Security researchers have discovered a new malicious spam campaign that delivers the ‘Matanbuchus’ malware to drop Cobalt Strike beacons on compromised machines.
Cobalt Strike is a penetration testing suite that is frequently used by threat actors for lateral movement and to drop additional payloads.
First spotted in February 2021 in advertisements on the dark web, Matanbuchus is a malware-as-a-service (MaaS) project that was promoted as a $2,500 loader that launches executables directly into system memory.
Palo Alto Networks’ Unit 42 analysed the malware in June 2021 and mapped extensive parts of its operational infrastructure. The malware’s features include launching PowerShell commands, establishing persistence via the addition of task schedules, and leveraging standalone executables to load DLL payloads.
Threat analyst Brad Duncan captured and examined (in a lab environment) a sample of the malware.
The malspam campaign uses lures that pretend to be replies to previous email conversations, so they feature a ‘Re:’ in the subject line.
These emails carry a ZIP attachment that contains an HTML file that generates a new ZIP ar5chive. This then extracts an MSI package digitally signed with a valid certificate issued by DigiCert for “Westeast Tech Consulting Corp.”
Running the MSI installer supposedly initiates an Adobe Acrobat font catalogue update that ends with an error message, aiming to distract the victim.
In the background, two Matanbuchus DLL payloads (“main.dll”) are dropped in two different locations, a scheduled task is created to maintain persistence across system reboots, and communication with the command and control (C2) server is established.
Finally, the malware loads the Cobalt Strike payload from the C2 server.
Cobalt Strike as a second-stage payload in Matanbuchus malspam campaign was first reported by DCSO, a German security company, on 23rd May 2022. The also noticed that Qakbot was also delivered in some cases.
Duncan has also posted on his website traffic samples, artefacts, indicators of compromise (IoCs), and examples.
