Recently, a new command-and-control platform known as Matrix Push C2 has emerged on the cybersecurity scene. Criminals mostly use it to conduct account takeover phishing attacks. It distributes harmful links through web push notifications that impersonate legitimate notifications from your operating system or browser. The development of Matrix Push C2 is indicative of a growing trend among threat actors: using deliberately manipulative social engineering to trick users into giving up potentially damaging information.
Matrix Push C2 is advertised as a malware-as-a-service (MaaS) kit. This lowers the barrier for many different types of threat actors to take advantage of unsuspecting victims. By leveraging trusted branding and familiar logos, the kit makes its deceptive messages more convincing, so users find it difficult to tell genuine notifications from malicious ones.
The Mechanics of Matrix Push C2
Matrix Push C2 delivers its phishing attacks through web push notifications. These alerts are designed to look like communications from widely used services such as MetaMask, Netflix, Cloudflare, PayPal, and TikTok.
The platform uses notification verification templates associated with these trusted brands to reinforce its credibility. Users are then presented with warnings that look very much like real warnings issued by their OS or browser. This similarity greatly increases the chances that they will be duped by the scam.
“The core of the attack is social engineering, and Matrix Push C2 comes loaded with configurable templates to maximize the credibility of its fake messages,” – Robb
The approach taken by Matrix Push C2 highlights an alarming shift in how attackers gain initial access to their targets. As noted by BlackFog, “Matrix Push C2 shows us a shift in how attackers gain initial access and attempt to exploit users.” Threat actors using this platform do not need to compromise the victim’s system first. One of the most powerful elements of the tool from a cybercriminal’s perspective is that it runs entirely through the browser.
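Because this delivery channel depends on a site holding notification permission in the browser, one defensive check is to list which origins a profile has granted it to and compare them with an approved set. The following is an added example, not code from the article or from BlackFog; it assumes the Chromium profile `Preferences` JSON layout (`profile.content_settings.exceptions.notifications`, where `setting` 1 means allow), and the sample data, host names and approved list are constructed.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

ALLOW = 1  # Chromium content-setting value for "allow" (2 is "block")
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # base of last_modified

# Constructed sample shaped like a Chromium profile "Preferences" file.
SAMPLE_PREFS = json.dumps({"profile": {"content_settings": {"exceptions": {"notifications": {
    "https://mail.example.com:443,*": {"last_modified": "13380000000000000", "setting": 1},
    "https://free-stream.example.net:443,*": {"last_modified": "13390000000000000", "setting": 1},
    "https://ads.example.org:443,*": {"last_modified": "13370000000000000", "setting": 2},
}}}}})


def granted_origins(prefs_text):
    """Return (host, granted_at) for every origin allowed to send notifications,
    most recently granted first."""
    prefs = json.loads(prefs_text)
    entries = (prefs.get("profile", {}).get("content_settings", {})
               .get("exceptions", {}).get("notifications", {}))
    rows = []
    for pattern, meta in entries.items():
        if meta.get("setting") != ALLOW:
            continue  # blocked or default entries cannot push notifications
        origin = pattern.split(",", 1)[0]  # key is "<origin>,<embedder pattern>"
        host = urlsplit(origin).hostname or origin
        ts = meta.get("last_modified")  # microseconds since 1601-01-01 UTC
        granted = WEBKIT_EPOCH + timedelta(microseconds=int(ts)) if ts else None
        rows.append((host, granted))
    return sorted(rows, key=lambda r: r[1] or WEBKIT_EPOCH, reverse=True)


def unexpected(prefs_text, approved_hosts):
    """Origins holding notification permission that are not on the approved list."""
    return [(h, t) for h, t in granted_origins(prefs_text) if h not in approved_hosts]


if __name__ == "__main__":
    # Hypothetical approved list; in practice this is the organisation's own.
    for host, when in unexpected(SAMPLE_PREFS, {"mail.example.com"}):
        print(f"{host}\tgranted {when:%Y-%m-%d}" if when else host)
```

The grant timestamp helps line up a permission prompt with the browsing session that triggered it during triage.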
Social Engineering Tactics Employed
The platform’s operators craft convincing messages designed to engage users’ emotions and prompt immediate action. The strategy exploits human psychology to increase the chances that users click on malicious links, and it tries to intimidate them into providing highly sensitive personal information.
Brenda Robb elaborates on the potential ramifications of these attacks, stating, “They might deliver additional phishing messages to steal credentials, trick the user into installing a more persistent malware, or even leverage browser exploits to get deeper control of the system.” The overarching goal remains constant: to extract valuable data or monetize access through methods such as draining cryptocurrency wallets or exfiltrating personal information.
Additionally, the flexibility of Matrix Push C2 makes it very easy for attackers to customize their phishing notifications and landing pages. This makes it possible for them to keep running scams that look like messages from your email providers, banks, credit cards and more.
“Attackers can easily theme their phishing notifications and landing pages to impersonate well-known companies and services,” – Robb
Accessibility and User Interaction
The accessibility of Matrix Push C2 as a malware-as-a-service kit should raise major red flags for cybersecurity professionals. Moreover, payments for access can be made in cryptocurrency, which can allow transactions to be anonymous. This anonymity allows an increasingly diverse group of actors, including those with little technical expertise, to participate in cybercriminal undertakings.
Dr. Darren Williams notes that “payments are accepted in cryptocurrency, and buyers communicate directly with the operator for access.” This direct mode of communication helps support a dark web bazaar in which no special expertise is required to obtain malicious tools.
Since its emergence in mid-October 2023, Matrix Push C2 has already been spotted in several phishing campaigns. As the platform gains popularity with cybercriminals, the risk of widespread exploitation grows with it.


