Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Metamorfo

88
Global rank
110 infographic chevron month
Month rank
117
Week rank
0
IOCs

Metamorfo is a trojan malware family that has been active since 2018. It remains a top threat, focusing on stealing victims’ financial information, including banking credentials and other data. The malware is known for targeting users in Brazil.

Trojan
Type
Unknown
Origin
1 April, 2018
First seen
28 January, 2025
Last seen
Also known as
Casbaneiro

How to analyze Metamorfo with ANY.RUN

Type
Unknown
Origin
1 April, 2018
First seen
28 January, 2025
Last seen

IOCs

IP addresses
18.184.132.208
80.211.249.77
191.232.234.184
62.72.22.30
152.89.247.161
52.138.9.49
20.92.164.32
149.100.158.179
149.56.173.89
187.84.229.107
3.136.20.196
186.192.140.7
172.200.176.88
45.32.90.70
154.223.16.114
154.56.63.216
168.119.104.103
108.61.188.171
18.209.163.113
5.83.162.24
Domains
backupdataz.com
apkelites10.com
157.150.167.72.host.secureserver.net
mydhtv.ddns.net
som.servemp3.com
viewfilers.live
ambjulio.com
srv99.tk
novodoid.ddns.net
org.freedynamicdns.net
k9b.site
egtdhfhnjgj.for-our.info
hackorchronix.no-ip.biz
frances.gotdns.ch
hotliksjfu.isa-hockeynut.com
bejnz.com
contas.store
familysinaloa.website
pgs99.online
contratakpuma.duckdns.org
URLs
http://159.100.18.13/INFB/index14.php
http://159.100.18.13/ps/index14.php
http://159.100.18.13/ps1/index14.php
http://159.100.18.13/ldht/index26.php
http://181.214.48.57/coder/registra.php
http://3.145.213.63/contador/serv.php
http://86.38.217.167/ps1/index.php
http://86.38.217.167/ps/index.php
http://86.38.217.167/09/index.php
http://172.233.14.110/webmasterfox/registra.php
http://172.233.14.110/ninho/ybnzkvj.php
http://107.175.70.216/greelo/ybnzkvj.php
http://54.39.10.86/c/serv.php
http://86.38.217.167/relat/index.php
http://86.38.217.167/13/index.php
http://86.38.217.167/ld/index.php
http://86.38.217.167/vth/vth
http://adbd.tech/26/index.php
http://86.38.217.167/07/index.php
http://86.38.217.167/21/index.php
Last Seen at

Recent blog posts

post image
I Used a Sandbox to Strengthen Bank’s Securit...
watchers 220
comments 0
post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 596
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1488
comments 0

What is Metamorfo malware?

Metamorfo, also known as Casbaneiro, is a trojan malware family used for exfiltrating financial information. The operators behind the malicious software spread it primarily via phishing campaigns. While initially, users living in Brazil were the core victims of the malware, the attackers later expanded the list of targeted countries.

Keylogging serves as the main method of collecting information from the infected devices. To facilitate the process, Metamorfo can display fake bank forms requesting users’ credentials. At the same time, the malware can also be employed to steal other sensitive data, as well as take screenshots.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the Metamorfo malicious software

One of the ways Metamorfo manages to collect users’ login banking info is by first killing all the browser processes and then modifying the registry to disable auto-complete and auto-suggest. This is done to force the user to enter their login and other form details manually, allowing Metamorfo’s keylogging capability to record the keys they press.

Metamorfo also can scan the clipboard and replace any saved crypto wallet address with that of the attacker. As a result, victims may unknowingly send their funds to criminals.

On top of that, the malware can search for certain files on the infected device using specific keywords and exfiltrate them to the attacker. Metamorfo can also download additional files from its C2, meaning that it can update itself and install other malicious software.

Many attacks involving the malware have been observed to implement DLL hijacking. This technique enables Metamorfo to run its code with the help of legitimate processes, which allows it to stay undetected by traditional security solutions.

The malware can also display fake security pop-ups of popular Brazilian banks, informing the users that their account has been compromised. The next window then requests the victim to share their login credentials.

Metamorfo gains persistence on the system by creating a task that launches the malware at every new startup.

Execution process of Metamorfo

Let’s upload a sample of Metamorfo to the ANY.RUN sandbox to explore its execution chain.

This particular Trojan family often employs a deceptive strategy of embedding itself into installers that unsuspecting users download in the hopes of installing legitimate software. Our analyzed sample, also in MSI format, deviates from this common modus operandi by employing more sophisticated installation techniques. Instead of relying on fake installer windows to blend in, it utilizes a combination of a hidden window and the header "Installation Database" to conceal its installation process.

Upon execution, the downloaded sample establishes a connection to a remote server to retrieve the primary payload, Metamorfo. Once Metamorfo is downloaded, it is launched, initiating a series of malicious activities. These activities include creating a file in the startup directory to ensure its persistent operation and, to evade detection, subsequently removing this file from the startup registry.

Once established, the dropped file, SlimBoat, takes center stage, orchestrating a coordinated attack on the compromised system. It loads additional modules, establishes a connection to the remote server, and embarks on the primary objective of exfiltrating sensitive information.

Metamorfo process tree shown in ANY.RUN Metamorfo's process tree demonstrated in ANY.RUN

Distribution methods of the Metamorfo malware

Similar to other trojan malware families like Agent Tesla and Remcos, Metamorfo is distributed using phishing emails with malicious attachments in the form of archives with an .MSI file inside and PDFs. In some attacks, criminals also send links. The subject of the email usually concerns finance, asking the recipient to conduct an invoice payment.

Conclusion

Despite being active since 2018, Metamorfo continues to pose a major threat to users in Brazil and other countries, including the United States. Organizations without reliable security measures in place are particularly vulnerable to such attacks. As Metamorfo typically spreads through emails, checking all the incoming files and links should be top priority for organizations that do not wish to fall victim to the malware.

ANY.RUN is a cloud-based malware analysis sandbox that lets you quickly analyze any suspicious file and URL to determine whether it is malicious. The service also generates reports on the threats identified, containing all the necessary intelligence, including indicators of compromise (IOCs).

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Bluesky Ransomware screenshot
BlueSky ransomware, first identified in June 2022, shares code similarities with other well-known ransomware families like Conti and Babuk. It primarily spreads via phishing emails and malicious links and can propagate through networks using SMB protocols. BlueSky uses advanced evasion techniques, such as hiding its processes from debuggers via the NtSetInformationThread API, making it difficult for analysts to detect and mitigate its attacks.
Read More
Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More
Mallox screenshot
Mallox
mallox
Mallox is a ransomware strain that emerged in 2021, known for its ability to encrypt files and target database servers using vulnerabilities like RDP. Often distributed through phishing campaigns and exploiting exposed SQL servers, it locks victims' data and demands a ransom. Mallox operates as a Ransomware-as-a-Service (RaaS), making it accessible to affiliates who use it to conduct attacks.
Read More