Security researchers have noticed a new malicious spam campaign that delivers the ‘Matanbuchus’ malware to drop Cobalt Strike beacons on compromised machines.
Cobalt Strike is a penetration testing suite that is frequently used by threat actors for lateral movement and to drop additional payloads.
Matanbuchus is a malware-as-a-service (MaaS) project first spotted in February 2021 in advertisements on the dark web promoting it as a $2,500 loader that launches executables directly into system memory.
Palo Alto Networks’ Unit 42 analyzed it in June 2021 and mapped extensive parts of its operational infrastructure. The malware’s features include launching custom PowerShell commands, leveraging standalone executables to load DLL payloads, and establishing persistence via the addition of task schedules.
Ongoing campaign
Threat analyst Brad Duncan captured a sample of the malware and examined how it works in a lab environment.
The malspam campaign currently underway uses lures that pretend to be replies to previous email conversations, so they feature a ‘Re:’ in the subject line.
The emails carry a ZIP attachment that contains an HTML file that generates a new ZIP archive. This ultimately extracts an MSI package digitally signed with a valid certificate issued by DigiCert for “Westeast Tech Consulting, Corp.”
Running the MSI installer supposedly initiates an Adobe Acrobat font catalog update that ends with an error message, to distract the victim from what happened behind the scenes.
In the background, two Matanbuchus DLL payloads (“main.dll”) are dropped in two different locations, a scheduled task is created to maintain persistence across system reboots, and communication with the command and control (C2) server is established.
Finally, Matanbuchus loads the Cobalt Strike payload from the C2 server, opening the way to wider exploitation potential.
.jpg)
Cobalt Strike as a second-stage payload in Metanbuchus malspam campaign was first reported by DCSO, a German security company, on May 23, 2022. They also noticed that Qakbot was also delivered in some cases.
Interestingly, in that campaign, the digital signature used for the MSI file was again a valid one from DigiCert, issued to “Advanced Access Services LTD.”
For recent indicators of compromise, defenders can check out those collected by DCSO and the IoCs posted by ‘Execute Malware‘ about the ongoing campaign.
Duncan has also posted on his website traffic samples, artifacts, examples, and indicators of compromise (IoCs).
