Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Metamorfo

88
Global rank
109 infographic chevron month
Month rank
117 infographic chevron week
Week rank
0
IOCs

Metamorfo is a trojan malware family that has been active since 2018. It remains a top threat, focusing on stealing victims’ financial information, including banking credentials and other data. The malware is known for targeting users in Brazil.

Trojan
Type
Unknown
Origin
1 April, 2018
First seen
28 January, 2025
Last seen
Also known as
Casbaneiro

How to analyze Metamorfo with ANY.RUN

Type
Unknown
Origin
1 April, 2018
First seen
28 January, 2025
Last seen

IOCs

IP addresses
18.184.132.208
80.211.249.77
191.232.234.184
62.72.22.30
152.89.247.161
52.138.9.49
20.92.164.32
149.100.158.179
149.56.173.89
187.84.229.107
3.136.20.196
186.192.140.7
172.200.176.88
45.32.90.70
154.223.16.114
154.56.63.216
168.119.104.103
108.61.188.171
18.209.163.113
5.83.162.24
Domains
backupdataz.com
apkelites10.com
157.150.167.72.host.secureserver.net
mydhtv.ddns.net
som.servemp3.com
viewfilers.live
ambjulio.com
srv99.tk
novodoid.ddns.net
org.freedynamicdns.net
k9b.site
egtdhfhnjgj.for-our.info
hackorchronix.no-ip.biz
frances.gotdns.ch
hotliksjfu.isa-hockeynut.com
bejnz.com
contas.store
familysinaloa.website
pgs99.online
contratakpuma.duckdns.org
URLs
http://159.100.18.13/INFB/index14.php
http://159.100.18.13/ps/index14.php
http://159.100.18.13/ps1/index14.php
http://159.100.18.13/ldht/index26.php
http://181.214.48.57/coder/registra.php
http://3.145.213.63/contador/serv.php
http://86.38.217.167/ps1/index.php
http://86.38.217.167/ps/index.php
http://86.38.217.167/09/index.php
http://172.233.14.110/webmasterfox/registra.php
http://172.233.14.110/ninho/ybnzkvj.php
http://107.175.70.216/greelo/ybnzkvj.php
http://54.39.10.86/c/serv.php
http://86.38.217.167/relat/index.php
http://86.38.217.167/13/index.php
http://86.38.217.167/ld/index.php
http://86.38.217.167/vth/vth
http://adbd.tech/26/index.php
http://86.38.217.167/07/index.php
http://86.38.217.167/21/index.php
Last Seen at

Recent blog posts

post image
I Used a Sandbox to Strengthen Bank’s Securit...
watchers 53
comments 0
post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 559
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1430
comments 0

What is Metamorfo malware?

Metamorfo, also known as Casbaneiro, is a trojan malware family used for exfiltrating financial information. The operators behind the malicious software spread it primarily via phishing campaigns. While initially, users living in Brazil were the core victims of the malware, the attackers later expanded the list of targeted countries.

Keylogging serves as the main method of collecting information from the infected devices. To facilitate the process, Metamorfo can display fake bank forms requesting users’ credentials. At the same time, the malware can also be employed to steal other sensitive data, as well as take screenshots.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the Metamorfo malicious software

One of the ways Metamorfo manages to collect users’ login banking info is by first killing all the browser processes and then modifying the registry to disable auto-complete and auto-suggest. This is done to force the user to enter their login and other form details manually, allowing Metamorfo’s keylogging capability to record the keys they press.

Metamorfo also can scan the clipboard and replace any saved crypto wallet address with that of the attacker. As a result, victims may unknowingly send their funds to criminals.

On top of that, the malware can search for certain files on the infected device using specific keywords and exfiltrate them to the attacker. Metamorfo can also download additional files from its C2, meaning that it can update itself and install other malicious software.

Many attacks involving the malware have been observed to implement DLL hijacking. This technique enables Metamorfo to run its code with the help of legitimate processes, which allows it to stay undetected by traditional security solutions.

The malware can also display fake security pop-ups of popular Brazilian banks, informing the users that their account has been compromised. The next window then requests the victim to share their login credentials.

Metamorfo gains persistence on the system by creating a task that launches the malware at every new startup.

Execution process of Metamorfo

Let’s upload a sample of Metamorfo to the ANY.RUN sandbox to explore its execution chain.

This particular Trojan family often employs a deceptive strategy of embedding itself into installers that unsuspecting users download in the hopes of installing legitimate software. Our analyzed sample, also in MSI format, deviates from this common modus operandi by employing more sophisticated installation techniques. Instead of relying on fake installer windows to blend in, it utilizes a combination of a hidden window and the header "Installation Database" to conceal its installation process.

Upon execution, the downloaded sample establishes a connection to a remote server to retrieve the primary payload, Metamorfo. Once Metamorfo is downloaded, it is launched, initiating a series of malicious activities. These activities include creating a file in the startup directory to ensure its persistent operation and, to evade detection, subsequently removing this file from the startup registry.

Once established, the dropped file, SlimBoat, takes center stage, orchestrating a coordinated attack on the compromised system. It loads additional modules, establishes a connection to the remote server, and embarks on the primary objective of exfiltrating sensitive information.

Metamorfo process tree shown in ANY.RUN Metamorfo's process tree demonstrated in ANY.RUN

Distribution methods of the Metamorfo malware

Similar to other trojan malware families like Agent Tesla and Remcos, Metamorfo is distributed using phishing emails with malicious attachments in the form of archives with an .MSI file inside and PDFs. In some attacks, criminals also send links. The subject of the email usually concerns finance, asking the recipient to conduct an invoice payment.

Conclusion

Despite being active since 2018, Metamorfo continues to pose a major threat to users in Brazil and other countries, including the United States. Organizations without reliable security measures in place are particularly vulnerable to such attacks. As Metamorfo typically spreads through emails, checking all the incoming files and links should be top priority for organizations that do not wish to fall victim to the malware.

ANY.RUN is a cloud-based malware analysis sandbox that lets you quickly analyze any suspicious file and URL to determine whether it is malicious. The service also generates reports on the threats identified, containing all the necessary intelligence, including indicators of compromise (IOCs).

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

BlackMoon screenshot
BlackMoon
blackmoon
BlackMoon also known as KrBanker is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has impressively evolved since by adding a number of new infiltration techniques and information stealing methods.
Read More
Lumma screenshot
Lumma
lumma
Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.
Read More
Cobalt Strike screenshot
Cobalt Strike
cobaltstrike
Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.
Read More
Black Basta screenshot
Black Basta
blackbasta
Black Basta is a ransomware-as-a-service operated by Storm-1811. It emerged in 2022 and uses double extortion tactics, encrypting data and stealing it for ransom. The malware often gains access through spear-phishing and uses tools like QakBot and Cobalt Strike. It's known for exploiting system vulnerabilities and using advanced obfuscation techniques.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More
SSLoad screenshot
SSLoad
ssload
SSLoad is a malicious loader or downloader that is used to infiltrate target systems through phishing emails, perform reconnaissance and transmit it back to its operators delivering malicious payloads. To avoid detection, SSLoad employs various encryption methods and delivery techniques highlighting its versatile nature and complexity. It is believed to be a part of Malware-as-a-Service (MaaS) operation given its diverse delivery methods and implemented techniques.
Read More