{"description": "Enterprise techniques used by Metamorfo, ATT&CK software S0455 (v2.1)", "name": "Metamorfo (S0455)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has used HTTP for C2.(Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1010", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) can enumerate all windows on the victim\u2019s machine.(Citation: FireEye Metamorfo Apr 2018)(Citation: Fortinet Metamorfo Feb 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1119", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has automatically collected mouse clicks, continuous screenshots on the machine, and set timers to collect the contents of the clipboard and website browsing.(Citation: FireEye Metamorfo Apr 2018) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has configured persistence to the Registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, Spotify =% APPDATA%\\Spotify\\Spotify.exe and used .LNK files in the startup folder to achieve persistence.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018)(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1115", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has a function to hijack data from the clipboard by monitoring the contents of the clipboard and replacing the cryptocurrency wallet with the attacker's.(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has used cmd.exe /c to execute files.(Citation: Medium Metamorfo Apr 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has used VBS code on victims\u2019 systems.(Citation: FireEye Metamorfo Apr 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.007", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) includes payloads written in JavaScript.(Citation: Medium Metamorfo Apr 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1565", "showSubtechniques": true}, {"techniqueID": "T1565.002", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has a function that can watch the contents of the system clipboard for valid bitcoin addresses, which it then overwrites with the attacker's address.(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "Upon execution, [Metamorfo](https://attack.mitre.org/software/S0455) has unzipped itself after being downloaded to the system and has performed string decryption.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018)(Citation: ESET Casbaneiro Oct 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has encrypted C2 commands with AES-256.(Citation: ESET Casbaneiro Oct 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455)'s C2 communication has been encrypted using OpenSSL.(Citation: Medium Metamorfo Apr 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) can send the data it collects to the C2 server.(Citation: ESET Casbaneiro Oct 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has searched the Program Files directories for specific folders and has searched for strings related to its mutexes.(Citation: Medium Metamorfo Apr 2020)(Citation: Fortinet Metamorfo Feb 2020)(Citation: FireEye Metamorfo Apr 2018) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.003", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has hidden its GUI using the ShowWindow() WINAPI call.(Citation: Medium Metamorfo Apr 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has side-loaded its malicious DLL file.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018)(Citation: ESET Casbaneiro Oct 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has a function to kill processes associated with defenses and can prevent certain processes from launching.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has a command to delete a Registry key it uses, \\Software\\Microsoft\\Internet Explorer\\notes.(Citation: FireEye Metamorfo Apr 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has deleted itself from the system after execution.(Citation: Medium Metamorfo Apr 2020)(Citation: Fortinet Metamorfo Feb 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has used MSI files to download additional files to execute.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018)(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has a command to launch a keylogger and capture keystrokes on the victim\u2019s machine.(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1056.002", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has displayed fake forms on top of banking sites to intercept credentials from victims.(Citation: FireEye Metamorfo Apr 2018) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has disguised an MSI file as the Adobe Acrobat Reader Installer and has masqueraded payloads as OneDrive, WhatsApp, or Spotify, for example.(Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has written process names to the Registry, disabled IE browser features, deleted Registry keys, and changed the ExtendedUIHoverTime key.(Citation: Medium Metamorfo Apr 2020)(Citation: Fortinet Metamorfo Feb 2020)(Citation: FireEye Metamorfo Apr 2018)(Citation: ESET Casbaneiro Oct 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has used native WINAPI calls.(Citation: Medium Metamorfo Apr 2020)(Citation: Fortinet Metamorfo Feb 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has used raw TCP for C2.(Citation: FireEye Metamorfo Apr 2018) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1571", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has communicated with hosts over raw TCP on port 9999.(Citation: FireEye Metamorfo Apr 2018) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has used VMProtect to pack and protect files.(Citation: Fortinet Metamorfo Feb 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has encrypted payloads and strings.(Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has been delivered to victims via emails with malicious HTML attachments.(Citation: FireEye Metamorfo Apr 2018)(Citation: ESET Casbaneiro Oct 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has performed process name checks and has monitored applications.(Citation: Medium Metamorfo Apr 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has injected a malicious DLL into the Windows Media Player process (wmplayer.exe).(Citation: Medium Metamorfo Apr 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) can collect screenshots of the victim\u2019s machine.(Citation: FireEye Metamorfo Apr 2018)(Citation: ESET Casbaneiro Oct 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1129", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) had used AutoIt to load and execute the DLL payload.(Citation: Fortinet Metamorfo Feb 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has searched the compromised system for banking applications.(Citation: FireEye Metamorfo Apr 2018)(Citation: ESET Casbaneiro Oct 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) collects a list of installed antivirus software from the victim\u2019s system.(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has digitally signed executables using AVAST Software certificates.(Citation: Medium Metamorfo Apr 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.005", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has used mshta.exe to execute a HTA payload.(Citation: FireEye Metamorfo Apr 2018) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.007", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has used MsiExec.exe to automatically execute files.(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has collected the hostname and operating system version from the compromised host.(Citation: FireEye Metamorfo Apr 2018)(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has collected the username from the victim's machine.(Citation: ESET Casbaneiro Oct 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) uses JavaScript to get the system time.(Citation: Medium Metamorfo Apr 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) requires the user to double-click the executable to run the malicious HTA file or to download a malicious installer.(Citation: FireEye Metamorfo Apr 2018)(Citation: ESET Casbaneiro Oct 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has embedded a \"vmdetect.exe\" executable to identify virtual machines at the beginning of execution.(Citation: Medium Metamorfo Apr 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.001", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has used YouTube to store and hide C&C server domains.(Citation: ESET Casbaneiro Oct 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102.003", "comment": "[Metamorfo](https://attack.mitre.org/software/S0455) has downloaded a zip file for execution on the system.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018)(Citation: Fortinet Metamorfo Feb 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Metamorfo", "color": "#66b1ff"}]}