Author: James Barnett
TLP: WHITE
On 18 August, cybersecurity researchers at Menlo Security reported an ongoing malware campaign that used HTML smuggling techniques to deliver the Metamorfo banking trojan.[1]
Metamorfo is a banking trojan that attempts to steal sensitive financial information and exfiltrate that data to a command and control (C2) server. What sets Metamorfo apart from other banking trojans is the wide variety of evasive techniques it uses to bypass security mechanisms and deliver its payload without being detected.
The Metamorfo campaign in this report involved malicious links that used embedded JavaScript to construct the initial malware component within the victim’s browser rather than transferring it as a traditional file download. This technique is known as HTML smuggling, and it allows threat actors to bypass security measures that are commonly used to block malicious URLs and file downloads.
While the report did not specify how this campaign distributed its malicious links, Metamorfo has used malicious spam (malspam) as its primary distribution method in previous campaigns.[2]
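As an added illustration, not part of this advisory or of the Menlo Security research, the following Python heuristic flags HTML that assembles a file inside the browser from an embedded payload and hands it to the user as a download, which is the HTML smuggling pattern described above. The indicator list, scoring threshold and both sample pages are constructed assumptions for the example.

```python
import re

# Each regex matches one building block a smuggling page needs in order to
# turn embedded data into a download without an ordinary HTTP file transfer.
INDICATORS = {
    "blob_ctor": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob|msSaveBlob", re.I),
    "decode_payload": re.compile(r"\batob\s*\(", re.I),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]", re.I),
    "auto_click": re.compile(r"\.click\s*\(\s*\)", re.I),
    "data_uri": re.compile(r"data:application/[^;'\"]+;base64,", re.I),
}
# A long run of base64 characters is the embedded payload itself.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{2000,}={0,2}")


def score_html(html):
    """Return (score, matched indicator names, large_blob_present)."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    large_blob = bool(BASE64_BLOB.search(html))
    # The embedded payload weighs more than any single API call, because
    # Blob/createObjectURL/click are all common on legitimate pages.
    score = len(hits) + (2 if large_blob else 0)
    return score, hits, large_blob


def is_suspicious(html, threshold=4):
    """Flag a page only when several indicators co-occur (assumed threshold)."""
    return score_html(html)[0] >= threshold


# Constructed sample: payload decoded client-side and pushed as a download.
SMUGGLING_SAMPLE = (
    "<html><body><script>\n"
    "var p = '" + "A" * 2500 + "';\n"
    "var b = new Blob([atob(p)], {type: 'application/octet-stream'});\n"
    "var a = document.createElement('a');\n"
    "a.href = URL.createObjectURL(b); a.download = 'invoice.zip'; a.click();\n"
    "</script></body></html>"
)

# Constructed sample: an ordinary page with a server-hosted download link.
BENIGN_SAMPLE = (
    "<html><body><a href='/reports/q3.pdf' download>Download report</a>\n"
    "<script>document.getElementById('x').click();</script></body></html>"
)

if __name__ == "__main__":
    for label, page in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_html(page), is_suspicious(page))
```

Because the download still reaches the user's disk, a content-inspection check like this belongs at the mail or web proxy, complemented by endpoint controls that inspect files the browser writes.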
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.
Endnotes
1. https://www.menlosecurity.com/blog/new-attack-alert-duri
2. https://www.fortinet.com/blog/threat-research/analysis-metamorfo-variant-targets-financial-organizations