Where data is home

Matanbuches Malware Resurfaces Via Beliademon Hackers


This article provides an overview of the re-emergence of the Matanbuches malware, facilitated by the BeliaDemon hackers. Priced at $2500 on the dark web, the malware is distributed through a spear-phishing email campaign carrying a deceptive .HTML attachment disguised as a legitimate scanned document. Clicking the attachment drops a zip archive; executing the MSI file inside it displays a fabricated Adobe error message while deploying a malicious DLL. The malicious ZIP also contains a base64-encoded JavaScript file which, when run, leads to the execution of the Matanbuches malware on the victim's system. The MSI installer, which carries a revoked digital signature, masquerades as an Adobe Font Pack configuration; it establishes a connection with a C2 server and downloads the Cobalt Strike Beacon payload for subsequent post-exploitation activity, including the execution of PowerShell scripts, keystroke logging, screenshot capture, file download, and the deployment of additional payloads. Regular updates on cyber threats, including this incident, are published by the Cyber Security News channel, which caters to hackers and security professionals and offers daily cybersecurity newsletters.

Key Takeaways

  • Matanbuches malware is executed through a spear-phishing email campaign with a malicious .HTML attachment that poses as a legitimate scanned copy and uses the OneDrive icon.
  • The malware is delivered through a series of steps, including the dropping of a zip archive file and the execution of an MSI file that shows a fake Adobe error message.
  • The MSI file establishes a connection with a C2 server, downloads the Cobalt Strike Beacon payload, and carries out post-exploitation activities such as executing PowerShell scripts, logging keystrokes, taking screenshots, downloading files, and spawning other payloads.
  • Balaji N, an ex-security researcher at Comodo Cybersecurity and the editor-in-chief of Cyber Security News, provides background information about the malware and its execution process.

Execution Process

The execution chain of the Matanbuches malware begins with a spear-phishing email carrying a malicious .HTML attachment that poses as a legitimate scanned copy. Clicking the attachment drops a zip archive; the MSI file inside it is executed, displays a fake Adobe error message, and drops a malicious DLL. The spear-phishing lure exists to persuade the victim to open the attachment, which is what starts the infection. This underlines the need for caution when handling email attachments, especially those that request sensitive information or otherwise appear suspicious. In addition, the MSI file used in the chain carries a revoked digital signature, which the author notes can hinder malware detection and raise the likelihood of a successful infection. Security controls should therefore account for revoked digital signatures so that such files are detected and blocked rather than trusted.

Contents of Malicious ZIP

Inside the malicious ZIP file there is a base64-encoded JavaScript file named Scan-23112.zip which, when clicked, drops another ZIP file into the victim's Downloads folder. This second ZIP file contains the Matanbuches malware, which is then executed on the victim's system. The following table summarises the analysis of the base64-encoded JavaScript file:

Analysis of the base64-encoded JavaScript file
  Filename:         Scan-23112.zip
  File Type:        JavaScript
  Purpose:          Drops the Matanbuches malware
  Execution Method: Clicking the file

Several mitigations help protect against the Matanbuches malware: educating users about the risks of spear-phishing emails and encouraging caution when opening attachments; deploying robust email filtering to detect and block malicious messages; applying software updates and patches promptly to close vulnerabilities that malware like Matanbuches exploits; and deploying and maintaining antivirus and anti-malware solutions to detect and remove malicious files or activity.

Post-Exploitation Activities

Post-exploitation activities of the Cobalt Strike Beacon include executing PowerShell scripts, logging keystrokes, capturing screenshots, downloading files, and spawning other payloads. Analysis of the Beacon payload shows the range of actions available to the attacker once a system is compromised: PowerShell scripts to run further commands, keystroke logging to capture sensitive information such as login credentials, screenshots to gather visual data, file downloads to bring in additional tooling, and new payloads to extend control over the compromised host. To mitigate these post-exploitation activities, organisations should keep systems updated and patched, deploy robust endpoint protection, run regular security awareness training, and enforce strong access controls together with monitoring that can detect and respond to suspicious activity promptly.

Frequently Asked Questions

How can the Matanbuches malware be delivered to a victim’s system?

The Matanbuches malware can be delivered to a victim’s system through a spear-phishing email campaign. The email contains a malicious .HTML attachment posing as a legitimate scanned document. When clicked, it drops a zip archive file that executes the malware. Preventing Matanbuches malware infections requires caution when opening email attachments and using strong email security measures.

What is the purpose of the revoked digital signature on the MSI file?

The purpose of the revoked digital signature on the MSI file is to deceive the victim into thinking that it is a legitimate Adobe installation file. The implications of the revoked digital signature include bypassing security measures and increasing the chances of successful malware execution.

How does the MSI file create the AdobeFontPack folder and what files are dropped in it?

The MSI file creates the AdobeFontPack folder while it executes behind the fake Adobe error message. It drops two files into the folder, one of which is main.dll, the component that establishes the connection with the C2 server.
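Two of the observable artefacts described above (the revoked signature on the installer, and the AdobeFontPack folder holding main.dll) can be checked from a defender's side. The following PowerShell triage helpers are an added example written for this page, not code from the article or its author; the MSI path is a placeholder supplied by the analyst, and because the article does not say where AdobeFontPack is created, the folder is searched for under a caller-chosen root (defaulting to the user profile).

```powershell
# Added example (not from the original article): triage helpers for a
# suspected installer. Assumptions: the MSI path and the search root are
# supplied by the analyst; the AdobeFontPack\main.dll pairing comes from the
# article, but its on-disk location does not, so the folder is searched for.

function Test-MsiSignature {
    param([Parameter(Mandatory)][string]$Path)

    # Get-AuthenticodeSignature validates the signing chain. A revoked or
    # otherwise untrusted certificate does not produce Status 'Valid', so
    # anything other than 'Valid' is treated as unsigned for trust purposes.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Signer        = if ($cert) { $cert.Subject }    else { '<unsigned>' }
        Thumbprint    = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter      = if ($cert) { $cert.NotAfter }   else { $null }
        # Only a fully valid chain is trusted; a revoked signature fails this.
        Trusted       = ($sig.Status -eq 'Valid')
    }
}

function Find-DroppedFontPack {
    param([string]$Root = $env:USERPROFILE)

    # Locate AdobeFontPack folders under $Root and report whether main.dll,
    # the C2-connecting component named in the article, is present.
    Get-ChildItem -Path $Root -Directory -Recurse -Filter 'AdobeFontPack' `
                  -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dll = Join-Path $_.FullName 'main.dll'
            [pscustomobject]@{
                Folder     = $_.FullName
                HasMainDll = Test-Path -LiteralPath $dll
                Created    = $_.CreationTime
            }
        }
}

# Usage: '.\suspect.msi' is a placeholder path chosen by the analyst.
Test-MsiSignature -Path '.\suspect.msi' | Format-List
Find-DroppedFontPack | Format-Table -AutoSize
```

Any installer whose Trusted field is false, or any AdobeFontPack folder reported with HasMainDll set to true, warrants isolation of the host and review of outbound connections from the time the folder was created.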

What are some of the post-exploitation activities that can be carried out using the Cobalt Strike Beacon payload?

Post-exploitation activities carried out using the Cobalt Strike Beacon payload include executing PowerShell scripts, logging keystrokes, taking screenshots, downloading files, and spawning other payloads. These activities enable the attacker to gather information and maintain persistent access to the compromised system.

What social media platforms can I follow Cyber Security News on?

Cyber Security News can be followed on social media platforms including LinkedIn, Twitter, Facebook, Pinterest, and WhatsApp. Social media plays a significant role in spreading cybersecurity threats, which makes cybersecurity awareness all the more important.
