The Matanbuchus malware loader is currently being distributed through social engineering tactics via Microsoft Teams calls, with attackers impersonating IT helpdesks. This malware-as-a-service operation, first advertised in early 2021, has evolved significantly, demonstrating enhanced evasion and obfuscation techniques.
The latest variant, Matanbuchus 3.0, shows a strong preference for Microsoft Teams as an initial access vector.
Attackers initiate external Teams calls, pose as IT support, and trick users into launching Quick Assist, a legitimate remote support tool. This grants the attacker interactive remote access, enabling them to instruct the user to execute a PowerShell script. This script then downloads and extracts a ZIP archive containing files used to launch the Matanbuchus loader on the device through DLL side-loading.
Morphisec’s analysis highlights several new features in Matanbuchus 3.0, including a switch from RC4 to Salsa20 for command-and-control (C2) communication and string obfuscation. Payloads are now launched directly in memory, and a new anti-sandbox verification routine ensures the malware only runs in specific locales.
These changes aim to make detection and analysis more challenging for security professionals.
A significant enhancement in Matanbuchus 3.0 is its ability to execute syscalls via custom shellcode, bypassing Windows API wrappers and Endpoint Detection and Response (EDR) hooks. This technique helps hide malicious actions that are typically monitored by security tools. Furthermore, API calls are obfuscated using the MurmurHash3 non-cryptographic hash function, making reverse engineering and static analysis considerably more difficult.
Post-infection, Matanbuchus 3.0 exhibits robust capabilities, including the execution of CMD commands, PowerShell scripts, and various payloads such as EXEs, DLLs, MSIs, and shellcode. The malware also gathers critical system details, including username, domain, OS build information, running EDR/AV processes, and the elevation status of its own process. Morphisec emphasizes that the execution methods sent from the C2 server are likely tailored to the victim’s specific security stack, indicating a dynamic and adaptive threat.
Reference:
