Malware-as-a-service (MaaS) dubbed Matanbuchus was observed spreading through phishing campaigns, eventually dropping the Cobalt Strike post-exploitation framework on compromised machines.
Matanbuchus, like other malware loaders such as BazarLoader, Bumblebee, and Colibri, is designed to download and run second-stage executables from command and control (C&C) servers onto infected systems without detection.
Available on Russian-speaking cybercrime forums for $2,500 since February 2021, the malware is equipped with capabilities to launch .EXE and .DLL files in memory and execute arbitrary PowerShell commands.
The findings, published by threat intelligence firm Cyble last week, document the latest chain of infections associated with the loader, which is linked to a threat actor calling itself BelialDemon.
“If we look historically, BelialDemon has been involved in the development of malware loaders,” Unit 42 researchers Jeff White and Kyle Wilhoit noted in a June 2021 report. “BelialDemon is considered the primary developer of TriumphLoader, a loader already published on several forums, and which has experience in selling this type of malware.”
Spam emails distributing Matanbuchus come with a ZIP file attachment containing an HTML file which, when opened, decodes the Base64 content embedded in the file and drops another ZIP file on the system.
The archive file, in turn, includes an MSI installer file that displays a fake error message while it runs, stealthily deploying a DLL (“main.dll”) and also downloading the same library from a remote server (“telemetrysystemcollection[.]com”) as a fallback option.
“The main function of deleted DLL files (“main.dll”) is to act as a loader and download the actual Matanbuchus DLL from the C&C server,” Cyble researchers said, in addition to establishing persistence by means of a scheduled task.
For its part, the Matanbuchus payload establishes a connection to the C&C infrastructure to retrieve the next stage payloads, in this case two Cobalt Strike beacons for tracking activity.
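The first link in the chain above is an HTML attachment that carries a Base64-encoded ZIP inside itself and decodes it locally, so the archive never crosses the network as a downloadable file. A mail gateway or sandbox can still catch this by decoding every long Base64 run in the HTML and checking what the bytes actually are. The following is an added illustration of that check, written for this article and not code from Cyble or any other vendor; the sample attachment is constructed in the script itself (a ZIP holding a filler file named `invoice.msi`, which is not a real installer) and the function names `find_smuggled_archives` and `build_sample_html` are this example's own.

```python
import base64
import io
import re
import zipfile
from typing import Optional

# Magic bytes of container/executable formats worth flagging when they turn up
# Base64-encoded inside an HTML attachment.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-compound (e.g. MSI)",
    b"MZ": "pe-executable",
}

# A run of at least 64 Base64 characters, optionally padded.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def identify(blob: bytes) -> Optional[str]:
    """Return the format name if the decoded bytes start with a known magic."""
    for magic, name in MAGIC.items():
        if blob.startswith(magic):
            return name
    return None


def zip_members(blob: bytes) -> list:
    """List the file names inside a ZIP blob without extracting anything."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def find_smuggled_archives(html: str) -> list:
    """Decode every long Base64 run in the HTML and report those that are
    archives or executables. Runs that decode to something else are ignored,
    so long hashes or minified-script tokens do not produce false hits."""
    findings = []
    for m in BASE64_RUN.finditer(html):
        run = m.group(0)
        run += "=" * (-len(run) % 4)  # tolerate unpadded encodings
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        kind = identify(decoded)
        if kind is None:
            continue
        finding = {"offset": m.start(), "kind": kind, "size": len(decoded)}
        if kind == "zip":
            finding["members"] = zip_members(decoded)
        findings.append(finding)
    return findings


def build_sample_html() -> str:
    """Constructed sample attachment (not a real sample): a ZIP containing a
    filler 'invoice.msi' is Base64-encoded into a <script> variable, the way
    the attachment described in the article carries its inner archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.msi", b"FILLER-NOT-A-REAL-INSTALLER " * 8)
    b64 = base64.b64encode(buf.getvalue()).decode()
    return (
        "<html><body><p>Your invoice is being prepared...</p>\n"
        f'<script>var payload = "{b64}";</script>\n'
        "</body></html>"
    )


if __name__ == "__main__":
    for hit in find_smuggled_archives(build_sample_html()):
        print(hit)
```

Running the script reports one finding of kind `zip` whose member list is `['invoice.msi']`; a detection rule built on this would escalate any HTML attachment whose decoded payload is an archive or executable, regardless of how the decoding JavaScript is written or obfuscated, because the check keys on the decoded bytes rather than on the script.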
The development comes as Fortinet FortiGuard Labs researchers unveiled a new variant of a malware loader called IceXLoader, programmed in Nim and marketed on underground forums.
With capabilities to evade antivirus software, phishing attacks involving IceXLoader have paved the way for DarkCrystal RAT (aka DCRat) and rogue cryptocurrency miners on hacked Windows hosts.
“This need to evade security products could be a reason developers chose to switch from AutoIt to Nim for IceXLoader version 3,” the researchers said. “Since Nim is a relatively rare language for writing applications, threat actors take advantage of the lack of focus on this area in terms of analysis and detection.”