Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

New Matanbuchus Campaign drops Cobalt Strike beacons

Matanbuchus malware-as-a-service (Maas) has been observed spreading through phishing campaigns, dropping Cobalt Strike beacons. Threat intelligence firm Cyble has observed a malware-as-a-service (Maas), named Matanbuchus, involved in malspam attacks dropping Cobalt Strike beacons. Matanbuchus is a malware loader that first appeared on the threat landscape in February 2021, when it was offered for rent on Russian-speaking […]

matanbuchus

Matanbuchus malware-as-a-service (Maas) has been observed spreading through phishing campaigns, dropping Cobalt Strike beacons.

Threat intelligence firm Cyble has observed a malware-as-a-service (Maas), named Matanbuchus, involved in malspam attacks dropping Cobalt Strike beacons.

Matanbuchus is a malware loader that first appeared on the threat landscape in February 2021, when it was offered for rent on Russian-speaking cybercrime forums at a price of $2500.

Cyble researchers started their investigation after coming across a Twitter post from a researcher warning of the loader spreading through spam campaigns.

matanbuchus

Matanbuchus could be used in a multi-stage attack chain due to its capability to download and execute second-stage executables from C2 servers.

The Matanbuchus attack chain starts through malspam messages using a ZIP attachment containing an HTML file. Once executed the HTML file, it decodes the base64 content embedded in the file and drops a ZIP file in the Downloads folder.

“However, there is a code present in the HTML file which shows that the ZIP file is in the OneDrive location. The ZIP file contains an MSI installer file. After extraction, it shows a fake error message upon the execution of the MSI file.” reads the analysis published by Cyble.

The MSI installer displays a fake error message upon execution while installing a DLL file (“main.dll”) in the background.

The ‘main.dll’ acts as a loader and downloads the actual Matanbuchus DLL from the C&C server. The DLL also establishes persistence by means of a scheduled task.

“Threat Actors use various techniques to deploy their malicious payloads into the victim’s system. In this case, we observed the TAs used Matanbuchus malware loader to deliver Cobalt Strike Beacons.” concludes Cyble.

The report also includes MITRE ATT&CK® Techniques and Indicators of Compromise.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Matanbuchus)

[adrotate banner=”5″]

[adrotate banner=”13″]