A malware-as-a-service (MaaS) dubbed Matanbuchus has been observed spreading through phishing campaigns, ultimately dropping the Cobalt Strike post-exploitation framework on compromised machines.
Matanbuchus, like other malware loaders[1] such as BazarLoader[2], Bumblebee[3], and Colibri[4], is engineered to fetch second-stage executables from command-and-control (C&C) servers and run them on infected systems without being detected.
Available on Russian-speaking cybercrime forums for a price of
$2,500 since February 2021, the malware is equipped with
capabilities to launch .EXE and .DLL files in memory and run
arbitrary PowerShell commands.
The findings, released by threat intelligence firm Cyble last
week, document the latest infection chain associated with the
loader, which is linked to a threat actor who goes by the online
moniker BelialDemon.
“If we look historically, BelialDemon has been involved in the
development of malware loaders,” Unit 42 researchers Jeff White and
Kyle Wilhoit noted[5]
in a June 2021 report. “BelialDemon is considered the primary
developer of TriumphLoader[6], a loader previously
posted about on several forums, and has experience with selling
this type of malware.”
The spam emails distributing Matanbuchus carry a ZIP attachment containing an HTML file. When opened, the HTML file decodes Base64 content embedded in it and drops a second ZIP file on the system (the technique commonly known as HTML smuggling, which keeps the actual archive out of the mail gateway's view).
That archive, in turn, contains an MSI installer that displays a fake error message when run while quietly deploying a DLL ("main.dll"); as a fallback, the installer also downloads the same library from a remote server ("telemetrysystemcollection[.]com").
"The main function of dropped DLL files ('main.dll') is to act as a loader and download the actual Matanbuchus DLL from the C&C server," Cyble researchers said[7]. The dropped DLL also establishes persistence by creating a scheduled task[8].
The Matanbuchus payload then contacts the C&C infrastructure to retrieve the next-stage payloads, in this case two Cobalt Strike Beacons used for follow-on activity.
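The first link in the chain above, an HTML attachment that decodes embedded Base64 into a ZIP, is something a mail gateway or triage script can check for statically. The following is an added example written for this page, not code from Cyble, Unit 42 or the Matanbuchus authors: it pulls every long Base64 run out of an HTML file, decodes it, and reports any run whose decoded bytes start with a ZIP, PE or OLE/MSI signature, listing ZIP members so a nested .msi or .dll stands out. The sample HTML it scans is constructed inline (a placeholder "invoice.msi" made of nothing but the OLE magic bytes); the names `find_smuggled_payloads`, `classify` and `build_sample_html` are this example's own.

```python
import base64
import io
import re
import zipfile
from typing import Optional

# A Base64 run long enough to plausibly carry a smuggled file. Short runs
# (session tokens, hashes, tiny inline images) are ignored to cut noise.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

# Leading bytes of file types a loader campaign typically smuggles.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"MZ": "pe",                 # .exe / .dll
    b"\xd0\xcf\x11\xe0": "cfb",  # OLE compound file: .msi, legacy Office
}


def classify(blob: bytes) -> Optional[str]:
    """Return the file type of a decoded blob by its magic bytes, or None."""
    for magic, kind in MAGIC.items():
        if blob.startswith(magic):
            return kind
    return None


def find_smuggled_payloads(html: bytes) -> list:
    """Decode every long Base64 run in the HTML and report the ones that turn
    out to be a file rather than text. Each finding records the offset of the
    run, the detected type, the decoded size and, for ZIPs, the member names."""
    findings = []
    for m in B64_RUN.finditer(html):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        kind = classify(blob)
        if kind is None:
            continue
        finding = {"offset": m.start(), "kind": kind, "size": len(blob)}
        if kind == "zip":
            try:
                with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                    finding["members"] = zf.namelist()
            except zipfile.BadZipFile:
                finding["members"] = []  # truncated or deliberately malformed
        findings.append(finding)
    return findings


def build_sample_html() -> bytes:
    """Constructed sample, not a real campaign artifact: an HTML attachment
    whose script holds a Base64-encoded ZIP containing a placeholder
    'invoice.msi' (only the OLE magic bytes, so nothing here is executable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.msi", b"\xd0\xcf\x11\xe0" + b"\x00" * 60)
    payload = base64.b64encode(buf.getvalue())
    return (
        b"<html><body><script>\n"
        b"var data = '" + payload + b"';\n"
        b"var bin = atob(data);\n"
        b"// ... Blob + <a download> click writes the ZIP to disk ...\n"
        b"</script></body></html>\n"
    )


if __name__ == "__main__":
    for finding in find_smuggled_payloads(build_sample_html()):
        print(finding)
```

This catches the plain form of the technique only: samples that split the string into chunks, reverse it, XOR it, or assemble it at runtime will not decode here, so the check belongs next to detonation or a JavaScript emulator rather than in place of them. The later stages of the chain give two more detection points: msiexec.exe writing a DLL to a user-writable path, and a scheduled task created shortly afterwards that launches that DLL.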
The development comes as researchers from Fortinet FortiGuard
Labs disclosed a new variant of a malware loader called IceXLoader
that’s programmed in Nim and is being marketed for sale on
underground forums.
IceXLoader is built to evade antivirus software, and phishing attacks involving it have paved the way for DarkCrystal RAT[9] (aka DCRat) and rogue cryptocurrency miners on hacked Windows hosts.
“This need to evade security products could be a reason the
developers chose to transition from AutoIt to Nim for IceXLoader
version 3,” the researchers said[10]. “Since Nim is a
relatively uncommon language[11] for applications to be
written in, threat actors take advantage of the lack of focus on
this area in terms of analysis and detection.”
References
[1] malware loaders (flashpoint.io)
[2] BazarLoader (thehackernews.com)
[3] Bumblebee (thehackernews.com)
[4] Colibri (thehackernews.com)
[5] noted (unit42.paloaltonetworks.com)
[6] TriumphLoader (bazaar.abuse.ch)
[7] said (blog.cyble.com)
[8] scheduled task (blog.qualys.com)
[9] DarkCrystal RAT (thehackernews.com)
[10] said (www.fortinet.com)
[11] uncommon language (thehackernews.com)
Read more: https://thehackernews.com/2022/06/researchers-warn-of-matanbuchus-malware.html
