This news is from researchers at Fortinet, who report that the malicious code has recently gotten some upgrades that make it particularly nasty.
Like many similar programs, this one finds its way onto target machines by way of phishing emails. In this case, the vehicle of choice seems to be emails that claim to have an invoice attached in the form of a Microsoft Word document.
If a user receives this email and opens the ‘invoice’ he or she will be informed that the message cannot be properly displayed without enabling macros. Of course, enabling macros is the mechanism that allows Metamorfo to be installed on the target device.
Once installed, the malicious code will first check to be sure it’s not running in a sandbox or virtual environment. Once it has confirmed that it is not, it will run its AutoIt script execution program, which it uses to evade detection by antivirus programs that may be running on the target system.
Safe from detection, it will then shut down any browser sessions that may be running and prevent any new browser windows from using the auto-complete function when entering passwords. It then begins prompting users to manually enter their passwords. When they do, the keystrokes are captured and sent to a command and control server that the hackers control. It’s a fiendishly clever way of making sure the hackers harvest as much password information as possible from each system they infect.
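The chain described above (a Word document spawning a child process, an AutoIt interpreter running from a user-writable location, browsers being closed right afterwards) is the kind of sequence a defender can correlate in endpoint telemetry. The following is an added illustration, not code from the original article or from Fortinet's report. It runs over a handful of constructed process-creation and process-termination records; the field names, the process-name lists, the path hints and the time windows are all assumptions that would need mapping onto your own Sysmon or EDR schema.

```python
"""Heuristic detection of a Metamorfo-style execution chain over process telemetry.

Added example with constructed sample data; schema and thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed process-name lists (lower-case basenames).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
AUTOIT_INTERPRETERS = {"autoit3.exe", "autoit3_x64.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# Assumed path fragments that mark a user-writable location.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
CHAIN_WINDOW_S = 600         # Office child -> AutoIt launch within 10 minutes (assumed)
BROWSER_KILL_WINDOW_S = 120  # browser exits counted within 2 minutes of AutoIt start (assumed)


@dataclass
class Event:
    ts: int                 # seconds; constructed values in the sample below
    host: str
    kind: str               # "process_create" or "process_terminate"
    image: str              # full path of the process
    parent_image: str = ""  # full path of the parent (process_create only)
    command_line: str = ""


def basename(path: str) -> str:
    """Lower-cased file name from a Windows-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Dict]:
    """Return one alert dict per finding, ordered by the order they were raised."""
    alerts: List[Dict] = []
    office_children: Dict[str, List[Event]] = {}
    autoit_starts: Dict[str, List[Event]] = {}
    browser_exits: Dict[str, List[Event]] = {}

    for e in sorted(events, key=lambda x: x.ts):
        img = basename(e.image)
        if e.kind == "process_create":
            parent = basename(e.parent_image)
            # Stage 1: an Office application spawning a non-Office child is the
            # usual footprint of a macro launching something.
            if parent in OFFICE_APPS and img not in OFFICE_APPS:
                office_children.setdefault(e.host, []).append(e)
                alerts.append({"host": e.host, "ts": e.ts, "rule": "office_spawned_child",
                               "detail": f"{parent} -> {img}"})
            # Stage 2: AutoIt interpreter executing from a user-writable path.
            if img in AUTOIT_INTERPRETERS and any(h in e.image.lower() for h in USER_WRITABLE_HINTS):
                autoit_starts.setdefault(e.host, []).append(e)
                alerts.append({"host": e.host, "ts": e.ts, "rule": "autoit_from_user_path",
                               "detail": e.image})
        elif e.kind == "process_terminate" and img in BROWSERS:
            browser_exits.setdefault(e.host, []).append(e)

    # Correlation: tie the AutoIt launch back to the macro and forward to browser exits.
    for host, starts in autoit_starts.items():
        for a in starts:
            if any(0 <= a.ts - c.ts <= CHAIN_WINDOW_S for c in office_children.get(host, [])):
                alerts.append({"host": host, "ts": a.ts, "rule": "macro_to_autoit_chain",
                               "detail": "Office child followed by AutoIt launch"})
            kills = [b for b in browser_exits.get(host, []) if 0 <= b.ts - a.ts <= BROWSER_KILL_WINDOW_S]
            if len(kills) >= 2:
                alerts.append({"host": host, "ts": kills[-1].ts, "rule": "browsers_closed_after_autoit",
                               "detail": ", ".join(basename(k.image) for k in kills)})
    return alerts


# Constructed sample telemetry: ws01 shows the full chain, ws02 is benign activity.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    Event(1000, "ws01", "process_create", WORD, r"C:\Windows\explorer.exe", "WINWORD.EXE invoice.docm"),
    Event(1030, "ws01", "process_create", r"C:\Windows\System32\cmd.exe", WORD, "cmd.exe /c <constructed>"),
    Event(1045, "ws01", "process_create", r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe",
          r"C:\Windows\System32\cmd.exe", "AutoIt3.exe script.a3x"),
    Event(1050, "ws01", "process_terminate", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    Event(1051, "ws01", "process_terminate", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    Event(2000, "ws02", "process_create", WORD, r"C:\Windows\explorer.exe", "WINWORD.EXE report.docx"),
    Event(2500, "ws02", "process_terminate", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Each stage on its own is noisy (administrators and packaging tools use AutoIt legitimately, and users close browsers all the time), which is why the correlation rules carry the weight: the `macro_to_autoit_chain` and `browsers_closed_after_autoit` findings are the ones worth paging on, while the single-stage alerts serve as supporting context in the investigation.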
Be very wary of opening attachments from any unknown and untrusted source and make sure all your systems are fully patched and up to date. It’s not a perfect solution, but it will certainly minimize your risk.