Matanbuchus is a C++ malicious downloader/backdoor offered as MaaS since 2020 that downloads and executes second-stage payloads and supports hands-on-keyboard activity, often observed in ransomware-linked operations. Version 3.0 introduced Protobuf-based serialized network communication and extensive ChaCha20-based encryption and obfuscation methods. #Matanbuchus #Rhadamanthys
Keypoints
- Matanbuchus is a two-module backdoor/downloader (downloader + main module) used to fetch and execute secondary payloads and enable remote hands-on-keyboard actions.
- Version 3.0 added Protocol Buffers (Protobufs) for serialized network communication and continues to use ChaCha20 for multiple encryption operations (strings, payloads, network packets).
- Obfuscation and anti-analysis features include encrypted strings, MurmurHash-based API resolution, junk instruction blocks, long-running busy loops, and a hardcoded expiration date.
- Persistence is established by downloading/executing shellcode that creates a scheduled task named “Update Tracker Task” and by copying itself into an APPDATA directory with a randomized filename and mutex.
- Network communications use HTTP(S) with encrypted Protobuf payloads and three main request types (register, get tasks, report results); many remote commands support downloading/executing EXE, DLL, MSI, shellcode, and injecting payloads into other processes.
- Zscaler observed campaigns delivering Rhadamanthys stealer and NetSupport RAT alongside Matanbuchus, and provided SHA256 hashes and malicious domains (gpa-cro[.]com, mechiraz[.]com) as IOCs.
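The persistence mechanism summarized above (a scheduled task named "Update Tracker Task" that runs msiexec against a payload copied under APPDATA) is something a SOC can hunt for in scheduled-task creation telemetry. The following is an added example, not code from the Zscaler post: it applies two detection rules to a handful of constructed task-creation records in the shape of Windows Security event 4698 fields. The field names (TaskName, Command, Arguments) and the sample records are assumptions made for illustration.

```python
"""Added example (not from the original analysis): flag scheduled-task creations that
match the Matanbuchus persistence pattern described in the post.

Rule 1: the exact task name "Update Tracker Task" reported in the analysis.
Rule 2: msiexec.exe launching a package from a user's AppData directory, which
        catches the same behaviour if the task name is changed.
Records are ASSUMED to be pre-parsed dicts with TaskName / Command / Arguments,
as one would extract from event ID 4698 TaskContent XML; they are constructed here."""

KNOWN_TASK_NAME = "update tracker task"

# Constructed sample records for illustration (not real telemetry).
SAMPLE_EVENTS = [
    {"TaskName": "\\Microsoft\\Office\\OfficeTelemetryAgent",
     "Command": "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe",
     "Arguments": "/update user"},
    {"TaskName": "\\Update Tracker Task",
     "Command": "C:\\Windows\\System32\\msiexec.exe",
     "Arguments": "/i C:\\Users\\alice\\AppData\\Roaming\\Qzr1kd\\setup.msi /qn"},
    {"TaskName": "\\Adobe Acrobat Update Task",
     "Command": "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe",
     "Arguments": ""},
    {"TaskName": "\\Weather Sync",   # renamed task, same behaviour: still caught by rule 2
     "Command": "msiexec.exe",
     "Arguments": "/i \"C:\\Users\\bob\\AppData\\Local\\Temp\\a8f3.msi\" /quiet"},
]


def classify_task_event(event):
    """Return the list of rule names the event matches (empty list = not flagged)."""
    reasons = []
    name = event.get("TaskName", "").strip("\\").lower()
    command = event.get("Command", "").lower()
    arguments = event.get("Arguments", "").lower()

    if name == KNOWN_TASK_NAME:
        reasons.append("known_task_name")

    # msiexec invoked by a scheduled task against a package under AppData is
    # unusual for legitimate software, which installs from Program Files or
    # a vendor download directory.
    if command.endswith("msiexec.exe") and "\\appdata\\" in arguments:
        reasons.append("msiexec_from_appdata")

    return reasons


def scan_events(events):
    """Return [(TaskName, [reasons])] for every flagged event."""
    hits = []
    for event in events:
        reasons = classify_task_event(event)
        if reasons:
            hits.append((event["TaskName"], reasons))
    return hits


if __name__ == "__main__":
    for task_name, reasons in scan_events(SAMPLE_EVENTS):
        print(f"FLAGGED {task_name}: {', '.join(reasons)}")
```

Rule 2 is deliberately broader than the literal indicator so that a renamed task with the same msiexec-from-APPDATA behaviour is still surfaced; tune the path check to your environment's known installers before alerting on it.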
MITRE Techniques
- [T1105] Ingress Tool Transfer – Downloads and executes payloads (EXE, DLL, MSI) from external URLs to deploy second-stage components (‘Downloads and executes an EXE payload from an external URL.’).
- [T1055] Process Injection – Injects downloaded payloads or shellcode into remote processes (e.g., inject payload into a remote process or into msiexec) (‘Inject the payload into a remote process.’).
- [T1218] Signed Binary Proxy Execution – Uses legitimate Windows utilities to execute payloads (rundll32, regsvr32, msiexec) to launch DLLs or MSI-based payloads (‘Execute the DLL payload with rundll32. Execute the DLL payload with regsvr32.’).
- [T1053] Scheduled Task/Job – Establishes persistence by creating a scheduled task named “Update Tracker Task” that runs msiexec with the implanted payload path (‘The shellcode creates a new scheduled task with the name Update Tracker Task’).
- [T1071] Application Layer Protocol – C2 and payload retrieval over HTTP(S) for command-and-control communications (‘Matanbuchus uses HTTP(S) for network communications with payloads that contain encrypted Protobufs.’).
- [T1573] Encrypted Channel – Encrypts C2 messages and payloads using ChaCha20, including prepending keys/nonces to packets (‘Matanbuchus encrypts each Protobuf using ChaCha20 by generating a random key and nonce’).
- [T1059] Command and Scripting Interpreter – Executes system shell commands via CMD, PowerShell, and WMI as remote task actions (‘Executes a system shell command using CMD.’; ‘Executes a system shell command using PowerShell.’; ‘Executes a system shell command using WMI.’).
- [T1082] System Information Discovery – Gathers host details (hostname, username, Windows version, domain) during registration with the C2 server (‘Before requesting any tasks from the C2 server, Matanbuchus registers the compromised host by collecting and sending the following information. Hostname and username. Windows version. Windows domain name.’).
- [T1057] Process Discovery – Enumerates running processes when commanded by the C2 (‘Collects the running processes on the compromised host. The list includes only the process names.’).
- [T1021] Remote Services – Initial access via remote assistance (QuickAssist) and hands-on-keyboard activity to deliver the malicious MSI and execute the installer (‘The threat actor used QuickAssist (likely in conjunction with social engineering) to obtain access to the victim’s system.’).
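The encrypted-channel entry above notes that each Protobuf is ChaCha20-encrypted under a freshly generated key and nonce that are prepended to the packet. A design like that gives an analyst with a packet capture everything needed to recover the plaintext, since the key travels with the data. The following is an added example, not code from the Zscaler post: a pure-Python RFC 8439 ChaCha20 plus a packet parser that splits off the key and nonce and decrypts the remainder. The exact layout (32-byte key, then 12-byte nonce, then ciphertext, block counter 0) is an assumption for illustration; confirm it against the sample being analysed before relying on it.

```python
"""Added example (not from the original analysis): decrypt a captured packet that
carries its own ChaCha20 key and nonce in front of the ciphertext.

ASSUMED layout (verify against the real sample):  key[32] || nonce[12] || ciphertext
ChaCha20 is implemented per RFC 8439 so the script needs no third-party package."""
import os
import struct

KEY_LEN = 32
NONCE_LEN = 12
MASK32 = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439 section 2.3)."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3I", nonce)
    working = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _quarter_round(working, 0, 4, 8, 12)
        _quarter_round(working, 1, 5, 9, 13)
        _quarter_round(working, 2, 6, 10, 14)
        _quarter_round(working, 3, 7, 11, 15)
        _quarter_round(working, 0, 5, 10, 15)
        _quarter_round(working, 1, 6, 11, 12)
        _quarter_round(working, 2, 7, 8, 13)
        _quarter_round(working, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w + s) & MASK32 for w, s in zip(working, state)])


def chacha20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt (the operation is symmetric) by XOR with the keystream."""
    out = bytearray()
    for offset in range(0, len(data), 64):
        keystream = chacha20_block(key, counter + offset // 64, nonce)
        chunk = data[offset:offset + 64]
        out += bytes(p ^ k for p, k in zip(chunk, keystream))
    return bytes(out)


def build_packet(plaintext):
    """Construct a packet in the assumed layout (used here only to produce test input)."""
    key, nonce = os.urandom(KEY_LEN), os.urandom(NONCE_LEN)
    return key + nonce + chacha20_xor(key, nonce, plaintext)


def parse_packet(packet):
    """Split off the prepended key and nonce and return (key, nonce, plaintext)."""
    if len(packet) < KEY_LEN + NONCE_LEN:
        raise ValueError("packet shorter than key + nonce header")
    key = packet[:KEY_LEN]
    nonce = packet[KEY_LEN:KEY_LEN + NONCE_LEN]
    ciphertext = packet[KEY_LEN + NONCE_LEN:]
    return key, nonce, chacha20_xor(key, nonce, ciphertext)


if __name__ == "__main__":
    # Constructed stand-in for a serialized registration Protobuf.
    sample = b"\x0a\x08HOSTNAME\x12\x05alice\x1a\x0bWindows 10"
    _, _, recovered = parse_packet(build_packet(sample))
    print("decrypted OK" if recovered == sample else "mismatch")
```

Because the key is part of the packet, the encryption hides content only from a casual observer; a network sensor that knows the layout can decrypt and then parse the inner Protobuf, which is where detection content for the register / get-tasks / report-results exchange would be built.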
Indicators of Compromise
- [SHA256] Matanbuchus-related files and installers – 92a2e2a124a106af33993828fb0d4cdffd9dac8790169774d672c30747769455 (Matanbuchus MSI package), 3ac90c071d143c3240974618d395fa3c5228904c8bf0a89a49f8c01cd7777421 (Matanbuchus downloader module), and 2 more hashes.
- [SHA256] Legitimate executable used for sideloading – 6246801035e053df2053b2dc28f4e76e3595fb62fdd02b5a50d9a2ed3796b153 (HRUpdate.exe used for sideloading the downloader module).
- [Domain] Malicious distribution and C2 infrastructure – gpa-cro[.]com (URL hosting malicious MSI), mechiraz[.]com (Matanbuchus C2 server / payload host).
- [File Name] Sideloading and payload names – HRUpdate.exe (legitimate executable used to sideload the malicious DLL downloader), Update Tracker Task (name of scheduled task used for persistence).
Read more: https://www.zscaler.com/blogs/security-research/technical-analysis-matanbuchus-3-0