Metamorfo
Associated Software Descriptions
| Name | Description |
|---|---|
| Casbaneiro |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1036 | .005 | 伪装: Match Legitimate Name or Location |
Metamorfo has disguised an MSI file as the Adobe Acrobat Reader Installer and has masqueraded payloads as OneDrive, WhatsApp, or Spotify, for example.[1][2] |
| Enterprise | T1112 | 修改注册表 |
Metamorfo has written process names to the Registry, disabled IE browser features, deleted Registry keys, and changed the ExtendedUIHoverTime key.[1][3][4][2] |
|
| Enterprise | T1129 | 共享模块 |
Metamorfo had used AutoIt to load and execute the DLL payload.[3] |
|
| Enterprise | T1115 | 剪贴板数据 |
Metamorfo has a function to hijack data from the clipboard by monitoring the contents of the clipboard and replacing the cryptocurrency wallet with the attacker's.[3][2] |
|
| Enterprise | T1573 | .001 | 加密通道: Symmetric Cryptography | |
| .002 | 加密通道: Asymmetric Cryptography |
Metamorfo's C2 communication has been encrypted using OpenSSL.[1] |
||
| Enterprise | T1574 | .002 | 劫持执行流: DLL Side-Loading | |
| Enterprise | T1140 | 反混淆/解码文件或信息 |
Upon execution, Metamorfo has unzipped itself after being downloaded to the system and has performed string decryption.[1][4][2] |
|
| Enterprise | T1547 | .001 | 启动或登录自动启动执行: Registry Run Keys / Startup Folder |
Metamorfo has configured persistence to the Registry key |
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell | |
| .005 | 命令与脚本解释器: Visual Basic | |||
| .007 | 命令与脚本解释器: JavaScript | |||
| Enterprise | T1562 | .001 | 妨碍防御: Disable or Modify Tools |
Metamorfo has a function to kill processes associated with defenses and can prevent certain processes from launching.[1][4] |
| Enterprise | T1113 | 屏幕捕获 |
Metamorfo can collect screenshots of the victim’s machine.[4][2] |
|
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols | |
| Enterprise | T1010 | 应用窗口发现 |
Metamorfo can enumerate all windows on the victim’s machine.[4][3] |
|
| Enterprise | T1565 | .002 | 数据操控: Transmitted Data Manipulation |
Metamorfo has a function that can watch the contents of the system clipboard for valid bitcoin addresses, which it then overwrites with the attacker's address.[3][2] |
| Enterprise | T1083 | 文件和目录发现 |
Metamorfo has searched the Program Files directories for specific folders and has searched for strings related to its mutexes.[1][3][4] |
|
| Enterprise | T1106 | 本机API | ||
| Enterprise | T1027 | .002 | 混淆文件或信息: Software Packing | |
| .013 | 混淆文件或信息: Encrypted/Encoded File | |||
| Enterprise | T1204 | .002 | 用户执行: Malicious File |
Metamorfo requires the user to double-click the executable to run the malicious HTA file or to download a malicious installer.[4][2] |
| Enterprise | T1070 | 移除指标 |
Metamorfo has a command to delete a Registry key it uses, |
|
| .004 | File Deletion |
Metamorfo has deleted itself from the system after execution.[1][3] |
||
| Enterprise | T1218 | .005 | 系统二进制代理执行: Mshta | |
| .007 | 系统二进制代理执行: Msiexec |
Metamorfo has used MsiExec.exe to automatically execute files.[3][2] |
||
| Enterprise | T1082 | 系统信息发现 |
Metamorfo has collected the hostname and operating system version from the compromised host.[4][3][2] |
|
| Enterprise | T1033 | 系统所有者/用户发现 |
Metamorfo has collected the username from the victim's machine.[2] |
|
| Enterprise | T1124 | 系统时间发现 | ||
| Enterprise | T1102 | .001 | 网络服务: Dead Drop Resolver |
Metamorfo has used YouTube to store and hide C&C server domains.[2] |
| .003 | 网络服务: One-Way Communication |
Metamorfo has downloaded a zip file for execution on the system.[1][4][3] |
||
| Enterprise | T1119 | 自动化收集 |
Metamorfo has automatically collected mouse clicks, continuous screenshots on the machine, and set timers to collect the contents of the clipboard and website browsing.[4] |
|
| Enterprise | T1497 | 虚拟化/沙盒规避 |
Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution.[1] |
|
| Enterprise | T1518 | 软件发现 |
Metamorfo has searched the compromised system for banking applications.[4][2] |
|
| .001 | Security Software Discovery |
Metamorfo collects a list of installed antivirus software from the victim’s system.[3][2] |
||
| Enterprise | T1105 | 输入工具传输 |
Metamorfo has used MSI files to download additional files to execute.[1][4][3][2] |
|
| Enterprise | T1056 | .001 | 输入捕获: Keylogging |
Metamorfo has a command to launch a keylogger and capture keystrokes on the victim’s machine.[3][2] |
| .002 | 输入捕获: GUI Input Capture |
Metamorfo has displayed fake forms on top of banking sites to intercept credentials from victims.[4] |
||
| Enterprise | T1057 | 进程发现 |
Metamorfo has performed process name checks and has monitored applications.[1] |
|
| Enterprise | T1055 | .001 | 进程注入: Dynamic-link Library Injection |
Metamorfo has injected a malicious DLL into the Windows Media Player process (wmplayer.exe).[1] |
| Enterprise | T1041 | 通过C2信道渗出 |
Metamorfo can send the data it collects to the C2 server.[2] |
|
| Enterprise | T1566 | .001 | 钓鱼: Spearphishing Attachment |
Metamorfo has been delivered to victims via emails with malicious HTML attachments.[4][2] |
| Enterprise | T1564 | .003 | 隐藏伪装: Hidden Window |
Metamorfo has hidden its GUI using the ShowWindow() WINAPI call.[1] |
| Enterprise | T1095 | 非应用层协议 | ||
| Enterprise | T1571 | 非标准端口 |
Metamorfo has communicated with hosts over raw TCP on port 9999.[4] |
|
| Enterprise | T1553 | .002 | 颠覆信任控制: Code Signing |
Metamorfo has digitally signed executables using AVAST Software certificates.[1] |