Matanbuchus Malware-as-a-Service Rented Out on Hacking Forums

The Matanbuchus Malware is a newly identified piece of Loader malware. Typically, threats of this type are not the core of hacker attacks and, instead, they are used to deliver subsequent payloads, as well as to exploit weaknesses in the system's security. In short, the Matanbuchus Malware is designed to bypass security, avoid detection, and deploy additional malware to infected devices. The malware was first discovered through advertisements published by its author, BelialDemon, on hacking forums. The criminal asks for a rental price of $2,500, and they offered limited spots to new buyers – probably an attempt to keep the payload under the radar or to make it seem even more exclusive.

According to Matanbuchus Malware's creator, the Loader is able to load payloads in the system's memory through a DLL or EXE file. It can also abuse the Windows Task Scheduler to grant the payload persistence. Furthermore, the Matanbuchus Malware can execute PowerShell commands, which open a whole new set of opportunities for the malevolent operators of the implant.

The peculiar thing about the threat's author is that this is not their first rodeo when it comes to Trojan Loaders. In the past, they have published advertisements for another custom-built loader called TriumphLoader. However, the new Matanbuchus Malware appears to be much more advanced compared to its predecessor.

Unfortunately, the Matanbuchus malware-as-a-service (MaaS) operation appears to be active already, and the criminal has found customers/accomplices. Payloads were discovered in macro-laced Microsoft Excel documents, and the massive network infrastructure behind the operation is already active. Cybersecurity experts were able to uncover a wide range of domain names, which use generic 'safe' words in their names – a basic attempt to leave the victim under the impression that they are visiting a valid domain. Some of the fake domains used by the Matanbuchus Malware appear to be:

  • Business related – login-biznesplanet.com, biznesplanet-paribabnp.com, and others.
  • Cryptocurrency related – wallet-secure.biz, wallet-secure.xyz, and others.
  • Posing as Adobe Flash updates – player-update.digital, flashupdate.digital, and others.

So far, the Matanbuchus Malware has not been observed to deploy additional malware onto compromised systems, so it is not clear what the end goal of the attackers is. However, judging by the malicious Microsoft Excel used to deliver the Matanbuchus Malware, it is likely that victims will be approached through spear-phishing emails.

You can stay protected from the Matanbuchus Malware and similar cyber threats by using reputable antivirus software and being more careful with the files and attachments you interact with.

June 18, 2021