The Matanbuchus malware loader has been distributed via social engineering on Microsoft Teams calls, impersonating IT helpdesk personnel to execute its payloads directly in memory and evade detection.
First promoted on the dark web in early 2021, Matanbuchus operates as a malware-as-a-service offering, originally priced at $2,500. In June 2022, threat analyst Brad Duncan reported its involvement in delivering Cobalt Strike beacons during a significant malspam campaign. Researchers at Morphisec identified that the latest version of Matanbuchus features enhanced evasion, obfuscation, and post-compromise capabilities. Microsoft Teams has been used by attackers in numerous instances to breach organizations over the years through deceptive tactics that facilitate the initial malware delivery.
Typically, attackers infiltrate chats and trick users into downloading a malicious file that deploys the initial payload on the system. In 2023, a researcher developed a tool exploiting software bugs to permit malware delivery from external accounts. Last year, DarkGate malware operators similarly exploited Microsoft Teams, targeting users with lax ‘External Access’ settings. According to Morphisec, operators of Matanbuchus variant 3.0 have shown a clear preference for using Microsoft Teams for initial access.
The attack begins with an external Microsoft Teams call, where the attacker poses as a legitimate IT helpdesk and convinces the target to utilize Quick Assist, a remote support tool integrated into Windows. This tool enables the attacker to gain interactive remote access and subsequently instructs the user to execute a PowerShell script. This script downloads and extracts a ZIP archive containing three files that facilitate the launch of Matanbuchus through DLL side-loading. Morphisec’s reports detail that Matanbuchus 3.0 brings numerous enhancements, including a switch in command-and-control (C2) communication and string obfuscation from RC4 to Salsa20.
The updated payloads are executed in memory and feature a new anti-sandbox verification routine to ensure operation only in specified locales. Instead of typical Windows API function calls, the malware uses syscalls via custom shellcode, bypassing conventional API wrappers and EDR hooks.
Actions that security tools regularly monitor are obscured further using the ‘MurmurHash3’ non-cryptographic hash function, complicating reverse engineering and static analysis. Regarding post-infection capabilities, Matanbuchus 3.0 can execute CMD commands, PowerShell, or EXE, DLL, MSI, and shellcode payloads.
The malware gathers details such as username, domain, OS build information, running EDR/AV processes, and the elevation status of its own process, whether it is executed as an admin or regular user. Morphisec’s analysis indicates that the malware inspects running processes to identify security applications present on the system and tailor its execution methods based on the security stack of the victim.
Researchers released a thorough technical analysis of Matanbuchus, describing its evolution into a sophisticated threat. They also provided indicators of compromise, including malware samples and the domains utilized by the malware.
