Notepad++ Now Opens Not Only Text Files, But Also Doors For Hackers

Posted by Megiddo (staff member)
Matanbuchus does not write to disk and does not require elevated privileges, yet it still gains control of the host.

The new version of the Matanbuchus malicious downloader, designated 3.0, has drawn particular attention from information security specialists. It has received a major update aimed at increasing stealth and evading modern security products. Matanbuchus has been offered as a service on hacker forums since February 2021, initially for $2,500, and has served as a conduit for delivering follow-on malicious components such as Cobalt Strike and ransomware.

Since its appearance, Matanbuchus has been actively used to infect victims through a variety of schemes: phishing emails with malicious links to Google Drive, drive-by downloads from compromised sites, malicious MSI installers, and even malicious advertisements. It has been used to download and run other malware, including DanaBot and QakBot, which often precede ransomware attacks.

The Matanbuchus 3.0 update significantly expands the malware's capabilities. According to Morphisec, the latest version features an improved command-and-control protocol, in-memory code execution, stronger code obfuscation, and reverse shells over CMD and PowerShell. In addition, the downloader can now launch additional DLLs, EXEs, and shellcode components.

In practice, the new version surfaced in a recent incident in which an unnamed company was targeted via Microsoft Teams calls. The attackers posed as tech support, convinced employees to launch the Quick Assist remote access tool, and then had them run a PowerShell script that installed Matanbuchus. Similar social engineering techniques have previously been seen in attacks attributed to the Black Basta group.

Specifically, the attackers used an archive containing a modified Notepad++ updater (GUP), a modified XML configuration file, and a DLL containing the loader itself. The malicious code was thus introduced into the system by replacing a legitimate component.

Renting Matanbuchus 3.0 now costs $10,000 per month for the HTTPS version and $15,000 for the DNS version. Once launched, the malware collects information about the system, checks for antivirus software and administrator rights, and sends the collected data to the control server. In response, the server delivers additional malicious components, most often as MSI files or EXE executables.

Persistence is achieved by creating a scheduled task. However, instead of standard tools, the loader uses more complex methods: it injects shellcode into processes and registers the task by manipulating the ITaskService COM interface directly.

Matanbuchus 3.0 also lets operators remotely retrieve a list of active processes, services and installed applications. Support for commands such as regsvr32, rundll32 and msiexec, together with the Process Hollowing technique, makes it a versatile tool in the cybercriminal arsenal.
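The replaced-updater delivery, the COM-registered scheduled task and the LOLBin commands described above each leave telemetry a defender can match on. The following triage rules are an added example written for this post, not code from Morphisec or from the malware write-up; the event records are constructed, the schema is a simplified stand-in for Sysmon process-create/image-load and scheduled-task events, and every path and DLL name in them is made up.

```python
import re

# Constructed sample telemetry (not real logs): a simplified stand-in for Sysmon
# process-create ("proc") and image-load ("load") records plus a scheduled-task
# registration ("task") record. All paths, task names and DLL names are made up.
SAMPLE_EVENTS = [
    {"kind": "proc", "image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "parent": r"C:\Program Files\Notepad++\notepad++.exe"},            # normal update check
    {"kind": "proc", "image": r"C:\Users\alice\AppData\Local\Temp\gup\GUP.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\gup\7zFM.exe"},      # updater run from an archive
    {"kind": "load", "image": r"C:\Users\alice\AppData\Local\Temp\gup\GUP.exe",
     "module": r"C:\Users\alice\AppData\Local\Temp\gup\loader.dll", "signed": False},
    {"kind": "proc", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\gup\GUP.exe"},       # LOLBin spawned by it
    {"kind": "proc", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe"},                              # ordinary install
    {"kind": "task", "creator": r"C:\Users\alice\AppData\Local\Temp\gup\GUP.exe",
     "task": r"\UpdaterCheck"},                                           # task registered via COM
    {"kind": "task", "creator": r"C:\Windows\System32\schtasks.exe",
     "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
]

LOLBINS = {"regsvr32.exe", "rundll32.exe", "msiexec.exe"}      # the binaries named in the post
TASK_TOOLS = {"schtasks.exe", "mmc.exe", "svchost.exe"}          # usual scheduled-task creators
USER_WRITABLE = re.compile(r"\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)
INSTALL_DIR = re.compile(r"^C:\\Program Files( \(x86\))?\\Notepad\+\+\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (rule, detail) findings for behaviours matching the described chain."""
    findings = []
    for e in events:
        kind, image = e["kind"], e.get("image", "")
        if kind == "load" and basename(image) == "gup.exe" and not e["signed"]:
            findings.append(("unsigned-dll-loaded-by-updater", e["module"]))
        elif kind == "proc" and basename(image) == "gup.exe" and not INSTALL_DIR.match(image):
            findings.append(("updater-outside-install-dir", image))
        elif kind == "proc" and basename(image) in LOLBINS and USER_WRITABLE.search(e["parent"]):
            findings.append(("lolbin-from-user-writable-parent", e["parent"]))
        elif kind == "task" and basename(e["creator"]) not in TASK_TOOLS:
            findings.append(("task-registered-by-unexpected-process", e["task"]))
    return findings

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

On the constructed sample the benign updater launch, the explorer-spawned msiexec and the schtasks-created task produce no findings; the four rows tied to the archive-delivered updater do.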

Experts note that this version is part of a wider trend toward stealthy loaders that rely on legitimate system components (LOLBins), COM hijacking and PowerShell stagers, all of which let them remain undetected on infected systems for a long time. At the same time, attackers are increasingly using corporate communication tools such as Microsoft Teams and Zoom for initial access.