Matanbuchus first surfaced in early 2021 as a malware-as-a-service (MaaS) project renting for $2,500. Matanbuchus is a loader that uses two DLLs during the malware’s run cycle. This year the malware has been delivered in phishing attacks aimed at deploying Cobalt Strike beacons.
To detect Matanbuchus efficiently, use the set of Sigma rules below, developed by Sittikorn Sangrattanapitak and Emir Erdogan, members of the SOC Prime Threat Bounty Program, to track the related suspicious activity in your environment in a timely manner:
These detections can be used across 23+ SIEM, EDR & XDR platforms, aligned with the MITRE ATT&CK® framework v.10, addressing the Defense Evasion and Execution tactics with Signed Binary Proxy Execution (T1218) and Scheduled Task/Job (T1053) as the primary techniques.
Follow the updates of detection content related to Matanbuchus malware in the Threat Detection Marketplace repository of the SOC Prime Platform by hitting the Detect & Hunt button. SOC Prime’s detection content library is constantly updated with new content, empowered by the collaborative cyber defense approach and enabled by the Follow the Sun (FTS) model to ensure timely delivery of detections for critical threats. Striving to keep up with the latest trends shaping the current cyber threat landscape and to dive into relevant threat context? Try out SOC Prime’s Search Engine! Press the Explore Threat Context button to instantly navigate the pool of top threats and newly released Sigma rules, exploring relevant contextual information in a single place.
Palo Alto Networks’ researchers released an investigation describing the Matanbuchus loader in summer 2021, identifying its features as follows: the ability to launch .dll and .exe files and custom PowerShell commands, the abuse of schtasks.exe, and standalone executables.
The elaborate MaaS project resurfaced this year, distributing the malware via a malspam campaign that lures victims into responding to fake, already-started email conversations with ‘Re:’ in the subject line. The emails include a ZIP file containing an HTML file that creates an additional ZIP archive, which in turn extracts an MSI package digitally signed with a legitimate DigiCert certificate issued to “Westeast Tech Consulting, Corp.” This malspam attack delivers the Matanbuchus malware.
Once on the system, the Matanbuchus loader deploys Cobalt Strike beacons on the compromised host. Qakbot deployments have been observed as well.
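The two techniques named above (Signed Binary Proxy Execution, T1218, and Scheduled Task/Job, T1053) can be turned into simple process-creation detection logic. The following is an added example written for this page, not one of the SOC Prime Sigma rules and not code from the Matanbuchus or Palo Alto Networks research. It assumes Sysmon Event ID 1 / Windows 4688 style fields (image, command line, parent image), treats a schtasks.exe task registration that points at rundll32/regsvr32/msiexec or at a user-writable directory as the T1053 signal, and treats those signed binaries loading from a user-writable path (or being spawned by msiexec.exe, matching the MSI delivery described above) as the T1218 signal. The sub-technique IDs, the directory list and all sample events are constructed for illustration and would need tuning before use in production.

```python
"""Heuristic detection for schtasks.exe abuse (T1053.005) and signed-binary
proxy execution (T1218.*) over process-creation events.

Added example: not SOC Prime's Sigma rules; sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Signed Windows binaries the loader is reported to abuse, mapped to the
# ATT&CK sub-technique each one corresponds to.
PROXY_BINARIES = {
    "rundll32.exe": "T1218.011",
    "regsvr32.exe": "T1218.010",
    "msiexec.exe": "T1218.007",
}
SCHEDULED_TASK = "T1053.005"

# Directories an unprivileged user can write to. A signed system binary
# loading a payload from one of these is the suspicious part, not the binary
# itself. This list is an assumption and should be tuned per environment.
USER_WRITABLE = re.compile(
    r"\\(appdata|users\\public|programdata|downloads|temp|tmp)\\", re.IGNORECASE
)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon EID 1 / Security 4688 style)."""
    image: str
    command_line: str
    parent_image: str


def image_name(path: str) -> str:
    """Lower-cased file name of a (possibly quoted) Windows path."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def task_action(command_line: str) -> str:
    """Return the /tr (task run) argument of a schtasks command line, or ''."""
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', command_line, re.IGNORECASE)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def detect(event: ProcessEvent) -> List[str]:
    """Return the list of ATT&CK IDs this single event matches."""
    findings: List[str] = []
    name = image_name(event.image)
    cmd = event.command_line

    # T1053.005: schtasks registering a task whose action is a proxy binary
    # or anything living in a user-writable directory.
    if name == "schtasks.exe" and re.search(r"/create\b", cmd, re.IGNORECASE):
        action = task_action(cmd)
        launcher = image_name(action.split(" ", 1)[0]) if action else ""
        if launcher in PROXY_BINARIES or USER_WRITABLE.search(action):
            findings.append(SCHEDULED_TASK)

    # T1218.*: a signed proxy binary loading from a user-writable path, or
    # rundll32/regsvr32 spawned by msiexec (MSI-package delivery chain).
    if name in PROXY_BINARIES:
        spawned_by_installer = (
            name != "msiexec.exe" and image_name(event.parent_image) == "msiexec.exe"
        )
        if USER_WRITABLE.search(cmd) or spawned_by_installer:
            findings.append(PROXY_BINARIES[name])
    return findings


def scan(events: List[ProcessEvent]) -> List[Tuple[int, List[str]]]:
    """Run detect() over a batch; return (index, findings) for hits only."""
    hits = []
    for i, e in enumerate(events):
        f = detect(e)
        if f:
            hits.append((i, f))
    return hits


# Constructed sample telemetry (not real IoCs): two benign, four suspicious.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /create /tn "SystemUpdate" /tr "rundll32.exe C:\Users\alice\AppData\Roaming\update.dll,Start" /sc minute /mo 15',
                 r"C:\Windows\System32\regsvr32.exe"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\alice\AppData\Roaming\update.dll,Start",
                 r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s C:\Windows\System32\vbscript.dll",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r"schtasks.exe /query /tn SystemUpdate",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s C:\Users\Public\helper.dll",
                 r"C:\Windows\System32\msiexec.exe"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r"msiexec.exe /i C:\Users\alice\Downloads\setup.msi /qn",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for index, ids in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(ids)}  <- {SAMPLE_EVENTS[index].command_line}")
```

In a real deployment the same two conditions would be expressed as Sigma `process_creation` rules and tuned against the environment's baseline (legitimate installers that schedule rundll32 tasks, or MSI packages that register COM DLLs via regsvr32, are the usual false positives), but the Python form makes the matching logic easy to unit-test before it is converted.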
Never skip a beat in the fast-paced environment of cybersecurity risks, and get the best mitigation solutions with SOC Prime: join the Detection as Code platform to unlock access to the world’s largest detection content pool, created by reputable field experts.