Malicious spam campaigns deliver Matanbuchus malware and Cobalt Strike

New phishing attack infects machines and spreads Cobalt Strike on devices


Security reports describe a new malicious spam campaign that spreads malware in order to infect machines with a Cobalt Strike Beacon. The campaign delivers the Matanbuchus loader and then deploys Cobalt Strike on the already compromised machines.[1] Cobalt Strike is commonly used by threat actors for lateral movement and for dropping additional malware payloads.[2]

Matanbuchus is a malware-as-a-service project[3] that has been advertised on dark web forums since 2021. These promotions pushed the malware as a $2,500 loader that runs executables directly in system memory. The commercialized loader is used to download and launch malware such as Qakbot or Cobalt Strike, and it is known to spread via social engineering in the form of malicious documents.

The analysis by Palo Alto researchers[4] listed the operation's infrastructure features and explained extensive parts of the malware campaigns. The malware can launch custom PowerShell commands, use standalone executables to load the payload from DLL files, and maintain persistence by adding scheduled tasks.

Scammers use various lures in malspam campaigns

The threat sample analysis shows how the malspam campaign works and what lures the scammers use to spread their malware. The spammers rely on emails that pretend to reply to previous conversations, so the subject line starts with "Re:". These ongoing campaigns carry ZIP attachments that contain an HTML file, which in turn generates another ZIP archive.

That second archive is how the MSI package gets onto the machine. The MSI is digitally signed with a certificate issued by DigiCert to Westeast Tech Consulting, Corp. Launching the installer shows a fake Adobe Acrobat font catalog update that ends in an error message, distracting the user from the malicious activity running in the background.
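A defender triaging such an attachment can check whether the HTML carries an embedded archive before any browser renders it. The following is an added example, not code from the original report or from the researchers it cites: it assumes the HTML embeds the second ZIP as a base64 blob that page script decodes into a download (a common way for an HTML file to "generate" an archive), decodes every candidate blob, and lists the archive members, flagging installer-like names such as .msi. The sample HTML is constructed for the demonstration.

```python
import base64
import io
import re
import zipfile

# Constructed sample: a tiny ZIP holding a placeholder MSI, embedded in HTML the way
# a smuggling page would do it (base64 string decoded by script into a Blob download).
# The file name is hypothetical and mimics the fake Adobe Acrobat update lure.
def _build_sample_html() -> str:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Adobe_Acrobat_update.msi", b"MSI-PLACEHOLDER")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f'<html><script>var d="{b64}";var b=new Blob([atob(d)]);</script></html>'

SAMPLE_HTML = _build_sample_html()

# Long runs of base64 alphabet are candidate blobs; short ones are ignored as noise.
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
ZIP_MAGIC = b"PK\x03\x04"
# Extensions worth flagging in a smuggled archive (installers, executables, nested archives).
FLAGGED = (".msi", ".exe", ".dll", ".js", ".vbs", ".lnk", ".iso", ".zip")

def find_smuggled_archives(html: str) -> list[dict]:
    """Return one finding per base64 blob in `html` that decodes to a ZIP archive."""
    findings = []
    for m in B64_RE.finditer(html):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # not valid base64 (binascii.Error is a ValueError)
            continue
        if not data.startswith(ZIP_MAGIC):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:  # ZIP magic but truncated or corrupt archive
            continue
        findings.append({
            "offset": m.start(),
            "size": len(data),
            "members": names,
            "flagged": [n for n in names if n.lower().endswith(FLAGGED)],
        })
    return findings

if __name__ == "__main__":
    for f in find_smuggled_archives(SAMPLE_HTML):
        print(f"embedded ZIP at offset {f['offset']} ({f['size']} bytes): {f['flagged']}")
```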

The Matanbuchus payload consists of two DLL files that are dropped into different locations on the machine. The malware also creates scheduled tasks that maintain persistence across reboots. Finally, communication with the command and control server is established. The server is controlled by the hacker group, and from there remote code or commands can be retrieved.[5]

Cobalt Strike loaded from the C2 server

The final stage of the attack loads the Cobalt Strike payload from the command and control server mentioned above. This is how Matanbuchus further exploits the affected machine. The beacon is the second-stage payload in the campaign that was running recently, in the month of May.

The chain starts when the URL in the malicious email is clicked and the malicious files are launched. The ZIP archives get extracted, and further archives repeat the extraction chain until HTTPS traffic retrieving the Matanbuchus DLL is triggered. The DLL files are then executed and C2 traffic begins, after which the command and control server provides the Cobalt Strike payload.

These particular samples have been reported and analyzed. Cobalt Strike is one of many malware strains used in such attacks. It was originally developed by ethical hackers as a security testing tool. However, such cybersecurity tools often fall into the wrong hands and get used in combination with social engineering, unauthorized access tools, network pattern obfuscation, and other sophisticated mechanisms.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst and the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.