Hackers Exploit Microsoft Teams to Distribute Matanbuchus 3.0 Malware

By Tina Reynolds

We’ve seen cybercriminals exploit Microsoft Teams to propagate the Matanbuchus 3.0 malware, a serious threat to enterprises today. Cybercriminals initially released this malware around February 2021 on Russian-speaking forums. Needless to say, it made waves when it came out, in part because it was a hot deal for rent at $2,500. Earlier this month, one unnamed company fell victim to external calls on Microsoft Teams. This recent incident is a testament to the evolved tactics that cyber attackers have been executing.

Even more insidiously, Matanbuchus has been used in elaborate ways to fool users. Too often it is folded into ClickFix-style lures designed to bait well-meaning people into running malicious scripts. These scripts trigger the download of a malicious archive. Bundled in are a disguised Notepad++ updater, a tampered init.xml file, and a side-loaded DLL that serves as the Matanbuchus loader.
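The archive-drop-then-side-load chain described above leaves a characteristic trace in endpoint telemetry: an executable sitting in a user-writable directory loads an unsigned DLL from that same directory. The following is an added example of a detection heuristic for that pattern; it is not code from the article or from the researchers it quotes. It assumes Sysmon-style Image Load (Event ID 7) records with the fields Image, ImageLoaded, Signed and SignatureStatus, and every record, path and file name below is constructed sample data rather than a real indicator.

```python
"""Heuristic detection of DLL side-loading from a user-writable directory.

Added example; it is not code from the article or from the researchers it
quotes. It scores constructed, Sysmon-style Image Load (Event ID 7) records
and flags a DLL that an executable loads from its own user-writable
directory when that DLL carries no valid signature. Field names follow the
Sysmon schema; every record and path below is constructed sample data.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Locations a legitimate updater binary would not normally run from.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Locations from which loading a DLL is unremarkable.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass(frozen=True)
class ImageLoad:
    image: str             # process that performed the load (Sysmon "Image")
    image_loaded: str      # DLL that was mapped (Sysmon "ImageLoaded")
    signed: bool           # Sysmon "Signed" for the loaded DLL
    signature_status: str  # Sysmon "SignatureStatus", e.g. "Valid"


def _norm(path: str) -> str:
    """Lower-case and use backslashes so prefix checks are case-insensitive."""
    return path.replace("/", "\\").lower()


def is_suspicious_sideload(ev: ImageLoad) -> bool:
    """True when the load matches the drop-archive-then-sideload pattern."""
    proc, dll = _norm(ev.image), _norm(ev.image_loaded)
    same_dir = ntpath.dirname(proc) == ntpath.dirname(dll)
    proc_in_user_dir = proc.startswith(USER_WRITABLE_PREFIXES)
    dll_untrusted_location = not dll.startswith(TRUSTED_PREFIXES)
    dll_unsigned = (not ev.signed) or ev.signature_status.lower() != "valid"
    return same_dir and proc_in_user_dir and dll_untrusted_location and dll_unsigned


def find_sideloads(events: list[ImageLoad]) -> list[ImageLoad]:
    """Return only the records worth an analyst's attention."""
    return [ev for ev in events if is_suspicious_sideload(ev)]


# Constructed sample records (names and paths are illustrative, not real IoCs).
SAMPLE_EVENTS = [
    # Benign: an installed editor loading a component from Program Files.
    ImageLoad(
        image="C:\\Program Files\\Notepad++\\notepad++.exe",
        image_loaded="C:\\Program Files\\Notepad++\\SciLexer.dll",
        signed=True, signature_status="Valid",
    ),
    # Suspicious: a lookalike updater dropped in Downloads loads an unsigned
    # DLL sitting next to it.
    ImageLoad(
        image="C:\\Users\\alice\\Downloads\\npp_update\\updater.exe",
        image_loaded="C:\\Users\\alice\\Downloads\\npp_update\\loader.dll",
        signed=False, signature_status="Unavailable",
    ),
    # Benign: the same process loading a system DLL is normal behaviour.
    ImageLoad(
        image="C:\\Users\\alice\\Downloads\\npp_update\\updater.exe",
        image_loaded="C:\\Windows\\System32\\kernel32.dll",
        signed=True, signature_status="Valid",
    ),
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(f"suspicious side-load: {hit.image} -> {hit.image_loaded}")
```

The four conditions are deliberately conjunctive: a signed vendor DLL loaded from Program Files, or a system DLL loaded by anything, never fires, so the rule stays quiet on ordinary updater activity and only surfaces the renamed-binary-plus-companion-DLL layout the lure relies on.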

“Victims are carefully targeted and persuaded to execute a script that triggers the download of an archive,” – Michael Gorelik

Features and Capabilities of Matanbuchus

The loader is only one of Matanbuchus's many features. Additional capabilities can be switched on remotely through the command-and-control (C2) server. Cybercriminals are likely to leverage this newly added functionality to obtain detailed information from infected systems: every running process, every active service, and a full list of installed applications. This enriched data collection dramatically increases the malware’s utility in identifying victims.

Matanbuchus has served as a deployment platform for a wide selection of secondary payloads. It gained its dubious reputation through its use in delivering infamous malware, including DanaBot, QakBot, and Cobalt Strike. Though not an exhaustive list, these strains are major warning signs of an impending ransomware attack. Organizations need to be on guard and proactively defend against these growing perils.

“The Matanbuchus 3.0 Malware-as-a-Service has evolved into a sophisticated threat,” – Michael Gorelik

Evolving Tactics and Impacts

The tactics used by the Matanbuchus developers are another escalation in an alarming cybercrime trend. What the malware does seems simple, but under the hood it uses more advanced techniques to run commands in the background. For instance, it schedules a task through COM and injects shellcode to gain persistence on the victim host.
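Because the task is registered through COM rather than through schtasks.exe, a detection keyed on the schtasks command line will miss it. What does survive is the task definition itself: Windows Security Event 4698 ("A scheduled task was created") records the new task's full XML whatever API registered it. The following is an added example of a check over such records; it is not code from the article or from the researchers it quotes. It assumes the 4698 fields SubjectUserName, TaskName and TaskContent and the standard Task Scheduler XML namespace, and the events, task definitions and names below are constructed sample data.

```python
"""Hunting scheduled-task persistence in Windows Security Event 4698 records.

Added example; not code from the article or from the researchers it quotes.
Event 4698 ("A scheduled task was created") carries the new task's full XML
definition regardless of how it was registered (schtasks.exe, PowerShell or
the Task Scheduler COM interface), so the check below inspects the
definition itself instead of relying on the creating process. The events
and task XML are constructed sample data.
"""
from __future__ import annotations

import ntpath
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Built-in binaries often used to run a DLL or script stored elsewhere.
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "powershell.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe"}
# Triggers that make a task re-run on its own, i.e. that provide persistence.
PERSISTENT_TRIGGERS = {"LogonTrigger", "BootTrigger", "CalendarTrigger", "TimeTrigger"}


def _norm(value: str) -> str:
    return value.strip().strip('"').replace("/", "\\").lower()


def _local(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.split("}", 1)[-1]


def analyze_task_xml(task_xml: str) -> dict:
    """Return why (if at all) a task definition looks like loader persistence."""
    root = ET.fromstring(task_xml)
    reasons: list[str] = []

    triggers_el = root.find("t:Triggers", NS)
    triggers = set() if triggers_el is None else {_local(t.tag) for t in triggers_el}

    for exec_el in root.iterfind(".//t:Exec", NS):
        cmd_el = exec_el.find("t:Command", NS)
        args_el = exec_el.find("t:Arguments", NS)
        cmd = _norm(cmd_el.text or "") if cmd_el is not None else ""
        args = _norm(args_el.text or "") if args_el is not None else ""
        if cmd.startswith(USER_WRITABLE):
            reasons.append(f"command lives in a user-writable path: {cmd}")
        if ntpath.basename(cmd) in PROXY_BINARIES and any(p in args for p in USER_WRITABLE):
            reasons.append(f"{ntpath.basename(cmd)} launches a payload from a user-writable path")

    recurring = sorted(triggers & PERSISTENT_TRIGGERS)
    if reasons and recurring:
        reasons.append("re-runs via " + ", ".join(recurring))
    return {"suspicious": bool(reasons), "reasons": reasons, "triggers": sorted(triggers)}


def triage_4698(events: list[dict]) -> list[dict]:
    """Run the check over parsed 4698 events and keep only the suspicious ones."""
    hits = []
    for ev in events:
        verdict = analyze_task_xml(ev["TaskContent"])
        if verdict["suspicious"]:
            hits.append({"task": ev["TaskName"], "creator": ev["SubjectUserName"],
                         "reasons": verdict["reasons"]})
    return hits


# Constructed task definitions (vendor, user and file names are illustrative).
BENIGN_TASK = """\
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files\\ExampleVendor\\updater.exe</Command><Arguments>/check</Arguments>
  </Exec></Actions>
</Task>"""

SUSPICIOUS_TASK = """\
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\regsvr32.exe</Command>
    <Arguments>/s "C:\\Users\\alice\\AppData\\Roaming\\npp\\loader.dll"</Arguments>
  </Exec></Actions>
</Task>"""

SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "svc_updates", "TaskName": "\\ExampleVendor\\Update", "TaskContent": BENIGN_TASK},
    {"EventID": 4698, "SubjectUserName": "alice", "TaskName": "\\npp-update", "TaskContent": SUSPICIOUS_TASK},
]

if __name__ == "__main__":
    for hit in triage_4698(SAMPLE_EVENTS):
        print(hit["task"], "created by", hit["creator"], "->", "; ".join(hit["reasons"]))
```

Auditing of task creation must be enabled for 4698 to be logged at all, so the first thing to verify in an environment is that the events exist; the trigger classification is only reported alongside another reason, since a logon or boot trigger on its own is what most legitimate updaters use.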

This latest evolution of the malware is another example of the growing complexity of the cyber threats that organizations combat today. As cybercriminals become more sophisticated and develop new tactics, the threat landscape is getting harder to navigate.

“While it sounds simple, Matanbuchus developers implemented advanced techniques to schedule a task through the usage of [COM] and injection of shellcode,” – Michael Gorelik