Metamorfo malspam campaigns pushing banking malware to victims in Brazil

• The banking malware variants are designed to steal credentials and card payment data.
• Researchers spotted two Metamorfo campaigns pushing banking malware that cropped up in late October and early November.

Two new Metamorfo malspam campaigns have been spotted by security experts. The campaigns have been pushing banking malware variants that are capable of stealing credentials and card payment data. These campaigns are specifically targeting customers of financial institutions in Brazil.

According to Cisco Talos researchers, who discovered the new campaigns, the cybercriminals behind these attacks used shortened links to distribute the banking malware variants.

Since most corporate organizations allow employees to access shortened links, this makes it more likely that victims click on malicious shortened links. Researchers found 699 clicks on the malicious shortened link pushed by the first malware campaign.

Modus operandi

“These campaigns used different file types for the initial download and infection process, and ultimately delivered two separate banking trojans that target Brazilian financial institutions. Both campaigns used the same naming convention for various files used during the infection process and featured the abuse of link-shortening services to obscure the actual distribution servers used,” Cisco Talos researchers wrote in a blog.

Although both campaigns use shortened links, the second campaign, which began in early November, uses a different malware delivery method and targets Portuguese-speaking victims.

“Both of these campaigns eventually deliver a banking trojan. However, Talos identified additional tools and malware hosted on the Amazon S3 Bucket. This malware is a remote administration tool with the capability to create emails,” the researchers added. “The emails are created on the BOL Online email platform, an internet portal that provides email hosting and free email services in Brazil. The attacker's main goal appears to be creating a botnet of systems dedicated to email creation.”

Infection rate

The researchers found 700 compromised 700 systems, which the first machine compromised on October 23. The researchers also found that a botnet created over 4,000 unique emails on the BOL service, some of which were used to launch the spam campaigns.

The financial organizations being targeted by the two campaigns are Santander, Itaù, Banco do Brasil, Caixa, Sicredi, Bradesco, Safra, Sicoob, Banco da Amazonia, Banco do Nordeste, Banestes, Banrisul, Banco de Brasilia and Citi.

“This strain of malware is prevalent throughout the world and is further proof that banking trojans remain popular. With this sample, the attacker targets specific Brazilian banking institutions. This could suggest the attacker is from South America, where they could find it easier to use the obtained details and credentials to carry out illicit financial activities,” Cisco Talos researchers said.