VTA-00418 – Matanbuchus Delivering Cobalt Strike Beacons Via Spam Campaigns


Matanbuchus is sold as Malware-as-a-Service (MaaS) and is engineered to download and execute second-stage executables from command-and-control (C&C) servers on infected systems without detection. The spam emails carrying Matanbuchus come with a ZIP file attachment containing an HTML file; the HTML file decodes Base64 content embedded in it and drops another ZIP file on the system. This second archive includes an MSI installer that displays a fake error message upon execution while stealthily deploying a DLL file (“main.dll”), and it also downloads the same library from a remote server (“telemetrysystemcollection[.]com”) as a fallback option.

After dropping the DLL files, the MSI file launches regsvr32.exe and loads the malicious main.dll, which downloads the actual Matanbuchus malware from the C&C server. The malware then establishes persistence by means of a scheduled task and downloads two Cobalt Strike Beacons from the C&C servers. By then, the system has been fully compromised.
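The entry point of the chain described above is an HTML attachment that decodes an embedded Base64 blob into a ZIP containing an MSI. The following scanner, written as an added example for this advisory and not code from the original page or from PROVINTELL, shows how a mail gateway or sandbox can check an HTML attachment for that pattern offline: it finds long Base64 runs, decodes them, tests for the ZIP magic, and lists the archive members. The sample attachment is constructed inline (the "MSI" inside it is placeholder bytes), the risky-extension list and the allow/review/block verdicts are assumptions of this example, and the benign control is a data-URI PNG that must not be flagged.

```python
import base64
import io
import re
import zipfile

# Constructed attachment mimicking the described pattern: HTML with a Base64 blob
# that decodes to a ZIP holding an MSI. The MSI content is a placeholder, not a real installer.
def build_sample_html():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.msi", b"PLACEHOLDER-MSI-BYTES")
    blob = base64.b64encode(buf.getvalue()).decode()
    return f"""<html><body><script>
var d = "{blob}";
var b = atob(d); // decode in the browser and hand the bytes over as a download
</script></body></html>"""

# Benign control: a 1x1 PNG embedded as a data URI. It is Base64, but it is not a ZIP.
BENIGN_HTML = (
    '<html><body><img src="data:image/png;base64,'
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=="'
    '></body></html>'
)

# Long runs of Base64 alphabet characters; short tokens (ids, hashes) are ignored.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# Member extensions treated as high risk inside a smuggled archive (assumed list).
RISKY_EXT = (".msi", ".exe", ".dll", ".js", ".vbs", ".lnk", ".iso")


def scan_html(html):
    """Return one finding per Base64 blob that decodes to a ZIP archive."""
    findings = []
    for m in B64_BLOB.finditer(html):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # not valid Base64 after all (bad length or padding)
            continue
        if not data.startswith(b"PK\x03\x04"):  # ZIP local file header magic
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []  # truncated or corrupt archive: still worth a finding
        risky = [n for n in names if n.lower().endswith(RISKY_EXT)]
        findings.append({
            "offset": m.start(),
            "size": len(data),
            "members": names,
            "risky": risky,
        })
    return findings


def verdict(html):
    """Map findings to an action: block on risky members, review on any smuggled ZIP."""
    findings = scan_html(html)
    if any(f["risky"] for f in findings):
        return "block"
    if findings:
        return "review"
    return "allow"


if __name__ == "__main__":
    sample = build_sample_html()
    print(verdict(sample), scan_html(sample))      # block, one finding with invoice.msi
    print(verdict(BENIGN_HTML), scan_html(BENIGN_HTML))  # allow, []
```

Decoding is done with `validate=True` so that a run of letters that merely looks like Base64 is skipped rather than mis-decoded; a real gateway would also unpack the outer ZIP attachment first and apply the same check to every HTML member it contains.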

Severity:
High

PROVINTELL APT Actors

Attack Surfaces:
Email, Endpoint

Tactics:
Command and Control, Defense Evasion, Execution, Initial Access, Persistence

Techniques:
Phishing, User Execution, Command and Scripting Interpreter, Scheduled Task/Job, Virtualization/Sandbox Evasion, Remote Services, Application Layer Protocol

Active Defense Tactics:
Detect, Disrupt

Active Defense Techniques:
Baseline, Email Manipulation, Network Manipulation, Network Monitoring, Security Controls

Indicator of Compromise:
https://otx.alienvault.com/pulse/62b9d344123d207e003d09ec

SuperPRO’s Threat Countermeasures Procedures: 
1. Add the IOC signatures to the endpoint security protection as custom threat detection rules.
2. Avoid downloading files from unknown websites.
3. Use a reputable anti-virus and internet security software package on your connected devices, including PCs, laptops and mobiles.
4. Refrain from opening untrusted links and email attachments without first verifying their authenticity.
5. Educate employees on protecting themselves from threats such as phishing and untrusted URLs.
6. Monitor beaconing at the network level to block data exfiltration by malware or TAs.
7. Enable a Data Loss Prevention (DLP) solution on the employees’ systems.
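Countermeasure 1 asks for custom detection rules on the endpoint. The following detector, added here as an example and not code from the advisory or from PROVINTELL, turns the execution and persistence steps of the chain described above into two rules over process-creation telemetry: regsvr32.exe loading a DLL from a user-writable directory (with a note when msiexec.exe is the parent), and schtasks.exe creating a task whose parent is regsvr32.exe or whose action re-launches regsvr32 against such a DLL. The events are constructed Sysmon-style tuples of (parent image, image, command line); the user name, file paths and task name are hypothetical, and a benign installer registering a DLL from Program Files is included to show the rules do not fire on it.

```python
import re

# Constructed process-creation events (parent image, image, command line),
# modelled on the chain in the advisory. User, paths and task name are hypothetical.
SAMPLE_EVENTS = [
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\msiexec.exe",
     'msiexec.exe /i "C:\\Users\\alice\\Downloads\\invoice.msi"'),
    ("C:\\Windows\\System32\\msiexec.exe",
     "C:\\Windows\\System32\\regsvr32.exe",
     'regsvr32.exe /s "C:\\Users\\alice\\AppData\\Local\\Temp\\main.dll"'),
    ("C:\\Windows\\System32\\regsvr32.exe",
     "C:\\Windows\\System32\\schtasks.exe",
     'schtasks.exe /Create /SC MINUTE /MO 30 /TN "SysUpdate" '
     '/TR "regsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Temp\\main.dll"'),
    # Benign control: a vendor installer registering its own COM DLL from Program Files.
    ("C:\\Windows\\System32\\msiexec.exe",
     "C:\\Windows\\System32\\regsvr32.exe",
     'regsvr32.exe /s "C:\\Program Files\\Vendor\\vendor.dll"'),
]

# Directories an unprivileged user (or an installer running as that user) can write to.
USER_WRITABLE = re.compile(
    r"(\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\"
    r"|\\ProgramData\\|\\Windows\\Temp\\)",
    re.IGNORECASE,
)
# First .dll path on a command line, quoted (may contain spaces) or bare.
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)
# Action string given to schtasks /TR, quoted or bare.
TASK_ACTION = re.compile(r'/TR\s+"?([^"]+)', re.IGNORECASE)


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def dll_from_cmdline(cmdline):
    m = DLL_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def analyze(events):
    """Return one alert dict per rule match, in event order."""
    alerts = []
    for parent, image, cmdline in events:
        name, parent_name = image_name(image), image_name(parent)
        if name == "regsvr32.exe":
            dll = dll_from_cmdline(cmdline)
            # Rule 1: regsvr32 registering a DLL from a user-writable location.
            if dll and USER_WRITABLE.search(dll):
                alerts.append({
                    "rule": "regsvr32_dll_user_writable",
                    "parent": parent_name,
                    "dll": dll,
                    "note": "MSI-spawned" if parent_name == "msiexec.exe" else "",
                })
        elif name == "schtasks.exe" and re.search(r"/create\b", cmdline, re.I):
            m = TASK_ACTION.search(cmdline)
            action = m.group(1) if m else ""
            # Rule 2: task created by regsvr32, or whose action re-runs regsvr32
            # against a DLL in a user-writable directory.
            if parent_name == "regsvr32.exe" or (
                "regsvr32" in action.lower() and USER_WRITABLE.search(action)
            ):
                alerts.append({
                    "rule": "schtasks_persistence_regsvr32",
                    "parent": parent_name,
                    "action": action,
                })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The two rules are deliberately independent so that each fires on its own event, but correlating them on the same host within a short window (the page describes them as consecutive steps) gives a much higher-confidence signal than either alone, and the network-level beacon monitoring in countermeasure 6 is the natural third leg of that correlation.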

Contributed by:  Aman
