Beware: Matanbuchus 3.0 Malware Spreads via Microsoft Teams Calls

Malware Deployment via Microsoft Teams

The Matanbuchus malware loader has recently emerged as a significant threat, utilizing Microsoft Teams as a delivery method. Attackers impersonate IT helpdesk personnel to lure victims into executing malicious scripts, leading to the installation of the malware on their systems. This method has proven effective due to the legitimacy and familiarity of Teams in corporate environments, increasing the likelihood of success in targeted attacks.

Image courtesy of BetaNews

Technical Details of Matanbuchus 3.0

Matanbuchus 3.0 has evolved considerably since its inception, now incorporating advanced techniques for delivery and execution. The malware is distributed through a ZIP archive that contains a renamed Notepad++ updater, a modified configuration XML file, and a malicious side-loaded DLL acting as the loader. Once installed, Matanbuchus retrieves its instructions from a command-and-control (C2) server, enabling it to execute further attacks, including ransomware deployment.

According to Morphisec, the malware loader now employs a 256-bit Salsa20 encryption scheme for communication, making detection more difficult. Additionally, it uses advanced obfuscation techniques and in-memory evasion tactics to avoid traditional security measures.

For a comprehensive technical analysis, refer to the Morphisec report.

Attack Vector and Social Engineering

The attackers specifically choose their victims, reaching out via Microsoft Teams under the pretense of resolving a technical issue. This targeted approach improves the chances of success as victims are more likely to comply with requests for remote access. Once remote access is granted, attackers use Quick Assist to guide users through executing the PowerShell script that deploys Matanbuchus.

Image courtesy of Morphisec

Indicators of Compromise (IOCs)

Organizations should be aware of several IOCs associated with Matanbuchus 3.0. These include:

• Hash/URL: 94.159.113[.]33 – fixuplink[.]com (Malicious C2 infrastructure)
• Malicious update location: notepad-plus-plu[.]org
• Scheduled Task Name: EventLogBackupTask

For a detailed list of IOCs, refer to the original analysis here.

Recommendations for Mitigation

To defend against threats like Matanbuchus, organizations are encouraged to adopt proactive security measures. Gopher Security’s AI-Powered Zero Trust Platform can help mitigate risks by ensuring robust access control and real-time monitoring of network traffic. Our platform integrates advanced AI authentication and micro-segmentation to create a secure environment across various endpoints and cloud services.

Explore how Gopher Security can enhance your cybersecurity posture by visiting our website.

Conclusion

Matanbuchus 3.0 represents a sophisticated evolution in malware deployment, relying on social engineering and advanced technical measures. By understanding the tactics employed and implementing comprehensive security solutions, organizations can better protect themselves against such targeted attacks. For more information on securing your environment, contact Gopher Security today.