
Researchers Warn of 'Matanbuchus' Malware Campaign Dropping Cobalt Strike Beacons
2022-06-27 03:00

A malware-as-a-service dubbed Matanbuchus has been observed spreading through phishing campaigns, ultimately dropping the Cobalt Strike post-exploitation framework on compromised machines.

"If we look historically, BelialDemon has been involved in the development of malware loaders," Unit 42 researchers Jeff White and Kyle Wilhoit noted in a June 2021 report.

The spam emails distributing Matanbuchus come with a ZIP file attachment containing an HTML file that, upon opening, decodes the Base64 content embedded in the file and drops another ZIP file on the system.
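As an added defender-side example (not code from the article, the Cyble report or the campaign), the check below looks for the attachment pattern just described: an HTML file carrying a Base64 blob that decodes to a ZIP archive. The run-length threshold, the signature table and the sample page are assumptions made for the example.

```python
import base64
import io
import re
import zipfile

# A long, unbroken run of Base64 text, the kind an HTML smuggling page embeds
# (assumption: the encoded archive is not split across lines or concatenations).
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Signatures a decoded blob may begin with: the ZIP local file header is the case
# described in the campaign; a PE header is included as a common sibling case.
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe"}


def find_embedded_payloads(html: str) -> list[tuple[str, int]]:
    """Return (kind, decoded_size) for every Base64 run in the HTML whose
    decoded bytes start with a known archive or executable signature."""
    hits = []
    for match in BASE64_RUN.finditer(html):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # bad padding or length: not a decodable blob
            continue
        for magic, kind in MAGIC.items():
            if raw.startswith(magic):
                hits.append((kind, len(raw)))
                break
    return hits


def is_suspicious_html(html: str) -> bool:
    """True when the page carries a Base64-encoded ZIP or PE blob."""
    return bool(find_embedded_payloads(html))


def build_sample_html() -> str:
    """Constructed sample: a page whose script holds a Base64-encoded ZIP,
    mimicking the attachment structure; the decode-and-drop script is omitted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.txt", "constructed sample, not a real payload")
    blob = base64.b64encode(buf.getvalue()).decode()
    return f'<html><body><script>var payload = "{blob}";</script></body></html>'


if __name__ == "__main__":
    print(find_embedded_payloads(build_sample_html()))
```

Run over mail-gateway attachments, a hit is a reason to detonate the file in a sandbox rather than deliver it.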

"The main function of dropped DLL files is to act as a loader and download the actual Matanbuchus DLL from the C&C server," Cyble researchers said, in addition to establishing persistence by means of a scheduled task.

For its part, the Matanbuchus payload establishes a connection to the C&C infrastructure to retrieve next-stage payloads, in this case, two Cobalt Strike Beacons for follow-on activity.

The development comes as researchers from Fortinet FortiGuard Labs disclosed a new variant of a malware loader called IceXLoader that's programmed in Nim and is being marketed for sale on underground forums.

News URL

https://thehackernews.com/2022/06/researchers-warn-of-matanbuchus-malware.html