Banking Trojans are a constant danger for the financial sector. This kind of malware steals its victims’ online identity and use this information to trick financial institutions and steal money from their accounts. Over the last few years, we’ve seen many examples of this kind of cybercrime. Last year, one of the most noteworthy banking Trojans was BackSwap, which used a range of advanced techniques to get around cybersecurity controls.

As with many types of malware and cybercrime, the creators of banking Trojans are constantly seeking new ways to endanger their victims’ cybersecurity and steal their data or even their money.

Metamorfo: the banking Trojan spreads

Metamorfo is a banking Trojan that was discovered in April 2018. To begin with, its activity was limited to Brazil, where it gathered its victims’ information, including screen shots and their browsing history, in order to steal money from their online bank accounts. Now, in February this year, cybersecurity researchers have begun to detect more extended campaigns using this Trojan.

This new movement aims to gather credit card numbers, financial information, and other kinds of personal data. The Trojan has been detected in clients of over 20 online banks in the USA, Canada, Chile, Spain, Brazil, Mexico and Ecuador.

A Trojan with many tricks up its sleeves

As is the case with so many other malicious campaigns, Metamorfo starts with phishing. In this case, the email claims to contain information regarding an invoice, and invites the user to download a .zip file. When this file is downloaded and executed, Metamorfo can begin to function on Windows machines.

Once installed—and having checked that it isn’t running in a sandbox or a virtual environment—the malware runs an AutoIt script execution program. This scripting language is designed to automate the Windows graphical user interface and general scripting, but it has also been employed in malware attacks to bypass antivirus systems.

When it is running on a compromised Windows system, Metamorpho closes any browser that is being used, and stops any new browser window from using auto-complete in data-entry fields. This way, the malware forces the victim to retype their username and password, which allows the malware’s keylogger to gather this valuable information and send it to the C2 server.

So as not to waste any chances to gather this data, Metamorfo also has a feature that monitors 23 keywords related to the affected banks. This way, when the victim accesses the bank’s services, the attackers are forewarned.

How can Metamorfo be stopped?

The fact that this threat uses email as its main attack vector means that the first thing that needs to be done to stop Metamorfo from causing economic damage in the company is to monitor emails. In order to ensure that no threat can get into the organization through this vector, it is vital to train employees to recognize phishing emails.

It is also vital to have advanced protections. Panda Email Protection provides multilayer protection against all kinds of spam and malware in real time. The advanced scanning technology is carried out from the cloud, simplifying security management, since it can be used from anywhere, at any time, simply by accessing the web console.

Even if an email doesn’t have any of the “classic” indications of phishing, but still arouses suspicions because of the sender, the subject, or any other suspicious element, it is always best to double check its contents, especially if it is about bank transfers.

Finally, as can be said of most cybersecurity problems, the risks related to being attacked over email can be avoided with a combination of human and technological factors: common sense and employee training in order to acquire experience and prevent and detect attacks, along with the use of advanced cybersecurity platforms that have the capacity to warn of any dangers that we may have overlooked.