A new variant of the Metamorfo banking malware is on the loose, targeting a wider range of financial institutions than the original version and tricking victims into typing in sensitive information, which it then steals.

Fortinet’s FortiGuard Labs captured an example of the newest edition, noting that unlike its predecessor, which only aimed at Brazilian banks, this model is hitting financial institutions across a wide swath of the globe. These include 20 financial institutions in multiple countries, including the U.S., Canada, Peru, Chile, Spain, Brazil, Ecuador, Mexico, and others.

However, from a technical standpoint Metamorfo 2.0 does share some similarities with the first model.

In both cases, an MSI file, an installer package file format used by Windows, is spread through a ZIP archive, and the MSI file is parsed and executed automatically by MsiExec.exe when a user double-clicks on it in the Windows OS, said FortiGuard analyst Xiaopeng Zhang.

Contained in the payload is a small amount of JavaScript, hidden amongst a great deal of fake JavaScript that is put in just to obfuscate the dangerous code.

This code then downloads a file from the URL “hxxp[:]//www[.]chmsc[.]edu[.]ph/library/modules/down/op57.lts”. This is in fact a ZIP file that itself contains three additional files. These are all decompressed and renamed with random strings.
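A defensive check for the mismatch described above, where a download named with an unrelated extension turns out to be a ZIP archive. This is an added example, not code from FortiGuard's analysis: the sample archive is constructed and harmless, its member names and contents are invented, and treating an `MZ` header inside a member as noteworthy is an assumed heuristic.

```python
import io
import os
import zipfile

ZIP_MAGIC = b"PK\x03\x04"   # signature of the first local file header in a ZIP
ARCHIVE_EXTS = {".zip"}     # names where ZIP content is expected (assumption; extend as needed)


def inspect_download(name: str, data: bytes) -> dict:
    """Report whether a downloaded object is a ZIP hiding behind another extension."""
    ext = os.path.splitext(name)[1].lower()
    result = {"name": name, "is_zip": False, "masquerade": False,
              "members": [], "pe_members": [], "unreadable": []}
    # Require both the leading magic and a parseable central directory.
    if not data.startswith(ZIP_MAGIC) or not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["is_zip"] = True
    result["masquerade"] = ext not in ARCHIVE_EXTS
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            result["members"].append(info.filename)
            try:
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":   # DOS/PE header: Windows EXE or DLL
                        result["pe_members"].append(info.filename)
            except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                # Encrypted or unsupported member: record it instead of failing.
                result["unreadable"].append(info.filename)
    return result


def build_sample() -> bytes:
    """Constructed stand-in for the download: a ZIP holding three dummy files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.bin", b"MZ" + b"\x00" * 62)   # dummy bytes, not a real executable
        zf.writestr("b.bin", b"MZ" + b"\x00" * 62)
        zf.writestr("c.dat", b"not executable")
    return buf.getvalue()


if __name__ == "__main__":
    for fname, blob in [("op57.lts", build_sample()),
                        ("report.zip", build_sample()),
                        ("notes.lts", b"plain text")]:
        print(inspect_download(fname, blob))
```
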

The three are then executed and also added to the auto-run group in the system registry so they run automatically whenever the system is restarted.

When running, its first step is to kill Microsoft IE, Mozilla Firefox, Google Chrome, Microsoft Edge and Opera, along with the auto-fill functionality that most people have activated.

This last maneuver is the key to Metamorfo’s malicious function.

“This action forces the victim to hand-enter data without auto-complete, such as whole URLs, along with login-name, password, and so on in the browser. This allows the malware’s key logger function to record the largest number of actions from the victim’s input,” Zhang said.

The malware also collects OS version, computer name and installed AV software and then sends a note to its command and control server informing it that another computer has been infected.

The malware also checks the computer to see if it has a bitcoin wallet and, if so, overwrites the address of the rightful owner with that of the criminal actors, so the victim will unknowingly transfer money to their attacker.