A malware loader known as Matanbuchus is currently being distributed through phishing campaigns. Security researchers report that, once a device is compromised, the malware drops a Cobalt Strike payload on it.
 

What is Cobalt Strike?

  • Cobalt Strike is a commercial adversary-simulation tool built for red teams; cracked and leaked copies are widely abused by criminal groups as a post-exploitation framework.
  • In phishing operations it is not the lure itself. Attackers deliver it as a second-stage payload and then use it for command and control, lateral movement, and dropping additional payloads.

Decoding Matanbuchus

Matanbuchus was first spotted in February 2021, when it was advertised on dark web forums.
  • It is a malware-as-a-service (MaaS) loader that launches executables directly in system memory rather than writing the second stage to disk.
  • Its features include running custom PowerShell commands, using standalone executables to load DLL payloads, and establishing persistence by creating scheduled tasks.

How does the phishing attack take place?

  • The operators behind Matanbuchus hijack an existing email thread and reply with a ZIP attachment containing an HTML file, so the lure arrives inside a conversation the recipient already trusts.
  • Opening the HTML file extracts an MSI package that is digitally signed with a valid certificate issued by DigiCert to "Westeast Tech Consulting, Corp." Because the signature is valid, a check that only asks "is this signed?" will pass it; only trust anchored on vetted signers catches it.
  • Running the MSI installer displays a fake Adobe Acrobat font catalog update that ends with an error message, a decoy that gives the victim no reason to suspect anything was installed.
  • In the background, two Matanbuchus DLL payloads are dropped in two different locations and the loader connects to the attackers' command-and-control (C2) server.
  • Finally, Matanbuchus retrieves the Cobalt Strike payload from the C2 server and loads it.
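The chain above is a sequence of host-level events a defender can correlate rather than a single indicator. The following added example (not code from the original article, the malware authors, or any vendor) scores constructed Sysmon-style events for the stages described: an MSI run from a user-writable path whose signature is valid but whose signer is not on a vetted allowlist, a DLL loaded from a user-writable directory by a loader binary, a scheduled task pointing at that DLL, and an outbound connection from the loader. Event field names, weights, file paths, host names and the signer allowlist are assumptions chosen for illustration; the signer string is the one named in the article.

```python
"""Heuristic detection of a Matanbuchus-style delivery chain, run over
constructed Sysmon-like events (not real telemetry). Added example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Directories an ordinary user can write to; installers and DLLs running from
# here deserve more scrutiny than those under Program Files or System32.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed allowlist: signers the organisation has vetted. A signature that
# is valid but from an unknown signer is a warning sign, not a reason to trust.
TRUSTED_SIGNERS = {"Microsoft Corporation", "Adobe Inc."}

# System binaries commonly used to load DLL payloads.
LOADER_BINARIES = ("rundll32.exe", "regsvr32.exe", "msiexec.exe")


def in_user_writable(path):
    return any(tok in path.lower() for tok in USER_WRITABLE)


def score_event(ev):
    """Return (tag, weight) findings for one event; an empty list means benign."""
    findings = []
    img = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    if ev["EventID"] == 1:  # process creation
        if img.endswith("msiexec.exe") and ".msi" in cmd and in_user_writable(cmd):
            findings.append(("msi_from_user_path", 2))
            if ev.get("SignatureStatus") == "Valid" and ev.get("Signer") not in TRUSTED_SIGNERS:
                findings.append(("valid_sig_unknown_signer", 1))
        if img.endswith("schtasks.exe") and "/create" in cmd and ".dll" in cmd:
            findings.append(("schtasks_dll_persistence", 3))
    elif ev["EventID"] == 7:  # image (DLL) load
        loaded = ev.get("ImageLoaded", "").lower()
        if loaded.endswith(".dll") and in_user_writable(loaded) and img.endswith(LOADER_BINARIES):
            findings.append(("dll_from_user_path", 2))
    elif ev["EventID"] == 3:  # network connection
        if img.endswith(("rundll32.exe", "regsvr32.exe")) and not ev.get("DestinationIsInternal", False):
            findings.append(("loader_outbound_c2", 2))
    return findings


def correlate(events, window=timedelta(minutes=10), threshold=6):
    """Sum finding weights per host inside a sliding time window. A host whose
    total reaches the threshold is returned with the stages that were observed."""
    per_host = defaultdict(list)
    for ev in events:
        for tag, weight in score_event(ev):
            per_host[ev["Computer"]].append((datetime.fromisoformat(ev["UtcTime"]), tag, weight))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _, _) in enumerate(hits):
            in_window = [(tag, w) for t, tag, w in hits[i:] if t - start <= window]
            total = sum(w for _, w in in_window)
            if total >= threshold:
                alerts[host] = {"score": total, "stages": sorted({tag for tag, _ in in_window})}
                break
    return alerts


# Constructed events modelled on Sysmon IDs 1 (process), 7 (image load), 3 (network).
SAMPLE_EVENTS = [
    {"Computer": "WS-07", "UtcTime": "2022-06-17T12:00:01", "EventID": 1,
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "msiexec.exe /i C:\\Users\\a.smith\\Downloads\\font_update.msi",
     "SignatureStatus": "Valid", "Signer": "Westeast Tech Consulting, Corp."},
    {"Computer": "WS-07", "UtcTime": "2022-06-17T12:00:09", "EventID": 7,
     "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "ImageLoaded": "C:\\Users\\a.smith\\AppData\\Local\\Temp\\payload.dll"},
    {"Computer": "WS-07", "UtcTime": "2022-06-17T12:00:15", "EventID": 1,
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /tn Updater /tr "regsvr32.exe /s C:\\Users\\a.smith\\AppData\\Local\\Temp\\payload.dll"'},
    {"Computer": "WS-07", "UtcTime": "2022-06-17T12:00:20", "EventID": 3,
     "Image": "C:\\Windows\\System32\\regsvr32.exe", "DestinationIsInternal": False},
    # Benign host: vendor installer from Program Files, signed by a vetted signer,
    # plus a scheduled task that runs an EXE rather than a DLL loader.
    {"Computer": "WS-12", "UtcTime": "2022-06-17T12:01:00", "EventID": 1,
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": 'msiexec.exe /i "C:\\Program Files\\Vendor\\setup.msi"',
     "SignatureStatus": "Valid", "Signer": "Microsoft Corporation"},
    {"Computer": "WS-12", "UtcTime": "2022-06-17T12:01:05", "EventID": 1,
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /tn Backup /tr "C:\\Program Files\\Vendor\\backup.exe"'},
]

if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS).items():
        print(host, alert["score"], ", ".join(alert["stages"]))
```

The weights are deliberately low for the individual stages and high only for the scheduled task, so that a lone signed installer from Downloads does not page anyone, while the full sequence on one host within ten minutes does. The "valid signature, unknown signer" rule is the practical answer to the DigiCert-signed MSI in the chain: validity is checked, but trust comes from the allowlist.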

Conclusion

Malware-based phishing attacks like Matanbuchus are becoming more common. Organizations should deploy anti-phishing and anti-spam controls that stop harmful messages and attachments before they reach users, and back them with endpoint monitoring for the post-delivery stages described above: signed installers from unknown signers, DLLs loaded from user-writable paths, and newly created scheduled tasks. Employee education and awareness campaigns further reduce the chance that a hijacked-thread lure succeeds.
Cyware Publisher