Matanbuchus 3.0 is a serious malware threat spread via Microsoft Teams


The Matanbuchus malware loader is not new – it has been around for at least 4 years – but it has evolved into something incredibly dangerous.

Matanbuchus 3.0 has been found targeting victims as part of a ransomware attack. Described as being “highly targeted”, the cyberattack campaign uses Microsoft Teams as a delivery method for the latest version of the malware loader. The highly sophisticated attack employs a Microsoft Teams call impersonating an IT helpdesk.

Turning to such a widely used communication tool as a means of delivery makes a lot of sense. Not only is the delivery system in place, but the use of Microsoft Teams also allows for the targeting of businesses with extremely valuable data.

Security firm Morphisec describes how an attack looks, saying:

Victims are carefully targeted and persuaded to execute a script that triggers the download of an archive. This archive contains a renamed Notepad++ updater (GUP), a slightly modified configuration XML file, and a malicious side-loaded DLL representing the Matanbuchus loader. In previous campaigns from September 2024, an MSI installer was downloaded, which ultimately led to a similar flow of Notepad++ updater sideloading execution.

How Matanbuchus works

While the attack looks sophisticated on the face of it – and that impression stands up to a good deal of scrutiny – there are also tried-and-tested techniques from days of yore lurking beneath the surface. The configuration file that purports to belong to the Notepad++ updater points to a cyber-squatted domain (notepad-plus-plu.org – note the missing s).
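One way a defender can catch the modified updater config described above is to audit every URL it contains against the official domain and flag near-miss hosts such as the typosquat. The following is an added example, not code from the article or from Morphisec; the GUP-style XML sample is constructed, and the InfoUrl element name and the allowlist are assumptions.

```python
"""Flag a Notepad++ updater (GUP) config whose update URL points off the
official domain, e.g. the notepad-plus-plu.org typosquat described above."""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Assumed allowlist: the only host the legitimate updater should talk to.
OFFICIAL_HOSTS = {"notepad-plus-plus.org"}

def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot near-miss (typosquat) hosts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host: str) -> str:
    """'official' for the allowlisted domain or its subdomains, 'lookalike'
    for a host within two edits of it (e.g. one dropped letter), else 'unknown'."""
    host = host.lower().rstrip(".")
    if host in OFFICIAL_HOSTS or any(host.endswith("." + h) for h in OFFICIAL_HOSTS):
        return "official"
    if any(_edit_distance(host, h) <= 2 for h in OFFICIAL_HOSTS):
        return "lookalike"
    return "unknown"

def audit_gup_config(xml_text: str) -> list[tuple[str, str, str]]:
    """Return (element tag, host, verdict) for every URL found in the config."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        text = (elem.text or "").strip()
        if text.startswith(("http://", "https://")):
            host = urlparse(text).hostname or ""
            findings.append((elem.tag, host, classify_host(host)))
    return findings

# Constructed sample modelled on a GUP config; the InfoUrl element name is an assumption.
SAMPLE_GUP_XML = """<?xml version="1.0"?>
<GUPInput>
  <Version>5.2.1</Version>
  <InfoUrl>https://notepad-plus-plu.org/update/getDownloadUrl.php</InfoUrl>
  <Param>Notepad++</Param>
</GUPInput>"""

if __name__ == "__main__":
    for tag, host, verdict in audit_gup_config(SAMPLE_GUP_XML):
        print(f"{tag}: {host} -> {verdict}")
```

Any 'lookalike' or 'unknown' verdict on a config sitting next to a renamed GUP binary is worth treating as a sideloading indicator rather than a typo.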

The fact that victims need to be convinced to take action after having been targeted suggests there are also old-school social engineering techniques at play here.

But for all of its reliance on old techniques, Matanbuchus 3.0 is advanced. Morphisec has conducted a detailed analysis and investigation into how it works, and the write-up is well worth a look.


The malware has been spotted for sale, says Morphisec’s Michael Gorelik, for a mere $10,000. This places a dangerous tool well within the reach of many. This price is related to the HTTP variant of Matanbuchus 3.0 which has been seen in active campaigns as recently as this month. The DNS version of the malware has a price tag of $15,000.

Summing up its investigatory work, Morphisec says:

The Matanbuchus 3.0 Malware-as-a-Service has evolved into a sophisticated threat. This updated version introduces advanced techniques such as improved communication protocols, in-memory stealth, enhanced obfuscation, and support for WQL queries, CMD, and PowerShell reverse shells. It collects detailed system data, including EDR security controls, to tailor subsequent attacks, which may culminate in ransomware deployment. The loader’s ability to execute regsvr32, rundll32, msiexec, or process hollowing commands underscores its versatility, making it a significant risk to compromised systems.

In addition to the write-up linked above, you can also check out a full PDF of the report.

Image credit: rafapress / depositphotos
