This crafty malware makes you retype your passwords so it can steal them

The Metamorfo banking trojan has expanded its campaign beyond Brazil and now targets online banking customers in several countries.
Written by Danny Palmer, Senior Writer

A trojan malware campaign is targeting online banking users around the world with the aim of stealing credit card information, finances and other personal details.

Detailed by cybersecurity researchers at Fortinet, the Metamorfo banking trojan has targeted users of over 20 online banks in countries around the world including the US, Canada, Peru, Chile, Spain, Brazil, Ecuador and Mexico.

It marks an escalation of the attacks, which last month appeared to be restricted to customers of Brazilian banks but have now spread to other targets.


Like many other hacking campaigns, Metamorfo begins with phishing emails, which in this case claim to contain information about an invoice and invite the user to download a .ZIP file. By downloading and running its contents, the victim allows Metamorfo to execute on the Windows machine.

After installation, and after checking that it isn't running in a virtual machine or sandbox, the malware runs an AutoIt script execution program with its own script. AutoIt is a scripting language designed for automating the Windows graphical user interface and other general scripting tasks, but it has been used by malware as a means of bypassing antivirus detection: the interpreter itself is a legitimate program, and the malicious logic lives in the script it executes.

Once running on the compromised Windows system, Metamorfo terminates any running browsers and then prevents new browser windows from using auto-complete and auto-suggest in data-entry fields.

This forces the user to type usernames, passwords and other details by hand. Saved form data that a browser fills in automatically produces no keystrokes, so by switching it off the malware ensures its keylogger component can collect the data the user is now obliged to retype. That data is then sent back to a command-and-control server run by the attackers.
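The article does not say how Metamorfo disables auto-complete, only that it does. One place a defender can check for that kind of tampering, whichever malware did it, is the browser policy and preference keys in the Windows registry. The script below is an added example written for this page, not code from the article or from Fortinet's analysis; the registry paths and value names are the documented Chrome, Edge and Internet Explorer settings for password saving and form autofill, and treating them as where such tampering would appear is an assumption.

```powershell
# Added example (not from the article or Fortinet's report): audit the Windows
# registry for settings that switch off browser password saving and autofill.
# Assumption: a sample that disables auto-complete does so through these
# documented Chrome/Edge policy values and Internet Explorer preferences.

$checks = @(
    # Chrome and Edge policies: a DWORD of 0 disables the feature. Managed
    # corporate machines may set these deliberately; an unmanaged home PC should not.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';  Name = 'PasswordManagerEnabled';     Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';  Name = 'AutofillAddressEnabled';     Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';  Name = 'AutofillCreditCardEnabled';  Bad = 0 },
    @{ Path = 'HKCU:\SOFTWARE\Policies\Google\Chrome';  Name = 'PasswordManagerEnabled';     Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'; Name = 'PasswordManagerEnabled';     Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'; Name = 'AutofillAddressEnabled';     Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'; Name = 'AutofillCreditCardEnabled';  Bad = 0 },
    # Internet Explorer per-user preferences: the string "no" disables
    # form suggestion and password suggestion respectively.
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'Use FormSuggest';       Bad = 'no' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'FormSuggest Passwords'; Bad = 'no' }
)

$findings = foreach ($c in $checks) {
    # Skip keys that do not exist; absence means the browser default applies.
    if (-not (Test-Path -LiteralPath $c.Path)) { continue }
    $item = Get-ItemProperty -LiteralPath $c.Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $prop = $item.PSObject.Properties[$c.Name]
    if ($null -eq $prop) { continue }
    # Compare as strings so DWORD 0 and REG_SZ "no" are handled by one rule.
    if ("$($prop.Value)" -eq "$($c.Bad)") {
        [pscustomobject]@{
            Path  = $c.Path
            Name  = $c.Name
            Value = $prop.Value
        }
    }
}

if ($findings) {
    Write-Warning 'Browser auto-complete has been disabled by the following settings:'
    $findings | Format-Table -AutoSize
    # On a machine that is not under group policy management, these values
    # appearing alongside unexplained browser crashes is worth investigating.
} else {
    Write-Output 'No auto-complete-disabling settings found in the audited keys.'
}
```

Run it in an ordinary user session (the HKCU checks refer to the current user) and compare the output against what your management tooling is expected to set; on a machine with no such tooling, any hit should be explained.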

Metamorfo also includes a function that monitors for 32 keywords associated with the targeted banks, most likely so the attackers can be alerted in real time when a victim is accessing an online banking service.

Researchers haven't revealed the keywords or the names of the financial institutions being targeted, as it's likely the Metamorfo campaign is still active.


To avoid falling victim to attacks using the malware, users should be wary of unexpected emails and attachments, in particular unsolicited "invoices" that arrive as .ZIP archives; running an up-to-date antivirus product can also help detect the malware.

Keeping operating systems and software patched and up to date also goes a long way towards stopping malware, as many attacks rely on known vulnerabilities that patches close. Note, though, that a campaign like this one, which depends on the user running the attachment rather than on any software flaw, will not be stopped by patching alone.
