Metamorfo Banking Trojan Reappears to Steal your Credentials with Keylogger.

By Brandon Chun on February 28, 2020

What is it? Banking Trojan 

Dubbed as? Metamorfo


According to Threatpost, Metamorfo, a banking trojan malware known for targeting Brazilian companies back in 2018 is now expanding to other countries, and is targeting online banking users across the world. This includes countries like the United States, Canada, Peru, Chile, Brazil, Spain, Mexico, and Ecuador. This banking trojan malware makes users re-enter their banking login credentials so hackers (attackers) can steal them. The goal of this malware is to steal and harvest login credentials, finances, credit payment card information, financial institutions, and other personal information from users.


Negative outcome of Metamorfo infection includes:

  • Disruption in operations
  • Temporary or permanent loss of sensitive or proprietary information
  • Stolen credit card information
  • Stolen user’s login credentials
  • Stolen or loss of personal information
  • Potential loss or harm to an organization’s reputation

How does Metamorfo work?

First, Metamorfo was delivered by phishing emails, a type of social engineering attack. The phishing emails declares that they carry information about an invoice and asks the user (victim) to download a malicious ZIP file. By downloading and running the ZIP file, the Metamorfo trojan malware will execute on the user’s Windows operating system. Then after installing the ZIP file, Metamorfo will check to see whether it is running on a virtual environment or sandbox and if it is, it will not perform any actions. However, on the other hand, when Metamorfo is not running on a virtual environment or sandbox, it runs an AutoIT script that will close any browsers that are running and erase the auto-complete (a feature where an application can predict the word a user type within the input box), and auto-suggest within the browsers of Google Chrome, Mozilla Firefox, Internet Explorer, MS Edge, or Opera browser. 

By terminating the browsers, it forces users to restart them. Users will not be able to enter usernames, passwords, and other information. Therefore, users are unable to login to their online banking service until they retype their passwords. Then when users retype their login credentials or information, the keylogging function will record all keystrokes of the user typing and the information gets sent back to the attacker’s remote command and control server. Once the attacker obtains the user’s information, the attacker can now do whatever they want with the user’s information. 

According to a threat analysis researcher from Fortinet, the assembly language (ASM) code calls a function to decrypt the process name strings and then calls the function_TerminateProcess() to kill all the matched processes from the process list. It will also modify a couple registry keys so that it can disable the Internet Explorer (IE) browser’s function of auto-complete and auto-suggest. Additionally, the keys that are disabled are: “Use FormSuggest”, “FormSuggest Passwords”, “FormSuggest PW Ask” under the sub-key “HKCU\Software\Microsoft\Internet Explorer\Main”,  and “AutoSuggest” under the sub-key “HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete”. Refer to [2] for the assembly language image.

Researcher from Fortinet also mentions that, when Metamorfo is running on the infected machine, it will send a POST packet to the command and control server informing the attacker that the user’s machine has been infected. The Wireshark packet contains the victim’s operating system and once you decrypt the base64, you will be able to see the the operating system version, computer name, installed antivirus software. This also includes the version information of Metamorfo. Refer to [2] for the Wireshark POST packet and the data after base64 is decrypted.

Once the connection is established with the Command and Control server, the Metamorfo variant supports 119 controls commands. Refer to [2] to see the 119 controls commands and the table that lists most of the control commands along with the description of it. From there, you will be able to find what actions the Metamorfo variant can perform on the victim’s machine. 

Mitigations and best practices: 

  • Do not click on links, open any attachments, or provide any sensitive information from a suspicious looking email or text message. 
  • Humans are the weakest links. Train users to be educated and be aware of social engineering attacks like phishing, spear phishing, vishing, and others. This includes staying up to date with the latest vulnerabilities and malware that are happening.
  • Avoid sending money to anyone you are not familiar with or cannot verify as a legitimate company.
  • Block email attachments that are often linked with malware, like .dll and .exe. 
  • Block email attachments that antivirus software cannot scan such as .zip files. 
  • Update operating systems and antimalware and antivirus software to have the latest signatures of the malware. 
  • Banks will never send you an email or call you on the phone asking you to disclose any personal information such as password, credit or debit card number.


The Products/Tools provided below are not limited to this. There are many different types of products and tools out there. It is up to users to decide which products and tools will benefit them and their organization. 

  • Cisco Advanced Malware Protection (AMP) for Email Security: This product can “analyze emails for threats such as zero-day exploits that are hidden in malicious attachments. It gives you advanced protection against spear phishing, ransomware, and other sophisticated attacks.” 
  • Cisco Web Security Appliances (WSA): “protects you by automatically blocking risky sites and testing unknown sites first before allowing users link to them.” 
  • Mimecast’s Advanced Email Security With Targeted Threat Protection: protects and keeps your email safe. It can also help “defend against inbound spear-phishing, malware, spam, and zero-day attacks by combining innovative applications and policies with multiple detection engines and intelligence feeds.” They also offer protection for Uniform Resource Locator (URL), attachment, impersonation, and internal email. 

Note: The purpose of the section Products/Tools is to not advertise or sell any products or services. I am just providing the types of products and tools that are out there so users or consumers can take into consideration whether to use them or not. These products can help enhance security and can add another layer of protection.


[1] Zdnet, “This crafty malware makes you retype your passwords so it can steal them.” Retrieved 07 Feb 2020. Retrieved from  

[2] Fortinet, “Another metamorfo Variant Targeting Customers of Financial Institutions in More Countries.” Retrieved 04 Feb 2020. Retrieved from

[3] Threatpost, “Metamorfo Returns with Keylogger Trick to Target Financial Firms.” Retrieved 06 Feb 2020. Retrieved from

[4] SCMagazine, “Metamorfo banking malware spreads around the world.” Retrieved 07 Feb 2020. Retrieved from

[5] Cisco, “Advanced Malware Protection for Email Security.” Retrieved 12 Feb 2020. Retrieved from

[6] Cisco, “Cisco Web Security.” Retrieved 12 Feb 2020. Retrieved from

[7] Mimecast, “Email Security With Targeted Threat Protection.” Retrieved 12 Feb 2020. Retrieved from