
Wave of ‘Matanbuchus’ spam is infecting devices with Cobalt Strike

Security researchers have noticed a new malicious spam campaign that delivers the ‘Matanbuchus’ malware to drop Cobalt Strike beacons on compromised machines.

Cobalt Strike is a commercial penetration testing and adversary emulation suite that threat actors frequently abuse for lateral movement and for dropping additional payloads.

Matanbuchus is a malware-as-a-service (MaaS) project first spotted in February 2021 in advertisements on the dark web promoting it as a $2,500 loader that launches executables directly into system memory.

Palo Alto Networks’ Unit 42 analyzed it in June 2021 and mapped extensive parts of its operational infrastructure. The malware’s features include running custom PowerShell commands, using standalone executables to load DLL payloads, and establishing persistence by adding scheduled tasks.

Ongoing campaign

Threat analyst Brad Duncan captured a sample of the malware and examined how it works in a lab environment.

The malspam campaign currently underway uses lures that pretend to be replies to previous email conversations, so they feature a ‘Re:’ in the subject line.

The emails carry a ZIP attachment containing an HTML file; when opened, the HTML file assembles a second ZIP archive locally in the browser (the technique known as HTML smuggling). That archive ultimately yields an MSI package digitally signed with a valid certificate issued by DigiCert to “Westeast Tech Consulting, Corp.”

Valid digital certificate used on the MSI file (isc.sans.edu)

Running the MSI installer purports to start an Adobe Acrobat font catalog update that ends in an error message, which distracts the victim from what is happening in the background.

Behind that decoy, two Matanbuchus DLL payloads (both named “main.dll”) are dropped in two different locations, a scheduled task is created to maintain persistence across reboots, and communication with the command and control (C2) server is established.

Snapshot of malicious network traffic (isc.sans.edu)

Finally, Matanbuchus retrieves the Cobalt Strike payload from the C2 server, giving the operators an interactive foothold on the host for follow-on activity such as lateral movement.

Matanbuchus current infection chain (isc.sans.edu)
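The chain summarized above (a validly signed MSI, the same DLL name dropped in two places, a scheduled task for persistence, then outbound C2 traffic) is the kind of sequence a defender can hunt for in endpoint telemetry without knowing the campaign’s specific hashes or domains. The following is an added example, not code from the article or from the researchers it cites: it runs three behavioural rules over constructed Sysmon-style events. Every path, task name, signer string and address in the sample data is made up for illustration and is not an indicator from this campaign; the publisher allowlist is likewise an assumption about how an organization would vet installers.

```python
"""Hunting logic for the installer chain described above: a validly signed MSI
that drops the same DLL name into two locations, registers a scheduled task,
and then connects out to a C2 server.

Added example, not code from the article or the researchers it cites. All
event records, paths, names and addresses below are constructed and are not
indicators from the campaign."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: the organization maintains an allowlist of vetted publishers.
# A valid Authenticode signature only proves the signer controlled a key a CA
# was willing to certify; it says nothing about whether the package is safe.
TRUSTED_PUBLISHERS = {"microsoft corporation"}

# Constructed Sysmon-style events: one suspicious install (pid 4100) and one
# benign control (pid 5200). None of these values are real indicators.
SAMPLE_EVENTS = [
    {"type": "msi_install", "pid": 4100, "sig_valid": True,
     "signer": "Example Consulting Corp",
     "package": r"C:\Users\alice\Downloads\font_update.msi"},
    {"type": "file_create", "pid": 4100,
     "path": r"C:\Users\alice\AppData\Local\Temp\main.dll"},
    {"type": "file_create", "pid": 4100,
     "path": r"C:\Users\alice\AppData\Roaming\FontCache\main.dll"},
    {"type": "task_create", "pid": 4100, "task": r"\FontCacheRefresh",
     "action": r"rundll32.exe C:\Users\alice\AppData\Roaming\FontCache\main.dll,Start"},
    {"type": "net_connect", "pid": 4100, "dst": "203.0.113.10:443"},
    {"type": "msi_install", "pid": 5200, "sig_valid": True,
     "signer": "Microsoft Corporation",
     "package": r"C:\Installers\tool.msi"},
    {"type": "file_create", "pid": 5200,
     "path": r"C:\Program Files\Tool\helper.dll"},
    {"type": "net_connect", "pid": 5200, "dst": "198.51.100.7:443"},
]


def installer_findings(events, install):
    """Return the list of (rule, detail) hits for one msi_install event."""
    pid = install["pid"]
    findings = []

    # Rule 1: signed, but by a publisher nobody in the organization has vetted.
    signer = (install.get("signer") or "").lower()
    if install.get("sig_valid") and signer not in TRUSTED_PUBLISHERS:
        findings.append(("unvetted_signer", install["signer"]))

    # Rule 2: the same DLL file name written into two or more directories.
    dll_paths = []
    dirs_by_name = defaultdict(set)
    for e in events:
        if e["type"] == "file_create" and e["pid"] == pid:
            p = PureWindowsPath(e["path"])
            if p.suffix.lower() == ".dll":
                dll_paths.append(str(p).lower())
                dirs_by_name[p.name.lower()].add(str(p.parent).lower())
    for name, dirs in sorted(dirs_by_name.items()):
        if len(dirs) >= 2:
            findings.append(("dll_dropped_in_multiple_dirs", name))

    # Rule 3: a scheduled task whose action loads one of the dropped DLLs.
    for e in events:
        if e["type"] == "task_create" and e["pid"] == pid:
            action = e["action"].lower()
            if any(path in action for path in dll_paths):
                findings.append(("task_persistence_for_dropped_dll", e["task"]))

    # Rule 4: outbound connection from the installer process itself. Weak on
    # its own (installers fetch updates), so it only matters with other hits.
    for e in events:
        if e["type"] == "net_connect" and e["pid"] == pid:
            findings.append(("installer_outbound", e["dst"]))
    return findings


def triage(events, min_hits=2):
    """Map each install pid to its findings when at least min_hits rules fire."""
    result = {}
    for e in events:
        if e["type"] == "msi_install":
            hits = installer_findings(events, e)
            if len(hits) >= min_hits:
                result[e["pid"]] = hits
    return result


if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(f"pid {pid}")
        for rule, detail in hits:
            print(f"  {rule}: {detail}")
```

The point of requiring two or more rule hits is that each rule alone is noisy: plenty of legitimate installers are signed by publishers you have never vetted, and plenty phone home. The combination of an unvetted signer, a DLL name duplicated across user-writable directories, and a scheduled task pointing at that DLL is what distinguishes the loader pattern from ordinary software installation.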

Cobalt Strike as a second-stage payload in the Matanbuchus malspam campaign was first reported by DCSO, a German security company, on May 23, 2022. DCSO also observed Qakbot being delivered in some cases.

Interestingly, in that campaign the MSI file’s digital signature was again valid and issued by DigiCert, this time to “Advanced Access Services LTD.” A valid signature only attests that the package has not been altered since it was signed by the named entity; it says nothing about whether that entity, or its certificate, should be trusted.

The exposed Matanbuchus dashboard (Bleeping Computer)

For recent indicators of compromise, defenders can check those collected by DCSO and the IoCs posted by ‘Execute Malware’ about the ongoing campaign.

Duncan has also posted on his website traffic samples, artifacts, examples, and indicators of compromise (IoCs).

Source: https://www.bleepingcomputer.com/news/security/wave-of-matanbuchus-spam-is-infecting-devices-with-cobalt-strike/
