Metamorfo Banking Trojan spotted using Avast Utility


The SonicWall Capture Labs Threat Research Team has spotted Metamorfo malware, known to distribute banking Trojans, using a legitimate tool from Avast, a popular security product. The malware arrives as a seemingly harmless Adobe installer and, to evade detection, uses a renamed copy of the Avast memory dumping tool to load its malicious components.

Infection cycle:

The Trojan arrives as a Windows Installer database (MSI) file.

It uses the following file properties pretending to be an Adobe Acrobat Reader installer.


Upon execution, it displays a fake splash window that makes the victim believe that Adobe Reader is being installed.

The installer contains embedded, obfuscated JavaScript code that reveals its intention once decoded.

It downloads a fake image file with a PNG extension, which is in fact a ZIP archive containing additional components.

The archive is then unpacked into the %APPDATA% directory, which then contains the following files:

  • %APPDATA%/yDnKLM.exe – non-malicious renamed AVDump32.exe utility from Avast
  • %APPDATA%/yDnKLM.dmp – malicious file detected as GAV: Metamorfo.BZ_2 (Trojan)
  • %APPDATA%/dbghelp.dll – malicious file detected as GAV: Metamorfo.BZ_ (Trojan)
  • %APPDATA%/ssleay64.dll – malicious file detected as GAV: Metamorfo.BZ_3 (Trojan)
  • %APPDATA%/borlndmm.dll – non-malicious Borland Memory Manager library
  • %APPDATA%/libeay32.dll – non-malicious OpenSSL library
  • %APPDATA%/ssleay32.dll – non-malicious OpenSSL library

The installer then invokes a system reboot. After a successful reboot, it launches the legitimate Avast file, which loads the malicious dbghelp.dll library. It subsequently launches another non-malicious program, Windows Media Player, to load the malicious .dmp file.
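For triage, the on-disk layout described above can be checked directly. The following is an added example, not code from the SonicWall write-up: it flags a dbghelp.dll sitting beside an executable, an executable with a same-stem .dmp file, and a .png file that is really a ZIP archive. The function names, the `sample.png` name and the placeholder files are constructed for illustration.

```python
import os
import zipfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")   # local file header / empty archive
SIDELOAD_DLLS = {"dbghelp.dll"}                # DLL name taken from the write-up

def disguised_archive(path):
    """True when a .png file actually starts with a ZIP signature."""
    if not (path.lower().endswith(".png") and os.path.isfile(path)):
        return False
    with open(path, "rb") as f:
        head = f.read(8)
    return head.startswith(ZIP_MAGICS) and not head.startswith(PNG_MAGIC)

def scan_dir(directory):
    """Return sorted (finding, file, related_file) tuples for one directory."""
    names = {n.lower(): n for n in os.listdir(directory)}
    exes = [n for n in names if n.endswith(".exe")]
    findings = []
    for exe in exes:
        # Windows searches the program's own directory before System32,
        # so a dbghelp.dll placed beside an EXE is the copy that gets loaded.
        for dll in SIDELOAD_DLLS & names.keys():
            findings.append(("dll-beside-exe", names[exe], names[dll]))
        dmp = exe[:-4] + ".dmp"
        if dmp in names:
            findings.append(("exe-with-same-stem-dmp", names[exe], names[dmp]))
    for n in names.values():
        if disguised_archive(os.path.join(directory, n)):
            findings.append(("zip-with-png-extension", n, ""))
    return sorted(findings)

def build_sample(directory):
    """Constructed stand-ins: empty placeholder files, no real samples."""
    for name in ("yDnKLM.exe", "yDnKLM.dmp", "dbghelp.dll", "libeay32.dll"):
        open(os.path.join(directory, name), "wb").close()
    # Constructed file name; the write-up does not give the download's name.
    with zipfile.ZipFile(os.path.join(directory, "sample.png"), "w") as z:
        z.writestr("placeholder.txt", "constructed")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for finding in scan_dir(d):
            print(finding)
```

These are name and header heuristics only; a hit on a real host should be confirmed by checking the executable's signature and version information and the DLL's hash.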

The malicious files can steal user information by accessing the computer name and keystrokes. They can also connect to a remote server, submit files, invoke mouse clicks, and execute commands.

During our analysis, the malicious ssleay64.dll was not loaded.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Metamorfo.BZ_4 (Trojan)
  • GAV: Metamorfo.BZ_5 (Trojan)
  • GAV: Metamorfo.BZ_6 (Trojan)
  • GAV: Downloader.MSI (Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI and the Capture Client endpoint solutions.
