Metamorfo arrives, malware spread via malspam


Bitdefender: cybercriminals have developed Metamorfo, a malware delivered via malspam that mainly targets Brazil. To spread, it uses the Dynamic-link library (DLL) hijacking technique

It’s called Metamorfo, and it’s a malware that cybercriminals are trying to spread in Brazil, but not only there. Bitdefender cyber security researchers discovered it. The malspam campaign acts mainly through Office files manipulated with malicious macros, from which the banking trojan infection chain starts. Then, using the Dynamic-Link Library (DLL) hijacking technique, the attackers hide the malicious code on the system and manage to elevate its privileges on the computer, forcing a legitimate application to execute third-party code simply by swapping one of its libraries for a malicious one. Moreover, the campaign executes processes from files stored in uncommon locations (a subfolder with a random name inside the public user’s libraries: Documents, Music, Images, Videos, ProgramData or Downloads) with apparently random names and unusual extensions such as .SCR or .PIF.

Cyber Security Experts: The banking Trojan is deceiving various software and security solutions

Bitdefender cyber security experts, monitoring the Metamorfo campaign, identified 5 different software components, belonging to Avira, AVG and Avast, Daemon Tools, Steam and NVIDIA, affected by the attack. Since some of them load DLL files without verifying their legitimacy, the malware is loaded and executed by a trusted process without arousing suspicion in the user. In addition, some security solutions are unable to detect the banking trojan or to block its communication at the firewall level, probably because the process that loads it is classified as trusted.
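The two behaviours the article describes both leave traces in process telemetry: an executable starting from a randomly named subfolder of a public library path with an .SCR or .PIF extension, and a trusted, installed program loading a DLL from a user-writable directory instead of from its own install folder or System32. The script below is an added detection example, not code from Bitdefender or from the article; the event records are constructed to resemble Sysmon process-create and image-load events, the vendor and file names in them are placeholders, and the "random-looking name" heuristic is an assumption of this example rather than a rule from the page.

```python
"""Detection sketch for the Metamorfo behaviours described above.

Rule 1: process launched from a random-named subfolder of a public library
        directory with an unusual extension (.SCR / .PIF).
Rule 2: a process installed under a trusted directory loads a DLL from a
        user-writable location (the DLL search-order hijack).

All events are constructed samples, not real telemetry.
"""
import re
from pathlib import PureWindowsPath

# Staging roots named on the page: public profile libraries and ProgramData.
STAGING_ROOTS = [
    r"C:\Users\Public\Documents", r"C:\Users\Public\Music",
    r"C:\Users\Public\Pictures", r"C:\Users\Public\Videos",
    r"C:\Users\Public\Downloads", r"C:\ProgramData",
]
SUSPICIOUS_EXT = {".scr", ".pif"}

# Where installed, trusted binaries live versus where ordinary users can write.
TRUSTED_DIRS = [r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)"]
USER_WRITABLE = [r"C:\Users", r"C:\ProgramData"]


def _parts(path):
    """Case-insensitive path components (Windows paths are case-insensitive)."""
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def _under(path, root):
    """True when `path` lies strictly below `root`."""
    pp, rp = _parts(path), _parts(root)
    return len(pp) > len(rp) and pp[:len(rp)] == rp


def looks_random(name):
    """Heuristic (assumption of this example): an alphanumeric token of 8+
    characters that mixes letters and digits or has very few vowels."""
    if not re.fullmatch(r"[A-Za-z0-9]{8,}", name):
        return False
    has_digit = any(c.isdigit() for c in name)
    has_alpha = any(c.isalpha() for c in name)
    vowel_ratio = sum(c in "aeiouAEIOU" for c in name) / len(name)
    return (has_digit and has_alpha) or vowel_ratio < 0.2


def check_process_create(image):
    """Rule 1: return a reason string, or None when the launch looks normal."""
    path = PureWindowsPath(image)
    parent = path.parent
    for root in STAGING_ROOTS:
        direct_child = _under(parent, root) and len(_parts(parent)) == len(_parts(root)) + 1
        if direct_child and looks_random(parent.name) and path.suffix.lower() in SUSPICIOUS_EXT:
            return f"{path.suffix} launched from random subfolder of {root}"
    return None


def check_image_load(process_image, loaded_dll):
    """Rule 2: trusted-location process pulling a DLL from a writable path."""
    trusted = any(_under(process_image, d) for d in TRUSTED_DIRS)
    writable = any(_under(loaded_dll, d) for d in USER_WRITABLE)
    if trusted and writable:
        return f"trusted process {PureWindowsPath(process_image).name} loaded DLL from {loaded_dll}"
    return None


def triage(events):
    """Run both rules over a list of event dicts; return (index, reason) pairs."""
    findings = []
    for i, ev in enumerate(events):
        if ev["id"] == 1:
            reason = check_process_create(ev["Image"])
        elif ev["id"] == 7:
            reason = check_image_load(ev["Image"], ev["ImageLoaded"])
        else:
            reason = None
        if reason:
            findings.append((i, reason))
    return findings


# Constructed sample events (Sysmon-like: id 1 = process create, id 7 = image load).
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Users\Public\Music\k8Fq2zL9\svcmon.scr"},          # hit: rule 1
    {"id": 1, "Image": r"C:\Program Files\ExampleApp\exampleapp.exe"},          # clean
    {"id": 1, "Image": r"C:\Users\Public\Downloads\setup.exe"},                # clean
    {"id": 7, "Image": r"C:\Program Files\ExampleAV\avupdater.exe",
     "ImageLoaded": r"C:\ProgramData\x7Ht93Qa\helper.dll"},                    # hit: rule 2
    {"id": 7, "Image": r"C:\Program Files\ExampleAV\avupdater.exe",
     "ImageLoaded": r"C:\Windows\System32\helper.dll"},                        # clean
]

if __name__ == "__main__":
    for idx, why in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {why}")
```

Rule 2 is the more valuable of the two in practice: it does not depend on guessing folder names, and it flags exactly the condition the article describes, a process that security tooling trusts loading code it should never have found on the search path. Expect some benign noise from installers and updaters that legitimately stage DLLs under ProgramData, so tune the writable-path list per environment.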