Wave of 'Matanbuchus' spam is infecting devices with Cobalt Strike

Security researchers have noticed a new malicious spam campaign that delivers the 'Matanbuchus' malware to drop Cobalt Strike beacons on compromised machines.

Cobalt Strike is a penetration testing suite that is frequently used by threat actors for lateral movement and to drop additional payloads.

Matanbuchus is a malware-as-a-service (MaaS) project first spotted in February 2021 in advertisements on the dark web promoting it as a $2,500 loader that launches executables directly into system memory.

Palo Alto Networks' Unit 42 analyzed it in June 2021 and mapped extensive parts of its operational infrastructure. The malware's features include launching custom PowerShell commands, leveraging standalone executables to load DLL payloads, and establishing persistence via the addition of task schedules.

Ongoing campaign

Threat analyst Brad Duncan captured a sample of the malware and examined how it works in a lab environment.

The malspam campaign currently underway uses lures that pretend to be replies to previous email conversations, so they feature a 'Re:' in the subject line.

The emails carry a ZIP attachment that contains an HTML file that generates a new ZIP archive. This ultimately extracts an MSI package digitally signed with a valid certificate issued by DigiCert for "Westeast Tech Consulting, Corp."
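The lure chain above (a reply-style subject, a ZIP attachment, an HTML file inside it, and a further archive produced by that HTML) can be checked for at the mail gateway. The script below is an added example written for this article, not code from the original page or from any of the researchers it cites; the attachment and file names are constructed, and the base64-blob heuristic for spotting an archive hidden inside the HTML is an assumption about how such a page carries its payload, not a description of the actual sample.

```python
"""Mail-gateway triage for the lure chain described above: a 'Re:' subject,
a ZIP attachment, an HTML file inside it, and a second archive hidden in
that HTML. All sample data below is constructed for the example."""
import base64
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
HTML_SUFFIXES = (".html", ".htm")
# Long runs of base64 text are candidate embedded payloads (assumption:
# a smuggling page carries its archive as one contiguous base64 string).
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")


def decoded_archives(html_text: str) -> list:
    """Return every base64 run in the HTML that decodes to a ZIP archive."""
    found = []
    for run in BASE64_RUN.findall(html_text):
        try:
            blob = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if blob.startswith(ZIP_MAGIC):
            found.append(blob)
    return found


def html_members(zip_bytes: bytes) -> list:
    """Names of HTML files stored directly in a ZIP attachment."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(HTML_SUFFIXES)]


def triage_message(subject: str, attachment_name: str, attachment: bytes) -> dict:
    """Score one message. 'suspicious' requires the whole chain: reply-style
    subject, ZIP attachment, HTML inside it, and an archive hidden in the HTML.
    A bare 'Re:' subject or a bare HTML-in-ZIP is only a weak signal on its own."""
    result = {"reply_lure": subject.strip().lower().startswith("re:"),
              "html_members": [], "smuggled_archives": 0, "suspicious": False}
    if not attachment_name.lower().endswith(".zip") or not attachment.startswith(ZIP_MAGIC):
        return result
    result["html_members"] = html_members(attachment)
    with zipfile.ZipFile(io.BytesIO(attachment)) as zf:
        for name in result["html_members"]:
            text = zf.read(name).decode("utf-8", errors="replace")
            result["smuggled_archives"] += len(decoded_archives(text))
    result["suspicious"] = (result["reply_lure"]
                            and bool(result["html_members"])
                            and result["smuggled_archives"] > 0)
    return result


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the malicious attachment: an inner ZIP holding a
    harmless text file, base64-encoded into an HTML page, which is itself zipped."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("placeholder.txt",
                    "constructed stand-in for the second-stage archive; "
                    "nothing here is executable")
    html = ("<html><body>Loading document...<!-- "
            + base64.b64encode(inner.getvalue()).decode() + " --></body></html>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Scan_0213.html", html)
    return outer.getvalue()


def build_benign_attachment() -> bytes:
    """Constructed benign comparison: a ZIP with a plain HTML file and no blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.html", "<html><body>Meeting notes</body></html>")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_message("Re: Invoice 4471", "Scan_0213.zip", build_sample_attachment()))
    print(triage_message("Re: Invoice 4471", "notes.zip", build_benign_attachment()))
```

Used as a triage signal rather than a blocking rule, the combination of all three observations is what matters: reply-style subjects and HTML files in ZIPs are both common in legitimate mail, but an HTML file that decodes to a second archive is rarely legitimate.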

Figure: Valid digital certificate used on the MSI file (isc.sans.edu)

Running the MSI installer supposedly initiates an Adobe Acrobat font catalog update that ends with an error message, to distract the victim from what happened behind the scenes.

In the background, two Matanbuchus DLL payloads ("main.dll") are dropped in two different locations, a scheduled task is created to maintain persistence across system reboots, and communication with the command and control (C2) server is established.
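The persistence step described above (an MSI install that drops the same DLL name in two locations and registers a scheduled task) leaves a trail that host telemetry can be checked for. The script below is an added example written for this article, not code from the original page or from the researchers it cites. The log records are constructed in the shape of a task-creation audit event; the use of rundll32.exe as the task action, the directory names, and the assumption that the task is registered from the msiexec.exe process tree are all hypothetical and not taken from the analyzed sample.

```python
"""Host-side triage for the persistence step described above: a scheduled
task registered during an MSI install whose action loads a DLL from a
user-writable directory. All log records below are constructed."""
import json
import re

# Directories a user-level installer can write to; a DLL launched from one
# of these by a scheduled task deserves a closer look.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
# Windows path ending in .dll, stopping at whitespace or quotes.
DLL_REF = re.compile(r"[a-z]:\\[^\s\"']+?\.dll", re.IGNORECASE)

# Constructed task-creation records (hypothetical field names and values).
SAMPLE_LOG = [
    r'{"task": "Updater_5c2f", "creator": "msiexec.exe", '
    r'"command": "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\main.dll,#1"}',
    r'{"task": "Updater_9a11", "creator": "msiexec.exe", '
    r'"command": "rundll32.exe \"C:\\ProgramData\\Fontcache\\main.dll\",#1"}',
    r'{"task": "Vendor Update Task", "creator": "setup.exe", '
    r'"command": "C:\\Program Files\\Vendor\\updater.exe /check"}',
]


def dll_paths(command: str) -> list:
    """Every DLL path referenced in a task's command line."""
    return DLL_REF.findall(command)


def is_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def assess_task(event: dict) -> dict:
    """Per-event flags; cross-event correlation is added by triage()."""
    paths = dll_paths(event.get("command", ""))
    flags = []
    if any(is_user_writable(p) for p in paths):
        flags.append("dll_in_user_writable_path")
    # Assumption: the installer's own process registers the task.
    if event.get("creator", "").lower() == "msiexec.exe":
        flags.append("registered_by_msiexec")
    return {"task": event.get("task", "?"), "dlls": paths, "flags": flags,
            "suspicious": False}


def triage(lines: list) -> list:
    """Assess each record, then correlate: the same DLL file name registered
    from two different directories mirrors the two-location drop above."""
    results = [assess_task(json.loads(line)) for line in lines]
    locations = {}
    for r in results:
        for p in r["dlls"]:
            name = p.lower().rsplit("\\", 1)[-1]
            locations.setdefault(name, set()).add(p.lower())
    for r in results:
        if any(len(locations[p.lower().rsplit("\\", 1)[-1]]) > 1 for p in r["dlls"]):
            r["flags"].append("same_dll_name_in_multiple_locations")
        # A DLL in a user-writable path plus at least one corroborating flag.
        r["suspicious"] = ("dll_in_user_writable_path" in r["flags"]
                           and len(r["flags"]) >= 2)
    return results


def suspicious_tasks(lines: list) -> list:
    return [r["task"] for r in triage(lines) if r["suspicious"]]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r)
```

The two-location correlation is the part worth keeping: a single DLL under a user profile is noisy, but the same file name registered from two different writable directories during one install window is a much narrower pattern.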

Figure: Snapshot of malicious network traffic (isc.sans.edu)

Finally, Matanbuchus loads the Cobalt Strike payload from the C2 server, giving the attackers a foothold for follow-on activity on the compromised machine.

Figure: Matanbuchus current infection chain (isc.sans.edu)

Cobalt Strike as a second-stage payload in a Matanbuchus malspam campaign was first reported by DCSO, a German security company, on May 23, 2022. DCSO also noticed that Qakbot was delivered in some cases.

Interestingly, in that campaign, the digital signature used for the MSI file was again a valid one from DigiCert, issued to "Advanced Access Services LTD."

Figure: The exposed Matanbuchus dashboard (Bleeping Computer)

For recent indicators of compromise, defenders can check out those collected by DCSO and the IoCs posted by 'Execute Malware' about the ongoing campaign.

Duncan has also posted on his website traffic samples, artifacts, examples, and indicators of compromise (IoCs).
