Metamorfo MSI Analysis and IOC Extraction

In this blog post, we'll be doing some basic analysis of a Metamorfo MSI package. According to MITRE, Metamorfo is a Latin American banking trojan primarily targeting Brazil and Mexico.

The first thing I did was grab the MSI package and see what tables it contained:

I then dumped the tables to be better able to interact with them and view their contents:

I took a look in the CustomAction table, and that's where I found some obfuscated VB code:

Normally in this instance, I copy the code over to VisualStudio to better interact with it. My goal in doing this isn't necessarily code reversing, but getting an idea of what the code is doing to extract IOCs and disseminate them.

One of the fortunate features of Visual Studio Code is being able to select a code pattern and change all occurrences of it in the code. This is where I choose to name the variables something intuitive, like "WScriptShell" or "HTTPRequest." It helps the analysis go faster and smoother.

In the top line I observed this string, and after a few minutes of reviewing the code, I realized that the domain was actually legible amongst the repeated "cxoby" pattern. I copied the string over to a new file and removed the obfuscation pattern:

At the bottom of the code, with the cleaned up replacements, we see the web request to the deobfuscated domain I identified above, and it pulling down a file and writing it to the user profile pictures folder (C:\Users\USERNAME\Pictures).

IOCs

Domains:

http://plugtree[.]duckdns[.]org/libwinpthread-1.css

File Path:

C:\Users\USERNAME\Pictures (look for .zip files)

Registry Keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

value: 85›ðQc93ay‰§5»MGn‡YIUeh

Directory points to file path above