Wave of

Wave of ‘Matanbuchus’ Spam Infects Cobalt Strike Devices

Wave of 'Matanbuchus' Spam Infects Cobalt Strike Devices

Security researchers have noticed a new malicious spam campaign that delivers the ‘Matanbuchus’ malware to place Cobalt Strike beacons on compromised machines.

Cobalt Strike is a penetration testing suite commonly used by threat actors for lateral movement and to drop additional payloads.

Matanbuchus is a malware-as-a-service (MaaS) project that was first spotted in February 2021 in dark web advertisements and promoted it as a $2500 loader that launches executable files directly in system memory.

Palo Alto Networks Unit 42 has analyzed it in June 2021 and mapped extensive parts of its operational infrastructure. Features of the malware include launching custom PowerShell commands, using standalone executables to load DLL payloads, and establishing persistence through the addition of task schedules.

Ongoing campaign

threat analyst Brad Duncan took a sample of the malware and examined how it works in a lab setting.

The malspam campaign currently underway uses lures masquerading as replies to previous email conversations, so they have a ‘Re:’ in the subject line.

The emails contain a ZIP attachment that contains an HTML file that generates a new ZIP archive. This ultimately extracts an MSI package digitally signed with a valid certificate issued by DigiCert for “Westeast Tech Consulting, Corp.”

Valid digital certificate used for the MSI file
Valid digital certificate used for the MSI file (isc.sans.edu)

Running the MSI installer supposedly launches an Adobe Acrobat font catalog update that ends with an error message, to distract the victim from what happened behind the scenes.

In the background, two Matanbuchus DLL payloads (“main.dll”) are dropped in two different locations, a scheduled task is created to maintain persistence during system reboots, and communication with the command and control server (C2) established.

Snapshot of malicious network traffic
Snapshot of malicious network traffic (isc.sans.edu)

Finally, Matanbuchus loads the Cobalt Strike payload from the C2 server, paving the way for wider exploitation potential.

Matanbuchus current chain of infection
Matanbuchus current chain of infection (isc.sans.edu)

Cobalt Strike as a second stage payload in Metanbuchus malspam campaign was first reported by DCSOa German security company, on May 23, 2022. They also noticed that in some cases Qakbot was also delivered.

Interestingly enough, in that campaign, the digital signature used for the MSI file was again a valid DigiCert signature issued to ‘Advanced Access Services LTD’.

The Matanbuchus Dashboard
The exposed Matanbuchus dashboard (Blooping Computer)

For recent indicators of compromise, defenders can check out collected by DCSO and the IoCs posted by ‘Run malwareabout the current campaign.

Duncan also has posted on his website traffic examples, artifacts, examples and indicators of compromises (IoCs).

Leave a Comment

Your email address will not be published.