The Matanbuchus malware loader has been seen being distributed through social engineering over Microsoft Teams calls in which the attackers impersonate an IT help desk.
Matanbuchus is a malware-as-a-service operation first seen promoted on the dark web in early 2021. It was advertised as a $2,500 Windows loader that executes malicious payloads directly in memory to evade detection.
In June 2022, threat analyst Brad Duncan reported that the malware loader was being used to deliver Cobalt Strike beacons in a large-scale malspam campaign.
Researchers at endpoint threat prevention company Morphisec found that the latest analyzed version of Matanbuchus includes enhanced evasion, obfuscation, and post-compromise capabilities.
Microsoft Teams abuse
Microsoft Teams has been abused in recent years to breach organizations, with social engineering used to deliver the first-stage malware.
Typically, attackers infiltrate the chat and trick users into downloading a malicious file that then introduces the initial payload onto the system.
In 2023, a researcher created a specialized tool that exploited bugs in the software to allow malware delivery from external accounts.
Last year, DarkGate malware operators abused Microsoft Teams to deliver their loader onto targets who used lax ‘External Access’ settings.
According to Morphisec, operators of the latest Matanbuchus variant, 3.0, also show a preference for Microsoft Teams for initial access.