Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0455: Metamorfo

Metamorfo is a Latin-American banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting banks and cryptocurrency services in Brazil and Mexico.[1][2]

EnterpriseS0455MalwareObject v2.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Metamorfo matters because ATT&CK describes it as a Windows banking trojan focused on banks and cryptocurrency services in Brazil and Mexico. For leaders, the practical issue is not only malware blocking; the related behaviors include credential and GUI input capture, discovery of users/processes/windows/files, command-and-control, tool transfer, exfiltration over C2, registry modification, DLL injection, and evidence removal. That combination can turn a single infected endpoint into a fraud, credential-theft, and incident-response visibility problem.

Executive priority

Prioritize Metamorfo as a financial-services and digital-asset risk scenario where Windows endpoint visibility, identity protection, fraud response, and SOC/IR readiness intersect. Executives should ask whether endpoints used for banking, treasury, crypto operations, finance administration, or privileged access have sufficient monitoring for credential capture, suspicious scripting, C2 over web-like channels, registry changes, injected processes, and file deletion. The object has no official ATT&CK detection text, so coverage should be proven through local telemetry and control validation rather than assumed from malware signatures alone.

Technical view

ATT&CK lists Metamorfo as Windows malware and relates it to discovery, execution, credential-access/collection, command-and-control, exfiltration, persistence/defense impairment, and stealth techniques. SOC and detection teams should validate behavior-based coverage for Application Window Discovery, System Owner/User Discovery, Process Discovery, System Information Discovery, File and Directory Discovery, Windows Command Shell, Visual Basic, JavaScript, Native API activity, DLL Injection, Keylogging, GUI Input Capture, Modify Registry, Web Protocols C2, Non-Application Layer Protocol C2, Dead Drop Resolver, One-Way Communication, Ingress Tool Transfer, Exfiltration Over C2 Channel, Software Packing, Encrypted/Encoded Files, masquerading by matching legitimate resource names or locations, Indicator Removal, and File Deletion. Because no official detection guidance is provided, detections should be mapped to these related techniques and tested against normal Windows administrative and user activity.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • Script execution telemetry for Windows command shell, Visual Basic, and JavaScript/JScript activity
  • Endpoint file creation, modification, deletion, and packed or encoded file indicators
  • Windows Registry modification events
  • Process injection or DLL load telemetry where available

Detection direction

  • Do not rely only on malware family names or static signatures; ATT&CK relationships show multiple stealth and obfuscation behaviors including packing, encrypted/encoded files, masquerading, and file deletion.
  • Correlate discovery bursts on Windows endpoints with subsequent scripting, registry modification, process injection, external communications, or file transfer activity.
  • Tune command shell, Visual Basic, and JavaScript detections to distinguish normal administration from unusual execution chains, especially when launched from unexpected user contexts or locations.
  • Hunt for suspicious registry changes paired with persistence or defense-impairment context rather than treating all registry activity as equally suspicious.
  • Review web-protocol C2 detections for blind spots involving legitimate external web services, dead drop resolver patterns, and one-way command retrieval.

Mitigation priorities

  • Start with asset and user scoping: identify Windows systems and accounts used for banking, treasury, cryptocurrency services, finance operations, and privileged administration.
  • Harden endpoint prevention and monitoring against suspicious script execution, unauthorized tool transfer, packed or encoded executables, registry modification, and process injection.
  • Restrict and monitor unnecessary scripting and command-shell use where business processes allow, while maintaining exceptions for documented administrative workflows.
  • Strengthen egress controls and proxy/DNS logging for web-protocol communications and access to external services that could be abused for C2 redirection or one-way command retrieval.
  • Use least privilege and identity controls to reduce the value of captured credentials and GUI prompts, particularly for finance and privileged users.
Analyst notes and limits

The supplied ATT&CK description identifies Metamorfo as a Latin-American banking trojan operated by a Brazilian cybercrime group, active since at least April 2018, focused on banks and cryptocurrency services in Brazil and Mexico. The strongest defender value comes from the relationship set: it indicates a Windows malware scenario involving discovery, credential/input capture, execution via shell and scripting, C2, exfiltration, registry modification, DLL injection, obfuscation, masquerading, tool transfer, and cleanup behaviors.

