Hackers send spam with Matanbuchus loader, infecting systems with Cobalt Strike



Information security researchers have discovered a new spam campaign in which attackers infect victims' systems with the Matanbuchus loader, which in turn downloads Cobalt Strike beacons to the compromised machines.

Cobalt Strike is a commercial penetration-testing and adversary-simulation toolkit that is frequently abused by cybercriminals to move laterally through compromised networks and to download additional payloads.

Matanbuchus has been sold under the malware-as-a-service (MaaS) model since February 2021. Researchers from Palo Alto Networks' Unit 42 analyzed the malware in June 2021 and mapped large parts of its operational infrastructure.

Security researcher Brad Duncan obtained a Matanbuchus sample and analyzed it in a lab. The loader can run PowerShell commands, load DLLs, and persist on the system by creating scheduled tasks.

In the ongoing spam campaign, the attackers craft emails that pose as replies to a message the victim supposedly sent, prepending "Re:" to the subject line so the lure looks like part of an existing conversation.

The malicious email carries a ZIP archive containing an HTML file. When opened in a browser, the HTML file generates a second ZIP archive locally (HTML smuggling), so the actual payload never passes through the mail gateway as a scannable attachment. That second archive contains an MSI package signed with a valid code-signing certificate issued to Westeast Tech Consulting by DigiCert. A valid signature only proves the package was not altered after signing; the signer identity, not the mere presence of a signature, is what should be checked against the vendor the installer claims to come from.
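The HTML smuggling step described above can be triaged statically, without executing the lure's JavaScript. The following is an added example for this article, not code from the campaign or from the researchers cited: it reconstructs the generic smuggling pattern (a base64 blob decoded with `atob()` and handed to the browser as a download), builds a constructed sample lure around a placeholder ZIP, and then carves every base64 run out of the HTML that decodes to a known file type. The file name `invoice.msi` and the lure's markup are assumptions, not the real campaign's artifacts.

```python
"""Static extraction of a payload smuggled inside an HTML file.

Added example for this article; not the campaign's code and not the cited
researchers' tooling. The sample HTML is constructed here from a
placeholder ZIP so the script runs offline.
"""
from __future__ import annotations

import base64
import binascii
import io
import re
import zipfile
from typing import Optional

# A base64 run long enough to hold a real file; shorter runs are usually
# inline CSS/JS noise. Trailing '=' padding is kept so decoding validates.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

# File-type magics worth reporting when found inside a decoded blob.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-compound (msi/doc/xls)",
    b"MZ": "pe",
}


def _file_type(data: bytes) -> Optional[str]:
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def extract_smuggled(html: str) -> list[tuple[str, bytes]]:
    """Return (type, bytes) for each base64 blob that decodes to a known file type."""
    found = []
    for m in _B64_RUN.finditer(html):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue  # not valid base64 after all (bad padding, odd length)
        kind = _file_type(data)
        if kind:
            found.append((kind, data))
    return found


def list_zip_members(data: bytes) -> list[str]:
    """List member names of a carved ZIP without extracting anything to disk."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_sample_html() -> str:
    """Constructed lure: a ZIP holding a placeholder 'invoice.msi', smuggled via atob()+Blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder bytes only; repeated so the blob is large enough to be carved.
        zf.writestr("invoice.msi", b"placeholder, not a real installer\n" * 8)
    b64 = base64.b64encode(buf.getvalue()).decode()
    # Typical smuggling pattern: decode in the page, wrap in a Blob, force a download.
    return f"""<html><body><script>
var p = "{b64}";
var bytes = Uint8Array.from(atob(p), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/zip"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "invoice.zip"; a.click();
</script></body></html>"""


if __name__ == "__main__":
    for kind, data in extract_smuggled(build_sample_html()):
        print(kind, len(data), "bytes")
        if kind == "zip":
            print("  members:", list_zip_members(data))
```

Run the same `extract_smuggled` over the HTML pulled from a quarantined message to recover the second-stage archive for sandboxing; carving on magic bytes rather than on the JavaScript keeps the check working when the script is obfuscated, as long as the payload itself is plain base64.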

Running the MSI installer displays a fake Adobe Acrobat font catalog update that ends with an error message, a decoy meant to keep the victim from noticing what is happening in the background. Meanwhile, two Matanbuchus DLLs (main.dll) are written to two different locations, a scheduled task is created so the loader survives reboots, and a connection is established with the command-and-control (C2) server.
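The scheduled-task persistence mentioned above is the part of this chain a defender can check for generically: a task whose action runs a proxy executor (rundll32, regsvr32, mshta and the like) against a DLL or script under a user-writable directory, triggered at boot or logon. The following is an added example for this article, not a published detection rule and not the campaign's code. It assumes task-creation events have already been parsed into dicts with the fields shown (roughly what Windows Security event 4698 or a Sysmon-based pipeline provides); the two sample events are constructed, and the task name, DLL path and rundll32 entry point in the second one are assumptions, since the article does not say how the dropped DLL is launched.

```python
"""Triage of scheduled-task creation events for loader-style persistence.

Added example for this article; not the campaign's code and not a vendor
rule. Input events are assumed to be pre-parsed dicts; the samples below
are constructed, not real telemetry.
"""
import re

# Directories a standard user can write to. A task action rooted here is a
# far weaker trust signal than one under Program Files or System32.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\appdata\\|"
    r"[a-z]:\\users\\public\\|"
    r"[a-z]:\\programdata\\|"
    r"[a-z]:\\windows\\temp\\)",
    re.IGNORECASE,
)

# Living-off-the-land binaries commonly used to run a dropped DLL or script.
PROXY_EXECUTORS = {
    "rundll32.exe", "regsvr32.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "powershell.exe",
}

# Absolute Windows paths inside a command line, quoted or not.
PATH_RE = re.compile(r'"?([a-z]:\\[^"\s]+)"?', re.IGNORECASE)


def suspicious_task(event: dict) -> list[str]:
    """Return the reasons a task-creation event looks like persistence; empty if none."""
    reasons = []
    command = event.get("command", "")
    args = event.get("arguments", "")
    exe = command.rsplit("\\", 1)[-1].strip('"').lower()
    if exe in PROXY_EXECUTORS:
        reasons.append(f"action uses proxy executor {exe}")
    for path in PATH_RE.findall(command + " " + args):
        if USER_WRITABLE.match(path):
            reasons.append(f"references user-writable path {path}")
    if event.get("trigger") in {"BOOT", "LOGON"}:
        reasons.append(f"runs at {event['trigger']}")
    return reasons


def triage(events) -> dict:
    """Map task name -> reasons for every event that raised at least one reason."""
    out = {}
    for e in events:
        reasons = suspicious_task(e)
        if reasons:
            out[e["task"]] = reasons
    return out


# Constructed sample events (not real telemetry). The second one models the
# persistence described in the article with an assumed task name, DLL path
# and rundll32 export; the real campaign's values may differ.
SAMPLE_EVENTS = [
    {"task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "%windir%\\system32\\defrag.exe",
     "arguments": "-c -h -o -$", "trigger": "CALENDAR"},
    {"task": "\\AdobeFontUpdate",
     "command": "C:\\Windows\\System32\\rundll32.exe",
     "arguments": "\"C:\\Users\\alice\\AppData\\Roaming\\Adobe\\main.dll\",Start",
     "trigger": "LOGON"},
]

if __name__ == "__main__":
    for task, reasons in triage(SAMPLE_EVENTS).items():
        print(task)
        for r in reasons:
            print("  -", r)
```

The three signals are scored independently on purpose: a legitimate installer also registers logon tasks, and some vendors do launch DLLs through rundll32, but an action that combines a proxy executor, a user-writable path and a logon trigger is rarely benign and is worth pulling the DLL for analysis.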

Finally, Matanbuchus fetches a Cobalt Strike beacon from the C2 server, giving the attackers a foothold for follow-on activity on the compromised host.
