Microsoft Security Intelligence
Published Jun 30, 2023 | Updated Nov 10, 2025

Trojan:Win64/Metasploit.CRTD!MTB

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Trojan:Win64/Metasploit.CRTD!MTB is a 64-bit Windows binary derived from Meterpreter, a component of the Metasploit penetration testing framework. Threat actors weaponize this tool to establish unauthorized remote access on compromised devices. The trojan operates by initiating an outbound connection to a command-and-control (C2) server, which gives the attacker the ability to run commands, survey device activity, and exfiltrate sensitive data. It employs in-memory installation to avoid writing files to the disk, evading traditional file-based detection. Its versatility allows it to be used for information harvesting, covert surveillance, or deploying additional payloads such as ransomware, which can lead to outcomes ranging from data breaches to complete system incapacitation. Infection occurs through application vulnerabilities, such as those in Microsoft Office, or via phishing campaigns, often exploiting unpatched software. While heuristic detection can identify this threat, IT security teams should treat any Metasploit-based infection as a severe incident requiring immediate remediation.

The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the "Metasploit" family. 

  • Disconnect the compromised device from all networks (both wired and Wi-Fi) as soon as possible. This severs the threat actor’s remote connection and prevents further data exfiltration. 
  • Use system utilities like Task Manager or Process Explorer to inspect startup entries, scheduled tasks, and running processes for any malicious components that may have established persistence. 
  • Update passwords for all user and administrative accounts on the affected device, as well as for any online services that were accessed from it, as login credentials could have been stolen. 
  • Review bank, email, and other critical accounts for any unusual actions that indicate unauthorized access resulting from the infection. 
  • If the scope of the intrusion is uncertain, restore Windows from a known-clean, verified backup. Ensure the backup is scanned for malware before restoration to avoid reinfection. 
  • For a manual response on Windows, boot the system into Safe Mode, enable viewing of hidden files and folders, and proceed to identify and remove all suspicious files and registry entries before performing a final reboot and verification scan.
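The following read-only triage script is an added example, not Microsoft's code or part of this entry. It collects the artifacts the steps above ask you to inspect: established outbound connections with the owning process and its signature status (the trojan's C2 channel), Run/RunOnce startup entries, and scheduled tasks not authored by Microsoft. It assumes an elevated Windows PowerShell 5.1 or later session on a host that has the NetTCPIP and ScheduledTasks modules (Windows 8.1 / Server 2012 R2 or newer); the private-address regex is a constructed filter, not a Microsoft list.

```powershell
# Added triage example (not Microsoft's). Reads only; removes nothing.
# Assumes Windows 8.1/Server 2012 R2+ with NetTCPIP and ScheduledTasks modules.
$report = [ordered]@{}

# 1. Established outbound TCP connections to non-private addresses, with the owning
#    process, its image path and Authenticode status. An in-memory payload often
#    surfaces as a process whose executable is unsigned or whose path is unexpected.
$private = '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.|::1$|fe80:)'  # constructed filter
$report.Connections = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch $private } |
    ForEach-Object {
        $p    = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $path = $p.Path
        $sig  = if ($path) { (Get-AuthenticodeSignature $path).Status } else { 'NoImagePath' }
        [pscustomobject]@{
            Pid = $_.OwningProcess; Name = $p.ProcessName; Path = $path
            Signature = $sig; Remote = "$($_.RemoteAddress):$($_.RemotePort)"
        }
    }

# 2. Startup entries: Run/RunOnce keys for the machine and the current user.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$report.RunKeys = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |   # drop provider metadata properties
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}

# 3. Scheduled tasks not authored by Microsoft, one row per action.
$report.Tasks = Get-ScheduledTask |
    Where-Object { $_.Author -notlike 'Microsoft*' } |
    ForEach-Object {
        foreach ($a in $_.Actions) {
            [pscustomobject]@{ Task = $_.TaskName; Path = $_.TaskPath
                               Execute = $a.Execute; Args = $a.Arguments }
        }
    }

# Emit each section so the output can be saved with the incident record.
foreach ($section in $report.Keys) {
    "==== $section ===="
    $report[$section] | Format-Table -AutoSize | Out-String
}
```

Review the output for unsigned or path-less processes holding outbound connections and for startup commands or task actions you cannot account for; these are the items the manual-removal step refers to.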

Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts. 

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help. 
