New Phishing Attack delivers Matanbuchus Malware to drop Cobalt Strike Beacons
Incident Report for Ascend Security Events
Resolved

Source: Bleeping Computer

Bleeping Computer has compiled recent research from several security analysts warning users of a spike in phishing attacks that deliver the 'Matanbuchus' malware, which in turn drops Cobalt Strike beacons on compromised machines. Matanbuchus is a malware-as-a-service (MaaS) project first spotted in dark web advertisements, while Cobalt Strike is a penetration testing suite that threat actors frequently abuse for lateral movement and for dropping additional payloads.

The malspam campaign currently underway uses lures that pretend to be replies to previous email conversations, so they feature a 'Re:' in the subject line. The emails carry a ZIP attachment that contains an HTML file that generates a new ZIP archive. This ultimately extracts an MSI package digitally signed with a valid certificate issued by DigiCert for "Westeast Tech Consulting, Corp.".

If executed, two Matanbuchus DLL payloads ("main.dll") are dropped in two different locations, a scheduled task is created to maintain persistence across system reboots, and communication with the command and control (C2) server is established. Finally, Matanbuchus loads the Cobalt Strike payload from the C2 server, opening the way to wider exploitation.

Indicators of Compromise (SHA-256 file hashes and IP addresses):
• 72426e6b8ea42012675c07bf9a2895bcd7eae15c82343b4b71aece29d96a7b22
• 6b2428fcf9e3a555a3a29fc5582baa1eda15e555c1c85d7bef7ac981d76b6068
• af534b21a0a0b0c09047e1f3d4f0cdd73fb37f03b745dbb42ffd2340a379dc42
• b9720e833fa96fec76f492295d7a46b6f524b958278d322c4ccecdc313811f11
• 23fe3af756e900b5878ec685b2c80acd6f821453c03d10d23871069b23a02926
• 53af0319d68b0dcbf7cb37559ddfd70cce8c526614c218b5765babdc54500a49
• 4242064d3f62b0ded528d89032517747998d2fe9888d5feaa2a3684de2370912
• d0e2e92ec9d3921dc73b962354c7708f06a1a34cce67e8b67af4581adfc7aaad
• 56ec91b8e594824a678508b694a7107d55cf9cd77a1e01a6a44993836b40ec7a
• cc08642ddbbb8f735a3263180164cda6cf3b73a490fc742d5c3e31130504e97c
• e3b98dac9c4c57a046c50ce530c79855c9fe4025a9902d0f45b0fb0394409730
• c117b17bf187a3d52278eb229a1f2ac8a73967d162ad0cfc55089d304b1cc8a7
• 82add858e5a64789b26c77e5ec4608e1f162aacbc9163920a0d4aa53eb3e9713
• 5708dced57f30ff79e789401360300fe3d5bdcf8f988ede6539b9608dfeb58fd
• 63242d49d842cdf699b0ec04ad7bba8867080f8337d3e0ec7e768d10573142b3
• 6c5eb5d9a66200f0ab69ee49ba6411abf29840bce00ed0681ec8b48e24fd83da
• ef4ea3976bad1cd68a2da2d926677c0cb04f4fc6e0b629b9a29a1c61ae984c46
• 19bbebd1e8ec335262e846149a893f4ce803f201e4dee7f3770d95287f9245f3
• de26167160e7df91bbd992a3523ea6a82049932b947452bb58e9eed3011c769a
• 7f0bf9496f21050fbc1a3ce5ad35dc300f595c71ad9e73ff5fc5c06b2e35a435
• 1bc74dfb2142e4929244c6c7e10415664d4e71a5301eaf8e03cb426fab0876f8
• face46e6593206867da39e47001f134a00385898a36b8142a21ad54954682666
• e22ec74cd833a85882d5a8e76fa3b35daff0b7390bfbcd6b1ab270fd3741ceea
• 2d8740ea16e9457a358ebea73ad377ff75f7aa9bdf748f0d801f5a261977eda4
• 5dcbffef867b44bbb828cfb4a21c9fb1fa3404b4d8b6f4e8118c62addbf859da
• c6e9477fd41ac9822269486c77d0f5d560ee2f558148ca95cf1de39dea034186
• 4fd90cf681ad260f13d3eb9e38b0f05365d3984e38cfba28f160b0f810ffd4d3
• 7e37d028789ab2b47bcab159da6458da2e8198617b0e7760174e4a0eea07d9c9
• f8cc2cf36e193774f13c9c5f23ab777496dcd7ca588f4f73b45a7a5ffa96145e
• 0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489
• 39ec827d24fe68d341cff2a85ef0a7375e9c313064903b92d4c32c7413d84661
• a5b06297d86aee3c261df7415a4fa873f38bd5573523178000d89a8d5fd64b9a
• bd68ecd681b844232f050c21c1ea914590351ef64e889d8ef37ea63bd9e2a2ec
• 4ee7350176014c7fcb8d33a79dcb1076794a2f86e9b2348f2715ca81f011e799
• 7643468adbc1fca4342b7458f0e1dc4ae11c0dde7c06e52fea02c1e057314def
• 6d3259011b9f2abd3b0c3dc5b609ac503392a7d8dea018b78ecd39ec097b3968
• 213.226.114.15
• 144.208.127.245
• 185.217.1.23
• 190.123.44.220

As a result, Ascend Technologies has pushed detections for the known IOCs (IP addresses and file hash values) across our EDR, SIEM, and anti-malware platforms, giving us the ability to detect and alert on them. As is the case with most malware, end users are the target, which makes maintaining a robust security posture highly important, including end-user training to develop safe and secure internet browsing habits.
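As an added example (not part of the advisory and not Ascend's own tooling), the following Python script shows one way to sweep EDR and proxy log lines for the indicators above: it parses the bullet-list format used on this page, matches SHA-256 hashes case-insensitively, validates IPv4 candidates before lookup, and also flags the "Westeast Tech Consulting, Corp." signer name from the MSI. The log lines, host names and field layout are constructed for the demonstration, and the IOC block embeds only a subset of the page's hashes plus all four IP addresses.

```python
"""Sweep log lines for the advisory's IOCs: SHA-256 hashes, IP addresses,
and the MSI signer name. Log lines and field names below are constructed."""
import ipaddress
import re
from dataclasses import dataclass

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Subset of the indicators from the advisory, in the same bullet format.
IOC_TEXT = """
• 72426e6b8ea42012675c07bf9a2895bcd7eae15c82343b4b71aece29d96a7b22
• 6b2428fcf9e3a555a3a29fc5582baa1eda15e555c1c85d7bef7ac981d76b6068
• af534b21a0a0b0c09047e1f3d4f0cdd73fb37f03b745dbb42ffd2340a379dc42
• 213.226.114.15
• 144.208.127.245
• 185.217.1.23
• 190.123.44.220
"""
# Signer of the malicious MSI named in the advisory; matched case-insensitively.
IOC_SIGNER = "westeast tech consulting, corp."


def load_iocs(text):
    """Parse a bullet list of IOCs into (sha256 set, ip set); other lines are ignored."""
    hashes, ips = set(), set()
    for raw in text.splitlines():
        item = raw.strip().lstrip("•-* ").strip()
        if not item:
            continue
        if SHA256_RE.fullmatch(item):
            hashes.add(item.lower())
        else:
            try:
                ips.add(str(ipaddress.ip_address(item)))
            except ValueError:
                pass  # not an indicator type this sweep understands
    return hashes, ips


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based index into the scanned lines
    kind: str      # "sha256", "ip" or "signer"
    value: str


def scan(lines, hashes, ips):
    """Return one Hit per IOC occurrence found in the given log lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for h in SHA256_RE.findall(line):
            if h.lower() in hashes:
                hits.append(Hit(n, "sha256", h.lower()))
        for ip in IPV4_RE.findall(line):
            try:
                ipaddress.ip_address(ip)  # rejects out-of-range octets such as 999.1.1.1
            except ValueError:
                continue
            if ip in ips:
                hits.append(Hit(n, "ip", ip))
        if IOC_SIGNER in line.lower():
            hits.append(Hit(n, "signer", IOC_SIGNER))
    return hits


# Constructed sample telemetry: one hash hit, one IP hit, one signer hit, two benign lines.
SAMPLE_LOGS = [
    'edr host=WS-017 event=file_write path=C:\\Users\\jdoe\\AppData\\Local\\Temp\\main.dll '
    'sha256=72426E6B8EA42012675C07BF9A2895BCD7EAE15C82343B4B71AECE29D96A7B22',
    'proxy host=WS-017 dst=213.226.114.15:443 action=allow',
    'proxy host=WS-022 dst=8.8.8.8:53 action=allow',
    'edr host=WS-022 event=file_write path=C:\\Program Files\\app\\a.dll sha256=' + "0" * 64,
    'edr host=WS-017 event=msi_install signer="Westeast Tech Consulting, Corp." product=update.msi',
]


def sweep_sample():
    """Run the sweep over the constructed sample logs with the embedded IOC subset."""
    hashes, ips = load_iocs(IOC_TEXT)
    return scan(SAMPLE_LOGS, hashes, ips)


if __name__ == "__main__":
    for hit in sweep_sample():
        print(f"line {hit.line_no}: {hit.kind} {hit.value}")
```

In practice the IOC block would be read from a file refreshed as the advisory is updated, and the hits would be forwarded to the SIEM rather than printed; the hash comparison is lowercased on both sides because EDR products differ in the case they emit.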

Author: Evan Obal

Source: https://www.bleepingcomputer.com/news/security/new-phishing-attack-infects-devices-with-cobalt-strike/
Posted Jun 22, 2022 - 14:45 CDT