A new strain of malware is spreading among online banking users, stealing their passwords by disabling any autofill functions their devices might have and forcing them to manually retype their passwords while the malware copies the keystrokes.
The Metamorfo trojan malware has targeted the users of more than 20 banks across the globe, in countries such as the US, Canada, Peru, Chile, Spain, Brazil, Ecuador and Mexico. ZDNet reported that the attacks were first reported in Brazil, but have since spread to other online bank users.
Citing an analysis by cybersecurity researchers at Fortinet, ZDNet said that the Metamorfo malware installs itself on devices through phishing emails. The emails claim to contain information about an invoice and invite the victim to download and run a ZIP file that contains the malware.
Once the malware is installed on a device, it first checks whether it is running in a virtual environment or sandbox. After confirming that it is running in neither, Metamorfo runs an AutoIt script execution program to bypass antivirus detection. AutoIt is a scripting language designed to automate the Windows graphical user interface, so its scripts do not trigger antivirus warnings.
Metamorfo then terminates any running browsers and prevents any new browser windows from using auto-complete and auto-suggest features in data entry fields. This forces the user to type their passwords manually, allowing the malware's keylogger functionality to collect the data, which is then sent back to a server run by the attackers.
Fortinet researchers warned that Metamorfo also has a function that monitors for 32 keywords associated with the targeted banks. It is speculated that this monitoring lets the attackers be alerted in real time when the victim is trying to access online banking services.
The researchers have yet to reveal the keywords or the names of the banks being targeted, ZDNet reported, because the malware campaign is likely still ongoing and the attackers could change their angle of attack.