8ad|pvk2pfx.exe [Legit Windows Tool]| |URL||hxxp://5.83.162.24/ilha/pz/logs.php| |URL||hxxp://5.83.162.24/28022018/pz.zip| |C2||ibamanetibamagovbr[.]org/virada/pz/logs.php| |URL||sistemasagriculturagov[.]org| |URL||hxxp://187.84.229.107/05022018/al.zip| #### Campaign #2 **TYPE** **HASH** **DESCRIPTION** MD5 2999724b1aa19b8238d4217565e31c8e AutoIT Dropper MD5 181c8f19f974ad8a84b8673d487bbf0d img1.jpg [lLegit Windows Tool] MD5 d3f845c84a2bd8e3589a6fbf395fea06 img2.jpg [Banking Trojan] MD5 2365fb50eeb6c4476218507008d9a00b Variants of Banking Trojan |TYPE|HASH|DESCRIPTION| |---|---|---| |MD5|2999724b1aa19b8238d4217565e31c8e|AutoIT Dropper| |MD5|181c8f19f974ad8a84b8673d487bbf0d|img1.jpg [lLegit Windows Tool]| |MD5|d3f845c84a2bd8e3589a6fbf395fea06|img2.jpg [Banking Trojan]| ----- |MD5|d9682356e78c3ebca4d001de760848b0|Variants of Banking Trojan| |---|---|---| |MD5|330721de2a76eed2b461f24bab7b7160|Variants of Banking Trojan| |MD5|6734245beda04dcf5af3793c5d547923|Variants of Banking Trojan| |MD5|a920b668079b2c1b502fdaee2dd2358f|Variants of Banking Trojan| |MD5|fe09217cc4119dedbe85d22ad23955a1|Variants of Banking Trojan| |MD5|82e2c6b0b116855816497667553bdf11|Variants of Banking Trojan| |MD5|4610cdd9d737ecfa1067ac30022d793b|Variants of Banking Trojan| |MD5|34a8dda75aea25d92cd66da53a718589|Variants of Banking Trojan| |MD5|88b808d8164e709df2ca99f73ead2e16|Variants of Banking Trojan| |MD5|d3f845c84a2bd8e3589a6fbf395fea06|Variants of Banking Trojan| |MD5|28a0968163b6e6857471305aee5c17e9|Variants of Banking Trojan| |MD5|1285205ae5dd5fa5544b3855b11b989d|Variants of Banking Trojan| |MD5|613563d7863b4f9f66590064b88164c8|Variants of Banking Trojan| |MD5|3dd43e69f8d71fcc2704eb73c1ea7daf|Variants of Banking Trojan| |C2||https[:]//panel- dark[.]com/w3af/img2.jpg| |C2||https[:]//panel- dark[.]com/w3af/img1.jpg| [This entry was posted on Tue Apr 24 11:00 EDT 2018 and filed under Trojan, Malware,](https://www.fireeye.com/blog/threat-research.html/category/etc/tags/fireeye-blog-tags/trojan) ----- ## Sign up for email updates Get information and insight on today's advanced threats from the leader in advanced threat prevention. First Name Last Name Email Address Company Name Threat Research Blog Products and Services Blog Executive Perspectives Blog SUBSCRIBE ----- [About FireEye](https://www.fireeye.com/company/why-fireeye.html) [Customer Stories](https://www.fireeye.com/customers.html) [Careers](https://www.fireeye.com/company/jobs.html) [Partners](https://www.fireeye.com/partners.html) [Investor Relations](http://investors.fireeye.com/) [Supplier Documents](https://www.fireeye.com/company/supplier.html) [Newsroom](https://www.fireeye.com/company/newsroom.html) [Press Releases](https://www.fireeye.com/company/press-releases.html) [Webinars](https://www.fireeye.com/company/webinars.html) [Events](https://www.fireeye.com/company/events.html) [Awards and Honors](https://www.fireeye.com/company/awards.html) [Email Preferences](https://www2.fireeye.com/manage-your-preferences.html) [Incident?](https://www.fireeye.com/company/incident-response.html) [Report Security Issue](https://www.fireeye.com/company/security.html) [Contact Support](https://www.fireeye.com/support/contacts.html) [Customer Portal](https://csportal.fireeye.com/secur/login_portal.jsp?orgId=00D3000000063LS&portalId=06030000000pSNE) [Communities](https://community.fireeye.com/welcome) [Documentation Portal](https://docs.fireeye.com) [Threat Research](https://www.fireeye.com/blog/threat-research.html) [Products and Services](https://www.fireeye.com/blog/products-and-services.html) [Executive Perspectives](https://www.fireeye.com/blog/executive-perspective.html) Threat Map [View the Latest Threats](https://www.fireeye.com/cyber-map/threat-map.html) 1 877 347 3393 Stay Connected ##  ##  Copyright © 2018 FireEye, Inc. All rights reserved. [Privacy & Cookies Policy | Privacy Shield | Legal Documentation](https://www.fireeye.com/company/privacy.html) Site Language English  -----