A malware-as-a-service (Maas) dubbed Matanbuchus has been observed spreading through phishing campaigns, ultimately dropping the Cobalt Strike post-exploitation framework on compromised machines.
Matanbuchus, like other malware loaders such as BazarLoader, Bumblebee, and Colibri, is engineered to download and execute second-stage executables from command-and-control (C&C) servers on infected systems without detection.
Available on Russian-speaking cybercrime forums for a price of $2,500 since February 2021, the malware is equipped with capabilities to launch .EXE and .DLL files in memory and run arbitrary PowerShell commands.
The findings, released by threat intelligence firm Cyble last week, document the latest infection chain associated with the loader, which is linked to a threat actor who goes by the online moniker BelialDemon.
“If we look historically, BelialDemon has been involved in the development of malware loaders,” Unit 42 researchers Jeff White and Kyle Wilhoit noted in a June 2021 report. “BelialDemon is considered the primary developer of TriumphLoader, a loader previously posted about on several forums, and has experience with selling this type of malware.”
The spam emails distributing Matanbuchus come with a ZIP file attachment containing an HTML file that, upon opening, decodes the Base64 content embedded in the file and drops another ZIP file on the system.
The archive file, in turn, includes an MSI installer file that displays a fake error message upon execution while stealthily deploying a DLL file (“main.dll”) as well as downloading the same library from a remote server (“telemetrysystemcollection[.]com”) as a fallback option.
“The main function of dropped DLL files (‘main.dll’) is to act as a loader and download the actual Matanbuchus DLL from the C&C server,” Cyble researchers said, in addition to establishing persistence by means of a scheduled task.
For its part, the Matanbuchus payload establishes a connection to the C&C infrastructure to retrieve next-stage payloads, in this case, two Cobalt Strike Beacons for follow-on activity.
The development comes as researchers from Fortinet FortiGuard Labs disclosed a new variant of a malware loader called IceXLoader that’s programmed in Nim and is being marketed for sale on underground forums.
Featuring abilities to evade antivirus software, phishing attacks involving IceXLoader have paved the way for DarkCrystal RAT (aka DCRat) and rogue cryptocurrency miners on hacked Windows hosts.
“This need to evade security products could be a reason the developers chose to transition from AutoIt to Nim for IceXLoader version 3,” the researchers said. “Since Nim is a relatively uncommon language for applications to be written in, threat actors take advantage of the lack of focus on this area in terms of analysis and detection.”
