- Researchers at Morphisec discovered Matanbuchus 3.0 in the wild
- The malware acts as a loader for Cobalt Strike or ransomware
- Victims are contacted via Microsoft Teams and asked to grant remote access
Security researchers warn of an ongoing campaign that uses Microsoft Teams calls to deploy a piece of malware called Matanbuchus 3.0.
According to cybersecurity firm Morphisec, an unidentified hacking group first carefully selects its victims and then reaches out via Microsoft Teams posing as an external IT team.
They try to persuade the victim that there is a problem with their device and that they must grant remote access to resolve it. Because the victims are cherry-picked, the chance of success is higher.
Expensive malware-as-a-service
When access is granted, usually through Quick Assist, the attackers run a PowerShell script that drops Matanbuchus 3.0, a malware loader that can lead to Cobalt Strike or even ransomware.
“Victims are carefully targeted and persuaded to perform a script that triggers the download of an archive,” said Morphisec CTO Michael Gorelik. “This archive contains a renamed Notepad++ updater (GUP), a slightly modified configuration XML file and a malicious side-loaded DLL representing the Matanbuchus loader.”
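As an added illustration that is neither Morphisec's nor the article's code, the heuristic below flags the renamed-updater pattern Gorelik describes in constructed Sysmon-style telemetry: a process whose PE version info still identifies it as Notepad++'s GUP updater but runs from an unexpected path and loads an unsigned DLL from its own directory. The install paths, field names and sample events are assumptions made for the example.

```python
import ntpath
from dataclasses import dataclass

@dataclass
class Event:
    """Minimal stand-in for a Sysmon record (ID 1 process create, ID 7 image load)."""
    event_id: int
    pid: int
    image: str                     # full path of the process executable
    original_file_name: str = ""   # PE version-info OriginalFileName (event 1)
    image_loaded: str = ""         # DLL path (event 7)
    signed: bool = True            # signature status of the loaded DLL (event 7)

# Assumed default install locations of the genuine Notepad++ updater.
TRUSTED_GUP_DIRS = (r"c:\program files\notepad++\updater",
                    r"c:\program files (x86)\notepad++\updater")

def is_renamed_gup(ev: Event) -> bool:
    """True when version info says GUP.exe but the file name or directory differs."""
    if ev.event_id != 1 or ev.original_file_name.lower() != "gup.exe":
        return False
    path = ev.image.lower()
    return not (path.startswith(TRUSTED_GUP_DIRS) and ntpath.basename(path) == "gup.exe")

def detect_gup_sideload(events: list[Event]) -> list[tuple[int, str, str]]:
    """Flag a renamed GUP that loads an unsigned DLL from its own directory."""
    suspects = {e.pid: e for e in events if is_renamed_gup(e)}
    alerts = []
    for e in events:
        if e.event_id != 7 or e.pid not in suspects:
            continue
        exe_dir = ntpath.dirname(suspects[e.pid].image.lower())
        dll_dir = ntpath.dirname(e.image_loaded.lower())
        if exe_dir == dll_dir and not e.signed:
            alerts.append((e.pid, suspects[e.pid].image, e.image_loaded))
    return alerts

# Constructed sample telemetry; paths, names and PIDs are made up for this example.
SAMPLE_EVENTS = [
    Event(1, 100, r"C:\Program Files\Notepad++\updater\GUP.exe", original_file_name="GUP.exe"),
    Event(7, 100, r"C:\Program Files\Notepad++\updater\GUP.exe",
          image_loaded=r"C:\Windows\System32\wininet.dll", signed=True),
    Event(1, 200, r"C:\Users\victim\AppData\Local\Temp\upd\svchelper.exe", original_file_name="GUP.exe"),
    Event(7, 200, r"C:\Users\victim\AppData\Local\Temp\upd\svchelper.exe",
          image_loaded=r"C:\Users\victim\AppData\Local\Temp\upd\netutil.dll", signed=False),
]

if __name__ == "__main__":
    for pid, exe, dll in detect_gup_sideload(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: renamed GUP {exe} side-loaded {dll}")
```

The legitimate updater in the sample produces no alert; only the renamed copy loading an unsigned DLL from its own user-writable directory does.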
This malware was first spotted in 2021, reports The Hacker News, when cybercriminals advertised it on Russian-speaking forums for $2,500. Since then, the malware has evolved to include new features, improved communication, more stealth, CMD and PowerShell support, and more. It also costs more now: the service is priced at $10,000 per month for the HTTPS version and $15,000 for the DNS version.
While the researchers do not identify the attackers, they said that similar social engineering tactics were previously used by a group called Black Basta to deploy ransomware.
Black Basta was once one of the most dangerous ransomware operations in existence, but has since slowly faded away. At the end of February this year, a cybercriminal released chat log files detailing the group’s inner workings.
Via The Hacker News