- Researchers from Morphisec spotted Matanbuchus 3.0 in the wild
- The malware serves as a loader for Cobalt Strike or ransomware
- The victims are approached via Teams and asked for remote acccess
Security researchers are warning about an ongoing campaign leveraging Microsoft Teams calls to deploy a piece of malware called Matanbuchus 3.0.
As per cybersec outfit Morphisec, an unidentified hacking group first carefully picks its victims, and then reaches out via Microsoft Teams, posing as an external IT team.
They try to persuade the victim that they have a problem with their device and that they need to grant remote access in order to fix the issue. Since the victims are cherry-picked, there is a higher chance of success.
Expensive malware-as-a-service
Once the access is granted, usually through Quick Assist, the attackers execute a PowerShell script that deploys Matanbuchus 3.0, a malware loader that can lead to Cobalt Strike beacons, or even ransomware.
“Victims are carefully targeted and persuaded to execute a script that triggers the download of an archive,” Morphisec CTO Michael Gorelik said. “This archive contains a renamed Notepad++ updater (GUP), a slightly modified configuration XML file, and a malicious side-loaded DLL representing the Matanbuchus loader.”
This malware was first spotted in 2021, The Hacker News reports, where cybercriminals advertised it on Russian-speaking forums for $2,500. Since then, the malware has evolved to include new features, better communication, more stealth, CMD and PowerShell support, and more. It also apparently costs more, now having a monthly service price of $10,000 for the HTTPS version and $15,000 for the DNS version.
While the researchers do not identify the attackers, they did say that similar social engineering tactics were used in the past by a group called Black Basta to deploy ransomware.
In the past, Black Basta was one of the most dangerous ransomware operations in existence, but has since then slowly phased out. In late February this year, a cybercriminal released chat logs that detailed the inner workings of the group.
Via The Hacker News
