Select Page

A malware-as-a-service (Maas) dubbed Matanbuchus has been observed spreading through phishing campaigns, ultimately dropping the Cobalt Strike post-exploitation framework on compromised machines.

Matanbuchus, like other malware loaders such as BazarLoaderBumblebee, and Colibri, is engineered to download and execute second-stage executables from command-and-control (C&C) servers on infected systems without detection.

Available on Russian-speaking cybercrime forums for a price of $2,500 since February 2021, the malware is equipped with capabilities to launch .EXE and .DLL files in memory and run arbitrary PowerShell commands.

The findings, released by threat intelligence firm Cyble last week, document the latest infection chain associated with the loader, which is linked to a threat actor who goes by the online moniker BelialDemon.

“If we look historically, BelialDemon has been involved in the development of malware loaders,” Unit 42 researchers Jeff White and Kyle Wilhoit noted in a June 2021 report. “BelialDemon is considered the primary developer of TriumphLoader, a loader previously posted about on several forums, and has experience with selling this type of malware.”

images from Hacker News