The Matanbuchus loader, sold on the cybercrime underground as Malware-as-a-Service (MaaS), has resurfaced in a spear-phishing campaign that delivers it through malicious e-mail attachments.
The malware is attributed to a threat actor known as BelialDemon, who, according to the available information, advertises it on a Russian-language cybercrime forum and marketplace. The loader is rented for about $2,500 and has been used against individuals and organizations around the world, including large universities, schools, and technology organizations.
Once it is running on the victim's machine, it fetches additional components from its command-and-control (C2) servers, including the well-known Cobalt Strike Beacon payload.
Matanbuchus Malware Infection Chain
The chain starts with an e-mail carrying the malicious attachment. To make the message look legitimate, the attackers present the attachment as a scanned document and dress it up with a OneDrive icon.
The attachment is a ZIP archive that contains an MSI installer. The installer carries a digital signature that has since been revoked: it would have validated while the campaign was live, which is why a check that only asks "is this signed?" is not enough and revocation status must be verified as well.
When the MSI runs, it poses as an Adobe Font Pack installer and shows the user a fake error message.
Meanwhile, in the background, the installer creates an AdobeFontPack directory and drops two files into it.
Finally, once the MSI has retrieved main.dll, the malware connects to the C2 server and pulls down a further payload, a Cobalt Strike Beacon. The beacon can execute PowerShell scripts, log keystrokes, take screenshots, download files, and spawn additional payloads.
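The first link in this chain, a ZIP attachment that hides an MSI installer behind a "scanned document" disguise, is the easiest place to break it at a mail gateway. The following Python script is an added example written for this page, not code from the original article or from any vendor; it classifies archive members by their content signature (an MSI package is an OLE Compound File Binary container, a DLL or EXE starts with the PE "MZ" header) rather than trusting the file name, and flags binary content that carries a document-style name. The sample ZIP it builds is constructed in memory from header bytes only and is not a real Matanbuchus attachment; the member names and the extension lists are assumptions chosen for illustration.

```python
"""Triage a ZIP e-mail attachment for an embedded MSI package or PE executable,
judging members by content rather than by name. Example code added for this
page; the sample archive is constructed in memory and is not a real attachment."""
import io
import zipfile

# Content signatures. An MSI package is an OLE Compound File Binary (CFB)
# container, so it shares its header with legacy Office documents (.doc/.xls).
OLE_CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
PE_MAGIC = b"MZ"

# Assumed policy lists: extensions a "scanned document" archive should never carry,
# and extensions that a binary container would be hiding behind.
EXECUTABLE_EXTS = {".msi", ".exe", ".dll", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".img"}
DOCUMENT_EXTS = {".pdf", ".jpg", ".jpeg", ".png", ".txt"}


def classify_member(name: str, head: bytes) -> list:
    """Findings for one archive member, judged by content first and name second."""
    findings = []
    lower = name.lower()
    ext = lower[lower.rfind("."):] if "." in lower else ""
    is_cfb = head.startswith(OLE_CFB_MAGIC)
    is_pe = head.startswith(PE_MAGIC)

    if is_cfb:
        findings.append("content:ole-cfb (MSI package or legacy Office file)")
    if is_pe:
        findings.append("content:pe (EXE/DLL)")
    if ext in EXECUTABLE_EXTS:
        findings.append("name:executable-extension %s" % ext)
    # A document extension on a binary container is the disguise to look for.
    if (is_cfb or is_pe) and ext in DOCUMENT_EXTS:
        findings.append("mismatch:binary-content-with-document-name")
    # Double extensions (scan.pdf.msi) hide the real type in mail clients.
    if lower.count(".") >= 2:
        findings.append("name:double-extension")
    return findings


def triage_zip(zip_bytes: bytes) -> dict:
    """Map each member of the ZIP to its findings; an empty list means nothing noted."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(16)  # magic bytes only; never extract members to disk
            report[info.filename] = classify_member(info.filename, head)
    return report


def verdict(report: dict) -> str:
    """'block' if any member is an executable container or a disguised binary, else 'allow'."""
    for findings in report.values():
        if any(f.startswith(("content:", "mismatch:")) for f in findings):
            return "block"
    return "allow"


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP posing as a scanned document that really holds an
    MSI-shaped member and a PE renamed to .pdf. Header bytes only; not malware."""
    fake_msi = OLE_CFB_MAGIC + b"\x00" * 504  # one CFB header sector, no streams
    fake_pe = PE_MAGIC + b"\x90" * 62         # start of a DOS stub, no code
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Scan_OneDrive_Document.msi", fake_msi)
        zf.writestr("invoice.pdf", fake_pe)  # PE disguised as a PDF
        zf.writestr("readme.txt", b"Please see attached scan.\n")
    return buf.getvalue()


if __name__ == "__main__":
    rep = triage_zip(build_sample_zip())
    for member, findings in rep.items():
        print(member, "->", findings or ["no findings"])
    print("verdict:", verdict(rep))
```

Reading only the first 16 bytes of each member keeps the check cheap and avoids writing attacker-controlled content to disk; the verdict deliberately ignores the name-only findings so that a harmless `.txt` with two dots is not blocked, while any OLE/PE content, whatever it is called, is.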