ATT&CK provides no official detection text for this object, no aliases, and no object-level tactics. Some related techniques list broad cross-platform applicability, but the malware object itself is supplied as Windows, so local validation should focus on Windows unless separate evidence supports other platforms. This summary does not establish current activity, customer exposure, specific indicators, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Metamorfo

Metamorfo is a Latin-American banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting banks and cryptocurrency services in Brazil and Mexico.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

46 rows
Domain ID Name Relationship / procedure
Enterprise T1059.007 JavaScript Sub-technique

Metamorfo includes payloads written in JavaScript.[1]
Enterprise T1518 Software Discovery

Metamorfo has searched the compromised system for banking applications.CitationFireEye Metamorfo Apr 2018[2]
Enterprise T1056.001 Keylogging Sub-technique

Metamorfo has a command to launch a keylogger and capture keystrokes on the victim’s machine.CitationFortinet Metamorfo Feb 2020[2]
Enterprise T1518.001 Security Software Discovery Sub-technique

Metamorfo collects a list of installed antivirus software from the victim’s system.CitationFortinet Metamorfo Feb 2020[2]
Enterprise T1573.002 Asymmetric Cryptography Sub-technique

Metamorfo's C2 communication has been encrypted using OpenSSL.[1]
Enterprise T1071.001 Web Protocols Sub-technique

Metamorfo has used HTTP for C2.[1][2]
Enterprise T1218.007 Msiexec Sub-technique

Metamorfo has used MsiExec.exe to automatically execute files.CitationFortinet Metamorfo Feb 2020[2]
Enterprise T1204.002 Malicious File Sub-technique

Metamorfo requires the user to double-click the executable to run the malicious HTA file or to download a malicious installer.CitationFireEye Metamorfo Apr 2018[2]
Enterprise T1055.001 Dynamic-link Library Injection Sub-technique

Metamorfo has injected a malicious DLL into the Windows Media Player process (wmplayer.exe).[1]
Enterprise T1102.001 Dead Drop Resolver Sub-technique

Metamorfo has used YouTube to store and hide C&C server domains.[2]
Enterprise T1027.013 Encrypted/Encoded File Sub-technique

Metamorfo has encrypted payloads and strings.[1][2]
Enterprise T1106 Native API

Metamorfo has used native WINAPI calls.[1]CitationFortinet Metamorfo Feb 2020
Enterprise T1574.001 DLL Sub-technique

Metamorfo has side-loaded its malicious DLL file.[1]CitationFireEye Metamorfo Apr 2018[2]
Enterprise T1566.001 Spearphishing Attachment Sub-technique

Metamorfo has been delivered to victims via emails with malicious HTML attachments.CitationFireEye Metamorfo Apr 2018[2]
Enterprise T1124 System Time Discovery

Metamorfo uses JavaScript to get the system time.[1]
Enterprise T1095 Non-Application Layer Protocol

Metamorfo has used raw TCP for C2.CitationFireEye Metamorfo Apr 2018
Enterprise T1547.001 Registry Run Keys / Startup Folder Sub-technique

Metamorfo has configured persistence to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, Spotify =% APPDATA%\Spotify\Spotify.exe and used .LNK files in the startup folder to achieve persistence.[1]CitationFireEye Metamorfo Apr 2018CitationFortinet Metamorfo Feb 2020[2]
Enterprise T1041 Exfiltration Over C2 Channel

Metamorfo can send the data it collects to the C2 server.[2]
Enterprise T1070 Indicator Removal

Metamorfo has a command to delete a Registry key it uses, \Software\Microsoft\Internet Explorer\notes.CitationFireEye Metamorfo Apr 2018
Enterprise T1056.002 GUI Input Capture Sub-technique

Metamorfo has displayed fake forms on top of banking sites to intercept credentials from victims.CitationFireEye Metamorfo Apr 2018
Enterprise T1497 Virtualization/Sandbox Evasion

Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution.[1]
Enterprise T1070.004 File Deletion Sub-technique

Metamorfo has deleted itself from the system after execution.[1]CitationFortinet Metamorfo Feb 2020
Enterprise T1112 Modify Registry

Metamorfo has written process names to the Registry, disabled IE browser features, deleted Registry keys, and changed the ExtendedUIHoverTime key.[1]CitationFortinet Metamorfo Feb 2020CitationFireEye Metamorfo Apr 2018[2]
Enterprise T1102.003 One-Way Communication Sub-technique

Metamorfo has downloaded a zip file for execution on the system.[1]CitationFireEye Metamorfo Apr 2018CitationFortinet Metamorfo Feb 2020
Enterprise T1119 Automated Collection

Metamorfo has automatically collected mouse clicks, continuous screenshots on the machine, and set timers to collect the contents of the clipboard and website browsing.CitationFireEye Metamorfo Apr 2018
Enterprise T1571 Non-Standard Port

Metamorfo has communicated with hosts over raw TCP on port 9999.CitationFireEye Metamorfo Apr 2018
Enterprise T1218.005 Mshta Sub-technique

Metamorfo has used mshta.exe to execute a HTA payload.CitationFireEye Metamorfo Apr 2018
Enterprise T1115 Clipboard Data

Metamorfo has a function to hijack data from the clipboard by monitoring the contents of the clipboard and replacing the cryptocurrency wallet with the attacker's.CitationFortinet Metamorfo Feb 2020[2]
Enterprise T1129 Shared Modules

Metamorfo had used AutoIt to load and execute the DLL payload.CitationFortinet Metamorfo Feb 2020
Enterprise T1082 System Information Discovery

