From a Teams Call to a Ransomware Threat: Matanbuchus 3.0 MaaS Levels Up

Matanbuchus 3.0, a malware loader available as Malware-as-a-Service, has evolved with significant updates. It now employs sophisticated techniques including improved communication protocols, in-memory stealth capabilities, enhanced obfuscation, and support for WQL queries, CMD, and PowerShell reverse shells. The loader collects detailed system data, including information on EDR security controls, to tailor subsequent attacks. It can execute various commands through regsvr32, rundll32, msiexec, or process hollowing. The malware establishes persistence through scheduled tasks and registry modifications. Recent campaigns have targeted victims through external Microsoft Teams calls impersonating IT helpdesks, leading to potential ransomware compromises.

Author: AlienVault

Related Tags:
T1218.010
maas
Matanbuchus
T1059.001
T1059.003
T1518
ransomware
Microsoft Teams
T1078

Associated Indicators:

SHA256:
2EE3A202233625CDCDEC9F687D74271AC0F9CB5877C96CF08CF1AE88087BEC2E
0F41536CD9982A5C1D6993FAC8CD5EB4E7F8304627F2019A17E1AA283AC3F47C
211CEA7A5FE12205FEE4E72837279409ACE663567C5B8C36828A3818AABEF456
DA9585D578F367CD6CD4B0E6821E67FF02EAB731AE78593AB69674F649514872

SHA1:
1FF08496B459903ACAF475AD39D0387E44B4D721
15E5F79A70D9FC6C92931211A09101D892E7CF93
DF8E256D04CA10E52CE21F021F032FD182615F68
6CC7D7E83200F90ED53E01AFC1D0305579EF538E

MD5:
A54FD38B7C6E421A7A0C68E763B69FCB