Matanbuchus Delivering Cobalt Strike Beacons Via Spam Campaigns

VTA-00418 – Matanbuchus Delivering Cobalt Strike Beacons Via Spam Campaigns

Matanbuchus is a Malware-as-a-Service (MaaS) loader engineered to download and execute second-stage executables from command-and-control (C&C) servers on infected systems without detection. The spam emails carrying Matanbuchus come with a ZIP file attachment containing an HTML file that decodes the Base64 content embedded in the file and drops another ZIP file on the system. That archive includes an MSI installer file that displays a fake error message upon execution while stealthily deploying a DLL file (“main.dll”), and also downloads the same library from a remote server (“telemetrysystemcollection[.]com”) as a fallback option.

After dropping the DLL files, the MSI file launches regsvr32.exe and loads the malicious main.dll file, which downloads the actual Matanbuchus malware from the C&C server. Matanbuchus then establishes persistence by means of a scheduled task and downloads two Cobalt Strike Beacons from the C&C servers. By then, the system will have been compromised.
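The chain described above (MSI installer launching regsvr32.exe with a dropped DLL, then a scheduled task for persistence) leaves a distinctive parent/child process pattern. The following detection logic is an added example, not from the advisory: it runs over constructed process-creation events shaped like Sysmon Event ID 1 records (the field names, paths and task name are assumptions) and flags the two stages.

```python
"""Flag the Matanbuchus-style delivery chain in process-creation telemetry.

Added example, not from the advisory. Events mimic Sysmon Event ID 1 fields;
all records below are constructed sample data, not real telemetry.
"""
import re

# Directories where an MSI-dropped DLL typically lands (assumption, not from the page).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)


def classify(event):
    """Return a list of finding strings for one process-creation event."""
    image = event["image"].lower()
    parent = event["parent_image"].lower()
    cmd = event["command_line"]
    findings = []
    # Stage 1: the MSI installer (msiexec.exe) launches regsvr32.exe to load a DLL
    # dropped into a user-writable location (main.dll in the advisory).
    if image.endswith("regsvr32.exe") and parent.endswith("msiexec.exe") and USER_WRITABLE.search(cmd):
        findings.append("msiexec->regsvr32 loading DLL from user-writable path")
    # Stage 2: the regsvr32-hosted loader creates a scheduled task for persistence.
    if image.endswith("schtasks.exe") and parent.endswith("regsvr32.exe") and re.search(r"/create", cmd, re.I):
        findings.append("regsvr32->schtasks /create persistence")
    return findings


def hunt(events):
    """Run classify() over all events; return {pid: findings} for hits only."""
    return {ev["pid"]: f for ev in events if (f := classify(ev))}


SAMPLE_EVENTS = [  # constructed sample telemetry
    {"pid": 4120, "image": r"C:\Windows\System32\msiexec.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'msiexec.exe /i "C:\Users\alice\Downloads\invoice.msi"'},
    {"pid": 4188, "image": r"C:\Windows\System32\regsvr32.exe", "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\main.dll"'},
    {"pid": 4210, "image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'schtasks.exe /create /sc minute /mo 15 /tn "Updater" /tr "regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\main.dll"'},
    # Benign installer registering a DLL under Program Files: should not fire.
    {"pid": 5000, "image": r"C:\Windows\System32\regsvr32.exe", "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
]

if __name__ == "__main__":
    for pid, findings in hunt(SAMPLE_EVENTS).items():
        print(pid, findings)
```

Stage 1 alone will also fire on some legitimate installers that stage DLLs in %TEMP%, so correlate it with the scheduled-task stage or with outbound traffic to the C&C domain before escalating.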



Attack Surfaces:
Email, Endpoint

Tactics:
Command and Control, Defense Evasion, Execution, Initial Access, Persistence

Techniques:
Phishing, User Execution, Command and Scripting Interpreter, Scheduled Task/Job, Virtualization/Sandbox Evasion, Remote Services, Application Layer Protocol

Active Defense Tactics:
Detect, Disrupt

Active Defense Techniques:
Baseline, Email Manipulation, Network Manipulation, Network Monitoring, Security Controls

Indicator of Compromise:

SuperPRO’s Threat Countermeasures Procedures: 
1. Add the IOC signatures to the endpoint security protection as custom threat detection rules.
2. Avoid downloading files from unknown websites.
3. Use a reputable anti-virus and internet security software package on all connected devices, including PCs, laptops and mobiles.
4. Refrain from opening untrusted links and email attachments without first verifying their authenticity.
5. Educate employees on protecting themselves from threats such as phishing and untrusted URLs.
6. Monitor for beaconing at the network level to block data exfiltration by malware or threat actors.
7. Enable a Data Loss Prevention (DLP) solution on the employees’ systems.

Contributed by:  Aman