Metamorfo has collected the hostname and operating system version from the compromised host.CitationFireEye Metamorfo Apr 2018CitationFortinet Metamorfo Feb 2020[2]
Enterprise T1565.002 Transmitted Data Manipulation Sub-technique

Metamorfo has a function that can watch the contents of the system clipboard for valid bitcoin addresses, which it then overwrites with the attacker's address.CitationFortinet Metamorfo Feb 2020[2]
Enterprise T1113 Screen Capture

Metamorfo can collect screenshots of the victim’s machine.CitationFireEye Metamorfo Apr 2018[2]
Enterprise T1553.002 Code Signing Sub-technique

Metamorfo has digitally signed executables using AVAST Software certificates.[1]
Enterprise T1059.003 Windows Command Shell Sub-technique

Metamorfo has used cmd.exe /c to execute files.[1]
Enterprise T1027.002 Software Packing Sub-technique

Metamorfo has used VMProtect to pack and protect files.CitationFortinet Metamorfo Feb 2020
Enterprise T1685 Disable or Modify Tools

Metamorfo has a function to kill processes associated with defenses and can prevent certain processes from launching.[1]CitationFireEye Metamorfo Apr 2018
Enterprise T1010 Application Window Discovery

Metamorfo can enumerate all windows on the victim’s machine.CitationFireEye Metamorfo Apr 2018CitationFortinet Metamorfo Feb 2020
Enterprise T1033 System Owner/User Discovery

Metamorfo has collected the username from the victim's machine.[2]
Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

Metamorfo has disguised an MSI file as the Adobe Acrobat Reader Installer and has masqueraded payloads as OneDrive, WhatsApp, or Spotify, for example.[1][2]
Enterprise T1105 Ingress Tool Transfer

Metamorfo has used MSI files to download additional files to execute.[1]CitationFireEye Metamorfo Apr 2018CitationFortinet Metamorfo Feb 2020[2]
Enterprise T1057 Process Discovery

Metamorfo has performed process name checks and has monitored applications.[1]
Enterprise T1573.001 Symmetric Cryptography Sub-technique

Metamorfo has encrypted C2 commands with AES-256.[2]
Enterprise T1059.005 Visual Basic Sub-technique

Metamorfo has used VBS code on victims’ systems.CitationFireEye Metamorfo Apr 2018
Enterprise T1564.003 Hidden Window Sub-technique

Metamorfo has hidden its GUI using the ShowWindow() WINAPI call.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

Upon execution, Metamorfo has unzipped itself after being downloaded to the system and has performed string decryption.[1]CitationFireEye Metamorfo Apr 2018[2]
Enterprise T1083 File and Directory Discovery

Metamorfo has searched the Program Files directories for specific folders and has searched for strings related to its mutexes.[1]CitationFortinet Metamorfo Feb 2020CitationFireEye Metamorfo Apr 2018
Relationship explorer

All related ATT&CK context

uses · Technique T1059.007: JavaScript Enterprise uses · Technique T1518: Software Discovery Enterprise uses · Technique T1056.001: Keylogging Enterprise uses · Technique T1518.001: Security Software Discovery Enterprise uses · Technique T1573.002: Asymmetric Cryptography Enterprise uses · Technique T1071.001: Web Protocols Enterprise uses · Technique T1218.007: Msiexec Enterprise uses · Technique T1204.002: Malicious File Enterprise uses · Technique T1055.001: Dynamic-link Library Injection Enterprise uses · Technique T1102.001: Dead Drop Resolver Enterprise uses · Technique T1027.013: Encrypted/Encoded File Enterprise uses · Technique T1106: Native API Enterprise uses · Technique T1574.001: DLL Enterprise uses · Technique T1566.001: Spearphishing Attachment Enterprise uses · Technique T1124: System Time Discovery Enterprise uses · Technique T1095: Non-Application Layer Protocol Enterprise uses · Technique T1547.001: Registry Run Keys / Startup Folder Enterprise uses · Technique T1041: Exfiltration Over C2 Channel Enterprise uses · Technique T1070: Indicator Removal Enterprise uses · Technique T1056.002: GUI Input Capture Enterprise uses · Technique T1497: Virtualization/Sandbox Evasion Enterprise uses · Technique T1070.004: File Deletion Enterprise uses · Technique T1112: Modify Registry Enterprise uses · Technique T1102.003: One-Way Communication Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.1
Created
Modified
Raw hash
544ae66f95dc1ef9...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.1 Current bundle 544ae66f95dc…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Medium Metamorfo Apr 2020

    Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.

    Open source URL
  2. [2]
    ESET Casbaneiro Oct 2019

    ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.

    Open source URL
  3. [3]
    Casbaneiro

    (Citation: ESET Casbaneiro Oct 2019)

  4. [4]
    Metamorfo

    (Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019)

  5. [5]
    mitre-attack S0455
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use