S0455: Metamorfo
Analyst context for executives and security teams
Metamorfo matters because ATT&CK describes it as a Windows banking trojan focused on banks and cryptocurrency services in Brazil and Mexico. For leaders, the practical issue is not only malware blocking; the related behaviors include credential and GUI input capture, discovery of users/processes/windows/files, command-and-control, tool transfer, exfiltration over C2, registry modification, DLL injection, and evidence removal. That combination can turn a single infected endpoint into a fraud, credential-theft, and incident-response visibility problem.
Executive priority
Prioritize Metamorfo as a financial-services and digital-asset risk scenario where Windows endpoint visibility, identity protection, fraud response, and SOC/IR readiness intersect. Executives should ask whether endpoints used for banking, treasury, crypto operations, finance administration, or privileged access have sufficient monitoring for credential capture, suspicious scripting, C2 over web-like channels, registry changes, injected processes, and file deletion. The object has no official ATT&CK detection text, so coverage should be proven through local telemetry and control validation rather than assumed from malware signatures alone.
Technical view
ATT&CK lists Metamorfo as Windows malware and relates it to discovery, execution, credential-access/collection, command-and-control, exfiltration, persistence/defense impairment, and stealth techniques. SOC and detection teams should validate behavior-based coverage for Application Window Discovery, System Owner/User Discovery, Process Discovery, System Information Discovery, File and Directory Discovery, Windows Command Shell, Visual Basic, JavaScript, Native API activity, DLL Injection, Keylogging, GUI Input Capture, Modify Registry, Web Protocols C2, Non-Application Layer Protocol C2, Dead Drop Resolver, One-Way Communication, Ingress Tool Transfer, Exfiltration Over C2 Channel, Software Packing, Encrypted/Encoded Files, masquerading by matching legitimate resource names or locations, Indicator Removal, and File Deletion. Because no official detection guidance is provided, detections should be mapped to these related techniques and tested against normal Windows administrative and user activity.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Script execution telemetry for Windows command shell, Visual Basic, and JavaScript/JScript activity
- Endpoint file creation, modification, deletion, and packed or encoded file indicators
- Windows Registry modification events
- Process injection or DLL load telemetry where available
Detection direction
- Do not rely only on malware family names or static signatures; ATT&CK relationships show multiple stealth and obfuscation behaviors including packing, encrypted/encoded files, masquerading, and file deletion.
- Correlate discovery bursts on Windows endpoints with subsequent scripting, registry modification, process injection, external communications, or file transfer activity.
- Tune command shell, Visual Basic, and JavaScript detections to distinguish normal administration from unusual execution chains, especially when launched from unexpected user contexts or locations.
- Hunt for suspicious registry changes paired with persistence or defense-impairment context rather than treating all registry activity as equally suspicious.
- Review web-protocol C2 detections for blind spots involving legitimate external web services, dead drop resolver patterns, and one-way command retrieval.
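The correlation the bullets above call for, written out as an added example that is not part of the ATT&CK object or of Glexia's analysis. It walks constructed, Sysmon-like endpoint events (process creation, registry value set, outbound connection), looks for a burst of distinct discovery techniques on one host, and raises an alert only when follow-on behaviour this page relates to Metamorfo (mshta/msiexec, Run-key persistence, the ExtendedUIHoverTime value, raw TCP to a non-standard port) appears within a short window. Host names, paths, addresses, ports and the thresholds are assumptions; the routine-administration host and the host whose odd connection falls outside the window show how the rule avoids treating every discovery or registry event as equally suspicious.

```python
"""Correlate a Windows discovery burst with follow-on behaviour (added example).

Events are a constructed, Sysmon-like abstraction: process creation ("process"),
registry value set ("registry") and outbound connection ("network"). Hosts, paths,
IPs and epoch-second timestamps are made up for the demonstration."""
from collections import defaultdict

# Discovery-class binaries mapped to the related ATT&CK techniques on this page.
DISCOVERY_IMAGES = {
    "whoami.exe": "T1033 System Owner/User Discovery",
    "hostname.exe": "T1082 System Information Discovery",
    "systeminfo.exe": "T1082 System Information Discovery",
    "tasklist.exe": "T1057 Process Discovery",
}
# Follow-on execution through script/installer hosts the page relates to Metamorfo.
FOLLOWUP_IMAGES = {
    "mshta.exe": "T1218.005 Mshta",
    "msiexec.exe": "T1218.007 Msiexec",
    "wscript.exe": "T1059.005/T1059.007 Script host",
    "cscript.exe": "T1059.005/T1059.007 Script host",
}
COMMON_PORTS = {80, 443, 53, 445, 135, 139, 3389}  # assumed baseline for this demo


def image_name(e):
    return e.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_discovery(e):
    """Technique label if the event is discovery-class, else None."""
    if e["type"] != "process":
        return None
    img = image_name(e)
    if img in DISCOVERY_IMAGES:
        return DISCOVERY_IMAGES[img]
    cmd = e.get("cmdline", "").lower()
    if img == "cmd.exe" and "dir " in cmd and "program files" in cmd:
        return "T1083 File and Directory Discovery"
    return None


def classify_followup(e):
    """Technique label for follow-on activity worth correlating, else None."""
    if e["type"] == "process":
        return FOLLOWUP_IMAGES.get(image_name(e))
    if e["type"] == "registry":
        if "\\currentversion\\run" in e.get("key", "").lower():
            return "T1547.001 Registry Run Keys"
        if e.get("value", "").lower() == "extendeduihovertime":
            return "T1112 Modify Registry (ExtendedUIHoverTime)"
    if e["type"] == "network":
        if e.get("protocol") == "tcp" and e.get("dst_port") not in COMMON_PORTS:
            return "T1571 Non-Standard Port / T1095 raw TCP"
    return None


def correlate(events, burst_window=120, followup_window=600, min_techniques=3):
    """One alert per host: >= min_techniques distinct discovery techniques inside
    burst_window seconds, plus a follow-on event within followup_window seconds."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        disc = [(e["ts"], t) for e in evs for t in [classify_discovery(e)] if t]
        for start, _ in disc:
            techniques = {t for ts, t in disc if start <= ts <= start + burst_window}
            if len(techniques) < min_techniques:
                continue
            follow = [(e["ts"], t) for e in evs for t in [classify_followup(e)]
                      if t and start < e["ts"] <= start + followup_window]
            if follow:
                alerts.append({"host": host, "burst_start": start,
                               "discovery": sorted(techniques), "followups": follow})
                break  # first qualifying burst is enough for one alert per host
    return alerts


def p(ts, host, image, cmdline=""):  # small builder for constructed process events
    return {"ts": ts, "host": host, "type": "process", "image": image, "cmdline": cmdline}


SAMPLE_EVENTS = [  # constructed telemetry
    # FIN-WS01: discovery burst, then mshta, Run-key persistence and raw TCP to 9999
    p(1000, "FIN-WS01", r"C:\Windows\System32\whoami.exe"),
    p(1005, "FIN-WS01", r"C:\Windows\System32\hostname.exe"),
    p(1020, "FIN-WS01", r"C:\Windows\System32\tasklist.exe"),
    p(1030, "FIN-WS01", r"C:\Windows\System32\cmd.exe", r'cmd.exe /c dir "C:\Program Files"'),
    p(1100, "FIN-WS01", r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Users\a\AppData\Local\Temp\upd.hta"),
    {"ts": 1140, "host": "FIN-WS01", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Spotify"},
    {"ts": 1200, "host": "FIN-WS01", "type": "network", "protocol": "tcp", "dst_port": 9999},
    # ADMIN-WS02: routine administration, only two discovery techniques, no alert
    p(2000, "ADMIN-WS02", r"C:\Windows\System32\tasklist.exe"),
    p(2010, "ADMIN-WS02", r"C:\Windows\System32\systeminfo.exe"),
    {"ts": 2400, "host": "ADMIN-WS02", "type": "registry",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Backup"},
    # DEV-WS03: a full burst, but the odd connection comes too late to correlate
    p(3000, "DEV-WS03", r"C:\Windows\System32\whoami.exe"),
    p(3010, "DEV-WS03", r"C:\Windows\System32\hostname.exe"),
    p(3020, "DEV-WS03", r"C:\Windows\System32\tasklist.exe"),
    {"ts": 3700, "host": "DEV-WS03", "type": "network", "protocol": "tcp", "dst_port": 9999},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["host"], a["burst_start"], a["discovery"], a["followups"])
```

Counting distinct techniques rather than raw event volume is what keeps a single administrator running `tasklist` a few times from tripping the rule; tuning the two windows against your own baseline of administrative activity is the "distinguish normal administration" step the bullets describe.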
Mitigation priorities
- Start with asset and user scoping: identify Windows systems and accounts used for banking, treasury, cryptocurrency services, finance operations, and privileged administration.
- Harden endpoint prevention and monitoring against suspicious script execution, unauthorized tool transfer, packed or encoded executables, registry modification, and process injection.
- Restrict and monitor unnecessary scripting and command-shell use where business processes allow, while maintaining exceptions for documented administrative workflows.
- Strengthen egress controls and proxy/DNS logging for web-protocol communications and access to external services that could be abused for C2 redirection or one-way command retrieval.
- Use least privilege and identity controls to reduce the value of captured credentials and GUI prompts, particularly for finance and privileged users.
Analyst notes and limits
The supplied ATT&CK description identifies Metamorfo as a Latin-American banking trojan operated by a Brazilian cybercrime group, active since at least April 2018, focused on banks and cryptocurrency services in Brazil and Mexico. The strongest defender value comes from the relationship set: it indicates a Windows malware scenario involving discovery, credential/input capture, execution via shell and scripting, C2, exfiltration, registry modification, DLL injection, obfuscation, masquerading, tool transfer, and cleanup behaviors.
ATT&CK provides no official detection text for this object, no aliases, and no object-level tactics. Some related techniques list broad cross-platform applicability, but the malware object itself is supplied as Windows, so local validation should focus on Windows unless separate evidence supports other platforms. This summary does not establish current activity, customer exposure, specific indicators, or guaranteed detection coverage.
Metamorfo
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.007 | JavaScript Sub-technique | Metamorfo includes payloads written in JavaScript. (Citation: Medium Metamorfo Apr 2020) |
| Enterprise | T1518 | Software Discovery | Metamorfo has searched the compromised system for banking applications. (Citation: FireEye Metamorfo Apr 2018) (Citation: ESET Casbaneiro Oct 2019) |
| Enterprise | T1056.001 | Keylogging Sub-technique | Metamorfo has a command to launch a keylogger and capture keystrokes on the victim’s machine. (Citation: Fortinet Metamorfo Feb 2020) (Citation: ESET Casbaneiro Oct 2019) |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | Metamorfo collects a list of installed antivirus software from the victim’s system. (Citation: Fortinet Metamorfo Feb 2020) (Citation: ESET Casbaneiro Oct 2019) |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | Metamorfo's C2 communication has been encrypted using OpenSSL. (Citation: Medium Metamorfo Apr 2020) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Metamorfo has used HTTP for C2. (Citation: Medium Metamorfo Apr 2020) (Citation: ESET Casbaneiro Oct 2019) |
| Enterprise | T1218.007 | Msiexec Sub-technique | Metamorfo has used MsiExec.exe to automatically execute files. (Citation: Fortinet Metamorfo Feb 2020) (Citation: ESET Casbaneiro Oct 2019) |
| Enterprise | T1204.002 | Malicious File Sub-technique | Metamorfo requires the user to double-click the executable to run the malicious HTA file or to download a malicious installer. (Citation: FireEye Metamorfo Apr 2018) (Citation: ESET Casbaneiro Oct 2019) |
| Enterprise | T1055.001 | Dynamic-link Library Injection Sub-technique | Metamorfo has injected a malicious DLL into the Windows Media Player process (wmplayer.exe). (Citation: Medium Metamorfo Apr 2020) |
| Enterprise | T1102.001 | Dead Drop Resolver Sub-technique | Metamorfo has used YouTube to store and hide C&C server domains. (Citation: ESET Casbaneiro Oct 2019) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Metamorfo has encrypted payloads and strings. (Citation: Medium Metamorfo Apr 2020) (Citation: ESET Casbaneiro Oct 2019) |
| Enterprise | T1106 | Native API | Metamorfo has used native WINAPI calls. (Citation: Medium Metamorfo Apr 2020) (Citation: Fortinet Metamorfo Feb 2020) |
| Enterprise | T1574.001 | DLL Sub-technique | Metamorfo has side-loaded its malicious DLL file. (Citation: Medium Metamorfo Apr 2020) (Citation: FireEye Metamorfo Apr 2018) (Citation: ESET Casbaneiro Oct 2019) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Metamorfo has been delivered to victims via emails with malicious HTML attachments. (Citation: FireEye Metamorfo Apr 2018) (Citation: ESET Casbaneiro Oct 2019) |
| Enterprise | T1124 | System Time Discovery | Metamorfo uses JavaScript to get the system time. (Citation: Medium Metamorfo Apr 2020) |
| Enterprise | T1095 | Non-Application Layer Protocol | Metamorfo has used raw TCP for C2. (Citation: FireEye Metamorfo Apr 2018) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Metamorfo has configured persistence to the Registry key |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Metamorfo can send the data it collects to the C2 server. (Citation: ESET Casbaneiro Oct 2019) |
| Enterprise | T1070 | Indicator Removal | Metamorfo has a command to delete a Registry key it uses, |
| Enterprise | T1056.002 | GUI Input Capture Sub-technique | Metamorfo has displayed fake forms on top of banking sites to intercept credentials from victims. (Citation: FireEye Metamorfo Apr 2018) |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution. (Citation: Medium Metamorfo Apr 2020) |
| Enterprise | T1070.004 | File Deletion Sub-technique | Metamorfo has deleted itself from the system after execution. (Citation: Medium Metamorfo Apr 2020) (Citation: Fortinet Metamorfo Feb 2020) |
| Enterprise | T1112 | Modify Registry | Metamorfo has written process names to the Registry, disabled IE browser features, deleted Registry keys, and changed the ExtendedUIHoverTime key. (Citation: Medium Metamorfo Apr 2020) (Citation: Fortinet Metamorfo Feb 2020) (Citation: FireEye Metamorfo Apr 2018) (Citation: ESET Casbaneiro Oct 2019) |
| Enterprise | T1102.003 | One-Way Communication Sub-technique | Metamorfo has downloaded a zip file for execution on the system. (Citation: Medium Metamorfo Apr 2020) (Citation: FireEye Metamorfo Apr 2018) (Citation: Fortinet Metamorfo Feb 2020) |
| Enterprise | T1119 | Automated Collection | Metamorfo has automatically collected mouse clicks, continuous screenshots on the machine, and set timers to collect the contents of the clipboard and website browsing. (Citation: FireEye Metamorfo Apr 2018) |
| Enterprise | T1571 | Non-Standard Port | Metamorfo has communicated with hosts over raw TCP on port 9999. (Citation: FireEye Metamorfo Apr 2018) |
| Enterprise | T1218.005 | Mshta Sub-technique | Metamorfo has used mshta.exe to execute a HTA payload. (Citation: FireEye Metamorfo Apr 2018) |
| Enterprise | T1115 | Clipboard Data | Metamorfo has a function to hijack data from the clipboard by monitoring the contents of the clipboard and replacing the cryptocurrency wallet with the attacker's. (Citation: Fortinet Metamorfo Feb 2020) (Citation: ESET Casbaneiro Oct 2019) |
| Enterprise | T1129 | Shared Modules | Metamorfo had used AutoIt to load and execute the DLL payload. (Citation: Fortinet Metamorfo Feb 2020) |
| Enterprise | T1082 | System Information Discovery | Metamorfo has collected the hostname and operating system version from the compromised host. (Citation: FireEye Metamorfo Apr 2018) (Citation: Fortinet Metamorfo Feb 2020) (Citation: ESET Casbaneiro Oct 2019) |
| Enterprise | T1565.002 | Transmitted Data Manipulation Sub-technique | Metamorfo has a function that can watch the contents of the system clipboard for valid bitcoin addresses, which it then overwrites with the attacker's address. (Citation: Fortinet Metamorfo Feb 2020) (Citation: ESET Casbaneiro Oct 2019) |
| Enterprise | T1113 | Screen Capture | Metamorfo can collect screenshots of the victim’s machine. (Citation: FireEye Metamorfo Apr 2018) (Citation: ESET Casbaneiro Oct 2019) |
| Enterprise | T1553.002 | Code Signing Sub-technique | Metamorfo has digitally signed executables using AVAST Software certificates. (Citation: Medium Metamorfo Apr 2020) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Metamorfo has used |
| Enterprise | T1027.002 | Software Packing Sub-technique | Metamorfo has used VMProtect to pack and protect files. (Citation: Fortinet Metamorfo Feb 2020) |
| Enterprise | T1685 | Disable or Modify Tools | Metamorfo has a function to kill processes associated with defenses and can prevent certain processes from launching. (Citation: Medium Metamorfo Apr 2020) (Citation: FireEye Metamorfo Apr 2018) |
| Enterprise | T1010 | Application Window Discovery | Metamorfo can enumerate all windows on the victim’s machine. (Citation: FireEye Metamorfo Apr 2018) (Citation: Fortinet Metamorfo Feb 2020) |
| Enterprise | T1033 | System Owner/User Discovery | Metamorfo has collected the username from the victim's machine. (Citation: ESET Casbaneiro Oct 2019) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Metamorfo has disguised an MSI file as the Adobe Acrobat Reader Installer and has masqueraded payloads as OneDrive, WhatsApp, or Spotify, for example. (Citation: Medium Metamorfo Apr 2020) (Citation: ESET Casbaneiro Oct 2019) |
| Enterprise | T1105 | Ingress Tool Transfer | Metamorfo has used MSI files to download additional files to execute. (Citation: Medium Metamorfo Apr 2020) (Citation: FireEye Metamorfo Apr 2018) (Citation: Fortinet Metamorfo Feb 2020) (Citation: ESET Casbaneiro Oct 2019) |
| Enterprise | T1057 | Process Discovery | Metamorfo has performed process name checks and has monitored applications. (Citation: Medium Metamorfo Apr 2020) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Metamorfo has encrypted C2 commands with AES-256. (Citation: ESET Casbaneiro Oct 2019) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | Metamorfo has used VBS code on victims’ systems. (Citation: FireEye Metamorfo Apr 2018) |
| Enterprise | T1564.003 | Hidden Window Sub-technique | Metamorfo has hidden its GUI using the ShowWindow() WINAPI call. (Citation: Medium Metamorfo Apr 2020) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Upon execution, Metamorfo has unzipped itself after being downloaded to the system and has performed string decryption. (Citation: Medium Metamorfo Apr 2020) (Citation: FireEye Metamorfo Apr 2018) (Citation: ESET Casbaneiro Oct 2019) |
| Enterprise | T1083 | File and Directory Discovery | Metamorfo has searched the Program Files directories for specific folders and has searched for strings related to its mutexes. (Citation: Medium Metamorfo Apr 2020) (Citation: Fortinet Metamorfo Feb 2020) (Citation: FireEye Metamorfo Apr 2018) |
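The clipboard behaviour in the T1115 and T1565.002 rows above (watching the clipboard for a valid bitcoin address and overwriting it) suggests a simple endpoint check from the defender's side. What follows is an added example, not code from ATT&CK, Glexia or the malware reports the table cites: it validates addresses with Base58Check, the real legacy-address format check, so the detector keys on genuine addresses rather than any similar-looking string, and it flags a clipboard change in which a valid address becomes a different address-shaped value without a user-initiated copy. The observation list, the `user_copy` flag and the tampered address are constructed; on a real host the observations would come from a clipboard-change listener and `user_copy` from correlating the change with a copy keystroke or context-menu action.

```python
"""Detect clipboard wallet-address swaps (added example; constructed observations)."""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Shape check only: legacy P2PKH/P2SH addresses, 26-35 Base58 chars starting with 1 or 3.
ADDRESS_SHAPE = re.compile(r"^[13][" + B58_ALPHABET + r"]{25,34}$")


def b58decode(s):
    """Decode a Base58 string to bytes; each leading '1' is a leading zero byte."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_btc_address(s):
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    if not ADDRESS_SHAPE.match(s):
        return False
    raw = b58decode(s)
    if raw is None or len(raw) != 25:
        return False
    checksum = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return checksum == raw[21:]


def detect_swaps(observations):
    """observations: list of {ts, content, user_copy}. Flags a change in which a valid
    address is replaced by a different address-shaped string with no user copy event,
    which is the pattern a clipboard hijacker leaves behind."""
    alerts = []
    prev = None
    for obs in observations:
        cur = obs["content"].strip()
        if (prev is not None and cur != prev and is_valid_btc_address(prev)
                and ADDRESS_SHAPE.match(cur) and not obs["user_copy"]):
            alerts.append({"ts": obs["ts"], "original": prev, "replacement": cur,
                           "replacement_valid": is_valid_btc_address(cur)})
        prev = cur
    return alerts


# The Bitcoin genesis-block address is a well-known valid address; the "tampered"
# variant changes its last character so the checksum no longer matches (constructed).
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
TAMPERED_ADDRESS = GENESIS_ADDRESS[:-1] + "b"

SAMPLE_OBSERVATIONS = [  # constructed clipboard listener output
    {"ts": 1, "content": GENESIS_ADDRESS, "user_copy": True},    # user copies a payee address
    {"ts": 2, "content": TAMPERED_ADDRESS, "user_copy": False},  # silently replaced: alert
    {"ts": 3, "content": "meeting notes", "user_copy": False},   # not an address: ignore
    {"ts": 4, "content": GENESIS_ADDRESS, "user_copy": True},    # previous value not an address
    {"ts": 5, "content": TAMPERED_ADDRESS, "user_copy": True},   # user's own copy: no alert
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_OBSERVATIONS):
        print(a)
```

Reporting `replacement_valid` matters for triage: a replacement that also passes Base58Check is a usable destination address and points at money-diverting behaviour rather than clipboard corruption.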
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | 544ae66f95dc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Medium Metamorfo Apr 2020: Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
- [2] ESET Casbaneiro Oct 2019: ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
- [3] Casbaneiro (Citation: ESET Casbaneiro Oct 2019)
- [4] Metamorfo (Citation: Medium Metamorfo Apr 2020) (Citation: ESET Casbaneiro Oct 2019)
- [5] mitre-attack S0455
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.