- Researchers from Morphisec have spotted Matanbuchus 3.0 in the wild
- The malware serves as a loader for Cobalt Strike or ransomware
- Victims are approached via Microsoft Teams and asked to grant remote access
Security researchers are warning of an ongoing campaign that abuses Microsoft Teams calls to deploy a malware loader called Matanbuchus 3.0.
According to cybersecurity firm Morphisec, an unidentified hacking group first picks its victims, then reaches out over Microsoft Teams posing as an external IT help desk.
The callers try to convince the victim that there is a problem with their device and that they need to grant remote access so it can be fixed. Because the victims are cherry-picked rather than mass-targeted, the lure has a higher chance of success.
Expensive malware as a service
Once access has been granted, usually via Quick Assist, the attackers run a PowerShell script that deploys Matanbuchus 3.0, a malware loader that can lead to Cobalt Strike Beacons and even ransomware.
“The victims are carefully targeted and convinced to execute a script that triggers the download of an archive,” said Morphisec’s Michael Gorelik. “This archive contains a renamed Notepad++ updater (GUP), a slightly modified XML configuration file, and a malicious side-loaded DLL representing the Matanbuchus loader.”
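The chain described above (Quick Assist session, then a PowerShell stager, then a renamed Notepad++ updater used to side-load the loader DLL) leaves two signals in ordinary process-creation telemetry. The script below is an added example, not Morphisec's or the malware's code: it runs a pair of heuristics over constructed Sysmon-style process events. The field layout, the Quick Assist process name (assumed here to be quickassist.exe), the Notepad++ install paths, the 30-minute correlation window and the sample events are all assumptions made for illustration.

```python
"""Added example: flag process events consistent with the Quick Assist ->
PowerShell -> renamed Notepad++ updater (GUP.exe) side-load chain.
Not the vendor's detection content; field names, process names, paths,
time window and all sample events are constructed assumptions."""
import ntpath
from dataclasses import dataclass
from typing import List, Tuple

# Assumed legitimate locations of the Notepad++ updater.
EXPECTED_GUP_DIRS = {
    r"c:\program files\notepad++\updater",
    r"c:\program files (x86)\notepad++\updater",
}
QUICK_ASSIST_NAME = "quickassist.exe"           # assumed process name
SHELL_NAMES = {"powershell.exe", "pwsh.exe", "cmd.exe"}  # loader supports CMD and PowerShell
WINDOW_SECONDS = 30 * 60                        # assumed correlation window


@dataclass
class ProcEvent:
    ts: int              # start time in seconds (constructed)
    pid: int
    image: str           # full path of the new process
    original_name: str   # PE OriginalFileName, as Sysmon Event ID 1 records it
    cmdline: str


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def is_renamed_gup(ev: ProcEvent) -> bool:
    """Notepad++ updater running under another name or outside its install dir.
    OriginalFileName survives renaming, so a rename shows as a mismatch."""
    if ev.original_name.lower() != "gup.exe":
        return False
    outside = ntpath.dirname(ev.image).lower() not in EXPECTED_GUP_DIRS
    return _base(ev.image) != "gup.exe" or outside


def shell_during_quick_assist(ev: ProcEvent, qa_starts: List[int],
                              window: int = WINDOW_SECONDS) -> bool:
    """A shell started shortly after a Quick Assist session began. The helper
    drives the interactive desktop, so the shell is not a child of Quick
    Assist; time correlation is used instead of a parent-child check."""
    if _base(ev.image) not in SHELL_NAMES:
        return False
    return any(0 <= ev.ts - t <= window for t in qa_starts)


def find_suspicious(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    qa_starts = [e.ts for e in events if _base(e.image) == QUICK_ASSIST_NAME]
    hits = []
    for ev in events:
        if shell_during_quick_assist(ev, qa_starts):
            hits.append((ev.pid, "shell started within 30 min of a Quick Assist session"))
        if is_renamed_gup(ev):
            hits.append((ev.pid, "Notepad++ updater (GUP.exe) renamed or outside its install dir"))
    return hits


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    ProcEvent(0, 100, r"C:\Windows\explorer.exe", "EXPLORER.EXE", "explorer.exe"),
    ProcEvent(60, 200, r"C:\Program Files\WindowsApps\QuickAssist\quickassist.exe",
              "QuickAssist.exe", "quickassist.exe"),
    ProcEvent(300, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "PowerShell.EXE",
              r"powershell.exe -nop -w hidden -ep bypass -File C:\Users\alice\AppData\Local\Temp\stage.ps1"),
    ProcEvent(360, 400, r"C:\Users\alice\AppData\Local\Temp\update\notepad_update.exe",
              "gup.exe", "notepad_update.exe"),
    # Benign: the real updater from its install directory, a day later.
    ProcEvent(90000, 500, r"C:\Program Files\Notepad++\updater\GUP.exe", "gup.exe", "GUP.exe"),
    # Benign: an admin shell with no Quick Assist session nearby.
    ProcEvent(90100, 600, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "PowerShell.EXE", "powershell.exe"),
]

if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

Both rules are heuristics: the time-window rule will fire on any environment where the help desk legitimately uses Quick Assist, so it is better used as an enrichment for the GUP rule than as a stand-alone alert, and the GUP rule depends on the endpoint agent recording the PE OriginalFileName field.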
The malware was first spotted in 2021, The Hacker News reports, when cybercriminals advertised it on Russian-language forums for $2,500. Since then it has evolved to add new features, improved command-and-control communication, more stealth, CMD and PowerShell support, and more. The price has apparently risen as well: it now costs $10,000 per month for the HTTPS version and $15,000 per month for the DNS version.
Although the researchers do not attribute the campaign, they note that similar social engineering tactics have been used in the past by a group called Black Basta to deploy ransomware.
Black Basta was once one of the most dangerous ransomware operations in existence, but it has since gradually faded from view. At the end of February this year, a cybercriminal leaked chat logs that detailed the group’s internal workings.
Via The Hacker News