General News Jul 13, 2022

Overpriced Malware Resurfaces on the Dark Web via the Belial Demon Threat Actor


Malware sold on the dark web under a Malware-as-a-Service (MaaS) model has resurfaced in a spear-phishing campaign that delivers it through malicious email attachments.

The malware is attributed to the threat actor Belial Demon. According to the available information, this cybercriminal operates from a Russian-language cybercrime underground forum and marketplace. The malware is sold for about $2,500 and is used to infect individuals and organizations around the world, including large universities, schools, and technology companies.

The Matanbuchus loader has been observed in spam messages carrying a malicious .HTML attachment. The attachment is written in HTML and JavaScript and contains an embedded base64-encoded payload.

Once it is running on the victim's machine, the loader downloads additional components from its C2 servers, including the well-known Cobalt Strike Beacon payload.

Matanbuchus Malware Infection Chain

The chain starts with an email carrying the malicious attachment. To make the message look legitimate, the attackers present the attachment as a scanned document and decorate it with the OneDrive icon.

Analysts from CYFIRMA reported that "the email contains a malicious attachment in .HTML format having embedded base64 which on execution drops a zip file. Upon clicking the HTML attachment, it drops a zip archive file and this zip file contains an MSI file. On executing the MSI file, it shows the fake Adobe error message to the user while dropping the malicious dll file in the background." In other words, the JavaScript inside the HTML attachment decodes the embedded base64 data and writes out a ZIP archive named Scan-23112.zip. Opening the contents of that archive drops the next stage and ultimately executes the Matanbuchus loader on the victim's system.

The ZIP archive contains an MSI installer. The installer carries a digital signature that has since been revoked.

When the MSI runs, it poses as an Adobe Font Pack installer and displays a fake error message.

In the background, however, the MSI creates AdobeFontPack and drops two files.

Finally, once the MSI has written main.dll, the DLL connects to the C2 server and fetches a further payload, a Cobalt Strike Beacon. The Beacon can execute PowerShell scripts, log keystrokes, take screenshots, download files, and spawn other payloads.
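The first stage of the chain described above, an HTML attachment whose JavaScript decodes an embedded base64 blob and saves it as a ZIP archive, is a technique commonly called HTML smuggling, and it can be caught statically without running the JavaScript. The following Python is an added example written for this article, not code from CYFIRMA or from the malware: it builds a constructed HTML attachment of that shape (the embedded archive holds a placeholder file named Scan-23112.msi, not a real installer), then scans the HTML for long base64 runs, decodes each one, checks for the ZIP magic bytes, lists the archive members, and flags executable content such as .msi files. The base64 length threshold, the extension list, and the verdict strings are assumptions chosen for the example.

```python
import base64
import binascii
import io
import re
import zipfile

# Constructed sample attachment. The archive member and the JavaScript are
# placeholders built here for the example; they are not taken from the real campaign.
def build_sample_attachment() -> str:
    """Return an HTML page that smuggles a base64-encoded ZIP holding an .msi placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Incompressible placeholder bytes so the archive is comfortably long.
        zf.writestr("Scan-23112.msi", bytes(range(256)) * 2)
    b64 = base64.b64encode(buf.getvalue()).decode()
    return (
        "<html><body><img src='onedrive.png'><p>Scanned document</p>"
        "<script>"
        f"var p='{b64}';"
        "var b=atob(p);var a=new Uint8Array(b.length);"
        "for(var i=0;i<b.length;i++){a[i]=b.charCodeAt(i);}"
        "var f=new Blob([a],{type:'application/zip'});"
        "var l=document.createElement('a');l.href=URL.createObjectURL(f);"
        "l.download='Scan-23112.zip';l.click();"
        "</script></body></html>"
    )

# A run of base64 alphabet characters long enough to be a payload rather than a token.
# 100 characters is an assumed threshold; anything shorter cannot hold a ZIP anyway.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")
ZIP_MAGIC = b"PK\x03\x04"
# Assumed list of member extensions worth flagging inside a smuggled archive.
SUSPICIOUS_EXT = (".msi", ".exe", ".dll", ".js", ".vbs", ".lnk", ".iso", ".img")
# JavaScript building blocks typical of HTML smuggling; reported as indicators only.
SMUGGLING_MARKERS = ("atob(", "new Blob(", "createObjectURL(", ".download=", "msSaveOrOpenBlob(")

def extract_smuggled_payloads(html: str) -> list:
    """Decode every long base64 run in the HTML and keep those that decode to a ZIP.

    Each finding records where the blob sat in the HTML, the decoded size,
    the archive member names, and the members with a suspicious extension.
    """
    findings = []
    for m in B64_BLOB.finditer(html):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # long run of base64-looking characters that is not valid base64
        if not raw.startswith(ZIP_MAGIC):
            continue  # decoded to something other than a ZIP archive
        try:
            with zipfile.ZipFile(io.BytesIO(raw)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            members = []  # magic matched but the archive is truncated or corrupt
        flagged = [n for n in members if n.lower().endswith(SUSPICIOUS_EXT)]
        findings.append({
            "offset": m.start(),
            "size": len(raw),
            "members": members,
            "flagged": flagged,
        })
    return findings

def smuggling_markers(html: str) -> list:
    """Return the JavaScript indicators present in the page, for the analyst's report."""
    return [marker for marker in SMUGGLING_MARKERS if marker in html]

def verdict(html: str) -> str:
    """Classify an HTML attachment from the static findings alone."""
    findings = extract_smuggled_payloads(html)
    if any(f["flagged"] for f in findings):
        return "malicious: smuggled archive contains executable content"
    if findings:
        return "suspicious: smuggled archive"
    if smuggling_markers(html):
        return "suspicious: smuggling JavaScript without a decodable payload"
    return "clean"

if __name__ == "__main__":
    sample = build_sample_attachment()
    for finding in extract_smuggled_payloads(sample):
        print(finding)
    print(smuggling_markers(sample))
    print(verdict(sample))
```

The check is deliberately static: it never executes the attachment's JavaScript. The trade-off is that it only sees a payload stored as one contiguous base64 string; a variant that splits, reverses, or XOR-wraps the blob before calling atob() will not decode here and will at best be reported as "suspicious" on the strength of the JavaScript markers alone. Validating the MSI's Authenticode signature and its revocation status, as the revoked signature in this campaign suggests, is a separate step on the extracted member and is not covered by this example.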

