Security researchers have noticed a new malicious spam campaign that delivers the ‘Matanbuchus’ malware to place Cobalt Strike beacons on compromised machines.
Cobalt Strike is a penetration testing suite commonly used by threat actors for lateral movement and to drop additional payloads.
Matanbuchus is a malware-as-a-service (MaaS) project that was first spotted in February 2021 in dark web advertisements and promoted it as a $2500 loader that launches executable files directly in system memory.
Palo Alto Networks Unit 42 has analyzed it in June 2021 and mapped extensive parts of its operational infrastructure. Features of the malware include launching custom PowerShell commands, using standalone executables to load DLL payloads, and establishing persistence through the addition of task schedules.
Ongoing campaign
threat analyst Brad Duncan took a sample of the malware and examined how it works in a lab setting.
The malspam campaign currently underway uses lures masquerading as replies to previous email conversations, so they have a ‘Re:’ in the subject line.
The emails contain a ZIP attachment that contains an HTML file that generates a new ZIP archive. This ultimately extracts an MSI package digitally signed with a valid certificate issued by DigiCert for “Westeast Tech Consulting, Corp.”
Running the MSI installer supposedly launches an Adobe Acrobat font catalog update that ends with an error message, to distract the victim from what happened behind the scenes.
In the background, two Matanbuchus DLL payloads (“main.dll”) are dropped in two different locations, a scheduled task is created to maintain persistence during system reboots, and communication with the command and control server (C2) established.
Finally, Matanbuchus loads the Cobalt Strike payload from the C2 server, paving the way for wider exploitation potential.
.jpg?resize=1139%2C600&ssl=1)
Cobalt Strike as a second stage payload in Metanbuchus malspam campaign was first reported by DCSOa German security company, on May 23, 2022. They also noticed that in some cases Qakbot was also delivered.
Interestingly enough, in that campaign, the digital signature used for the MSI file was again a valid DigiCert signature issued to ‘Advanced Access Services LTD’.
For recent indicators of compromise, defenders can check out collected by DCSO and the IoCs posted by ‘Run malwareabout the current campaign.
Duncan also has posted on his website traffic examples, artifacts, examples and indicators of compromises (IoCs).