Windows

Matanbuchus

Matanbuchus is a loader malware sold as malware-as-a-service (MaaS) since 2021. It deploys additional malicious payloads on compromised Windows systems: it can execute executables or DLLs in memory, create or modify scheduled tasks with schtasks.exe, and run custom PowerShell commands.

Key Insights

Because Matanbuchus is MaaS, threat actors can rent it and use it in their own campaigns. Initially priced at $2,500, it was used to distribute Qakbot and Cobalt Strike beacons.

Distribution

The malware is distributed through phishing emails carrying malicious attachments, including Excel documents with embedded macros. Once the user interacts with the attachment, Matanbuchus is deployed and the system is further compromised.

Technical

Matanbuchus uses obfuscation techniques such as API hashing and stack strings to evade detection. It downloads and executes files from remote servers, allowing attackers to load payloads directly into memory without writing them to disk, which minimizes the chance of detection.
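The behaviours described on this page (an Office document that spawns the loader, schtasks.exe used to create or change a task, and custom PowerShell commands) are visible in process-creation telemetry even when the payload itself never touches disk. The following detection logic is an added example, not code from the original page or from any vendor; it runs over constructed, Sysmon-like process-creation events in a simplified `Key=Value|Key=Value` format that is assumed for this example, and flags the parent/child pairings and command-line switches a defender would want to review.

```python
"""Flag process-creation events consistent with the Matanbuchus delivery
chain described above: an Office parent spawning schtasks.exe or
PowerShell, schtasks.exe creating or altering a task, and PowerShell
launched with hidden/encoded/download switches.

Added example; the event format and sample lines are constructed here."""
import re
from typing import Dict, List, Tuple

# Office binaries that should rarely spawn loader-style children directly.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Children the page associates with the loader (plus common LOLBin siblings).
LOADER_CHILDREN = {"schtasks.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}

# schtasks.exe switches that create, change or trigger a scheduled task.
SCHTASKS_MODIFY = re.compile(r"\s/(create|change|run)\b", re.IGNORECASE)
# PowerShell switches commonly paired with downloaded, in-memory payloads.
PS_SUSPICIOUS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring|"
    r"\biex\b|invoke-expression)",
    re.IGNORECASE,
)

# Constructed sample events in the assumed "Key=Value|Key=Value" format.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|Image=C:\\Windows\\System32\\schtasks.exe"
    "|CommandLine=schtasks.exe /create /sc minute /mo 15 /tn OfficeUpdate /tr C:\\Users\\Public\\update.bat",
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\notepad.exe"
    "|CommandLine=notepad.exe C:\\Users\\alice\\notes.txt",
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -w hidden -enc <base64-placeholder>",
    "ParentImage=C:\\Windows\\System32\\svchost.exe"
    "|Image=C:\\Windows\\System32\\schtasks.exe"
    "|CommandLine=schtasks.exe /query /tn OfficeUpdate",
    "ParentImage=C:\\Windows\\System32\\services.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -File C:\\Scripts\\backup.ps1",
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Key=Value|Key=Value' event line into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(evt: Dict[str, str]) -> List[str]:
    """Return the list of reasons an event looks like loader activity (empty if none)."""
    reasons: List[str] = []
    parent = basename(evt.get("ParentImage", ""))
    image = basename(evt.get("Image", ""))
    cmd = evt.get("CommandLine", "")
    if parent in OFFICE_PARENTS and image in LOADER_CHILDREN:
        reasons.append(f"office parent {parent} spawned {image}")
    if image == "schtasks.exe" and SCHTASKS_MODIFY.search(cmd):
        reasons.append("schtasks.exe creating or modifying a task")
    if image == "powershell.exe" and PS_SUSPICIOUS.search(cmd):
        reasons.append("powershell.exe with hidden/encoded/download switches")
    return reasons


def find_suspicious(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (index, reasons) for every event that triggers at least one rule."""
    hits: List[Tuple[int, List[str]]] = []
    for i, line in enumerate(lines):
        reasons = score_event(parse_event(line))
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in find_suspicious(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(why))
```

Events 0 and 2 are flagged (Office parent plus a task-creation or encoded-PowerShell command line); the `schtasks.exe /query` from svchost.exe and the scheduled backup script are not, which keeps the rules focused on the task-modifying and in-memory behaviours the page describes rather than on every use of these binaries.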

Known Variants

There are no known variants of Matanbuchus. This might be because it is MaaS: the core loader stays the same, and different payloads are deployed based on each client's objective.

Mitigation Strategies

  • Educate users to recognize and avoid phishing emails with malicious attachments.

  • Block suspicious attachments and links in email filtering.

  • Deploy advanced endpoint protection to detect and prevent malware execution.

  • Update and patch systems to mitigate vulnerabilities the loader could exploit.

Targeted Industries or Sectors

Matanbuchus has targeted educational institutions (universities and high schools) in the US and high-tech organizations in Belgium. Targeting appears opportunistic, favouring entities that are prone to phishing.

Associated Threat Actors

Matanbuchus is utilized by various threat actors, notably the group known as ShadowSyndicate, which has employed Matanbuchus in its campaigns to deploy additional malicious payloads.
