Stealing users' banking details has become common practice for attackers in recent times. A report published by cybersecurity researchers at Fortinet details a malware that is targeting online banks globally.
As per the report, the banking trojan Metamorfo has targeted users of more than 20 prominent online banks in North and South America. This includes countries like Canada, Peru, Brazil, Mexico, Spain, Chile, Ecuador and even the US.
How Metamorfo Works
In this phishing scam, the attack starts with an email. These phishing emails sent to users of the banks claim to contain information about an invoice or a bill. To access the invoice content, the email requests the user to download a file that is in .ZIP format. Once the user downloads and runs the file on a Windows PC, the attack starts.
When a user runs the file, it first performs a check to ensure that it is not running in a sandbox or a virtual environment. It then decompresses the .ZIP file into a newly created folder with a random-string name. The folder contains three files with random names. One of these three files is an AutoIt script execution program. According to a Fortinet researcher, the main reason for using AutoIt could be to bypass detection by antivirus software.
Once the Metamorfo trojan is ready to run on the victim's computer, it starts by terminating running browsers such as Firefox, Chrome, Microsoft Edge and Opera. After the termination process, it modifies some registry key values in order to disable the auto-suggest and auto-fill functionality of the browsers.
With auto-suggest and auto-fill disabled, users now have to type whole URLs, login details and passwords into the browser. This simple trick allows the malware's keylogger function to record the victim's keyboard input. Apart from these inputs, the malware also collects information about the system, such as OS version, computer name, and other general info.
After full execution, the malware sends a “Post Packet” to the attacker’s command and control server to inform the attacker that a computer has been infected. The malware also has a function that monitors 32 keywords linked to the targeted banks. It uses these keywords to notify the attacker in real time when the victim is trying to access the banking services.
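As an added example of the check a defender might run (this is not code from the article or from the Fortinet report), the PowerShell script below audits the browser policy registry values that turn off password saving and form autofill in Chrome, Edge and Firefox. The policy names are real browser policies, but the article does not name the keys Metamorfo modifies, so treating these values as the ones to inspect is an assumption.

```powershell
# Added example: audit browser policy values that disable password saving and
# form autofill. Assumption: the malware writes these policy values; the
# article only states that it modifies registry keys to disable auto-fill.
# Run in PowerShell on the Windows host being checked.

$checks = @(
    # Path, value name, and the value that means the feature has been disabled
    @{ Browser='Chrome';  Path='HKLM:\SOFTWARE\Policies\Google\Chrome';   Name='PasswordManagerEnabled';    Bad=0 },
    @{ Browser='Chrome';  Path='HKLM:\SOFTWARE\Policies\Google\Chrome';   Name='AutofillAddressEnabled';    Bad=0 },
    @{ Browser='Chrome';  Path='HKLM:\SOFTWARE\Policies\Google\Chrome';   Name='AutofillCreditCardEnabled'; Bad=0 },
    @{ Browser='Edge';    Path='HKLM:\SOFTWARE\Policies\Microsoft\Edge';  Name='PasswordManagerEnabled';    Bad=0 },
    @{ Browser='Edge';    Path='HKLM:\SOFTWARE\Policies\Microsoft\Edge';  Name='AutofillAddressEnabled';    Bad=0 },
    @{ Browser='Firefox'; Path='HKLM:\SOFTWARE\Policies\Mozilla\Firefox'; Name='PasswordManagerEnabled';    Bad=0 },
    @{ Browser='Firefox'; Path='HKLM:\SOFTWARE\Policies\Mozilla\Firefox'; Name='DisableFormHistory';        Bad=1 }
)

$findings = foreach ($c in $checks) {
    # Policies can be set machine-wide (HKLM) or per user (HKCU); check both.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path = $c.Path -replace '^HKLM:', $hive
        if (-not (Test-Path $path)) { continue }
        $item = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $value = $item.($c.Name)
        if ($value -eq $c.Bad) {
            [pscustomobject]@{
                Browser = $c.Browser
                Key     = $path
                Name    = $c.Name
                Value   = $value
            }
        }
    }
}

if ($findings) {
    Write-Warning "Browser password-manager/autofill policies are disabled on this host:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No password-manager/autofill policies found disabled."
}
```

A hit is only suspicious when no enterprise policy (Group Policy or an endpoint management tool) is expected to set these values; on a managed machine, compare the findings against the intended policy baseline before treating them as an indicator.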
How to Prevent The Attack
To avoid falling prey to this malware, first be careful with unknown or suspicious emails. Even if an email claims to contain valuable information, check the source of the email and the file it asks you to download. Also, be sure to run the latest version of the software on your machine with all the latest security updates. Installing an antivirus can also help in detecting the malware before it is run on the system.