Matanbuchus Malware Detection: New Malspam Campaign Distributes Malware Loader and Cobalt Strike

Matanbuchus Loader

Matanbuchus first surfaced in early 2021 as a malware-as-a-service (MaaS) project at a rental price of $2,500. Matanbuchus is a loader that uses two DLLs during the malware’s run cycle. This year the malware is delivered in phishing attacks aimed at deploying Cobalt Strike beacons.

Detect Matanbuchus Malware

For efficient Matanbuchus malware detection, use the Sigma rules below, developed by Sittikorn Sangrattanapitak and Emir Erdogan, members of the SOC Prime Threat Bounty Program, to promptly track related suspicious activity in your environment:

Matanbuchus Malware Detection via process_creation

Possible Matanbuchus Malware-as-a-Service Detection by Task Creation (via process creation)

These detections can be used across 23+ SIEM, EDR & XDR platforms, aligned with the MITRE ATT&CK® framework v.10, addressing the Defense Evasion and Execution tactics with Signed Binary Proxy Execution (T1218) and Scheduled Task/Job (T1053) as the primary techniques.
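As an added illustration that is not SOC Prime's rule content and not code from the original post, the following Python sketch applies the two detection ideas above, scheduled-task creation through schtasks.exe (T1053) and signed-binary proxy execution of a DLL (T1218), to constructed process_creation events; the Sysmon-style field names, the proxy-binary list and the suspicious-directory list are assumptions.

```python
import re

# Signed Microsoft binaries commonly abused to run attacker DLLs (assumed list).
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe"}
# User-writable locations a dropped loader DLL is likely to live in (assumed).
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")

def _image_name(event):
    return event.get("Image", "").lower().rsplit("\\", 1)[-1]

def _tokens(cmdline):
    # Keep quoted arguments (e.g. the /tr task action) as single tokens.
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def is_task_creation(event):
    """T1053: schtasks.exe /create whose /tr action runs a DLL via a proxy binary."""
    if _image_name(event) != "schtasks.exe":
        return False
    toks = _tokens(event.get("CommandLine", ""))
    if "/create" not in toks or "/tr" not in toks:
        return False
    idx = toks.index("/tr")
    if idx + 1 >= len(toks):
        return False
    action = toks[idx + 1]
    return ".dll" in action and any(b in action for b in PROXY_BINARIES)

def is_proxy_dll_exec(event):
    """T1218: a proxy binary loading a DLL from a user-writable directory."""
    if _image_name(event) not in PROXY_BINARIES:
        return False
    cmd = event.get("CommandLine", "").lower()
    return ".dll" in cmd and any(d in cmd for d in SUSPICIOUS_DIRS)

RULES = (("task_creation", is_task_creation), ("proxy_dll_exec", is_proxy_dll_exec))

def scan(events):
    """Return (event index, rule name) for every match; an event may hit several rules."""
    return [(i, name) for i, ev in enumerate(events) for name, fn in RULES if fn(ev)]

# Constructed sample process_creation events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Updater" /sc minute /mo 15 '
                    r'/tr "rundll32.exe C:\Users\u\AppData\Local\lib.dll,Start"'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\u\AppData\Local\Temp\lib.dll,Start"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "CommandLine": "schtasks.exe /query"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]
```

Running `scan(EVENTS)` flags the first two events and leaves the benign `schtasks /query` and the System32 DLL untouched; a production rule would add parent-process and signer context to cut false positives further.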

Adepts at cybersecurity are more than welcome to join the Threat Bounty Program to share their Sigma rules with the community and get recurrent rewards.

Follow updates to detection content related to Matanbuchus malware in the Threat Detection Marketplace repository of the SOC Prime Platform by hitting the Detect & Hunt button. SOC Prime’s detection content library is constantly updated with new content, empowered by the collaborative cyber defense approach and enabled by the Follow the Sun (FTS) model to ensure timely delivery of detections for critical threats. Striving to keep up with the latest trends shaping the current cyber threat landscape and to dive into relevant threat context? Try out SOC Prime’s Search Engine! Press the Explore Threat Context button to instantly navigate the pool of top threats and newly released Sigma rules, exploring relevant contextual information in a single place.


Matanbuchus Malspam Campaign

Palo Alto Networks’ researchers published an investigation of the Matanbuchus loader in summer 2021, describing its features as follows: the ability to launch .dll and .exe files and custom PowerShell commands, the abuse of schtasks.exe, and standalone executables.

The elaborate MaaS project resurfaced this year, distributing the malware via a malspam campaign that lures victims into reacting to fake pre-existing email conversations marked with ‘Re:’ in the subject line. The emails include a ZIP file containing an HTML file, which in turn creates a second ZIP archive. From that archive an MSI package is extracted, digitally signed with a legitimate DigiCert certificate issued to “Westeast Tech Consulting, Corp.” This malspam attack delivers the Matanbuchus malware.

Once on the system, the Matanbuchus loader deploys Cobalt Strike beacons on the compromised host. Qakbot deployments have been observed in some instances as well.

Never skip a beat in the fast-paced environment of cybersecurity risks and get the best mitigation solutions with SOC Prime. Join the Detection as Code platform to unlock access to the world’s largest detection content pool created by reputable field experts.
