Matanbuchus 3.0 is a sophisticated malware loader used primarily on Windows systems to deliver secondary payloads and enable stealthy, persistent cyberattacks. It features advanced evasion techniques, WQL query support, in-memory execution, and impersonates legitimate applications to communicate with command-and-control servers. #Matanbuchus #Morphisec #EventLogBackupTask
Keypoints
- Matanbuchus 3.0 loader is distributed mainly via social engineering campaigns involving fake Microsoft Teams calls and malicious scripts.
- The loader uses a renamed Notepad++ updater executable with side-loaded malicious DLLs and employs cybersquatting domains for delivery.
- It implements advanced API resolution using MurmurHash3 and indirect system calls, increasing stealth and evasion against detection.
- Persistent execution is achieved via COM-based scheduled tasks running the loader DLL through regsvr32 with uncommon parameters.
- The loader collects detailed system information, including EDR security controls and elevation status, to tailor follow-on payloads.
- Supports multiple post-exploitation capabilities including downloading and running MSI, EXE, DLL, and shellcode payloads, as well as remote command execution via CMD, PowerShell, and WQL queries.
- Command-and-control communications impersonate Skype desktop using encrypted HTTP POST requests over port 443 to blend with legitimate traffic.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Loader executes CMD and PowerShell commands remotely by leveraging CreateProcessW and writes scripts via NtWriteFile. (“CMD is directly executed by leveraging CreateProcessW… PowerShell is directly executed by leveraging CreateProcessW”)
- [T1106] Execution through API – The malware employs regsvr32 with “-e -n -i:user” to execute exported DLL functions silently without registering, reducing detection. (“The task executes regsvr32 with -e -n -i:user … this technique is not as common and less monitored”)
- [T1055] Process Injection – Matanbuchus supports process hollowing by injecting malicious payloads into suspended msiexec processes adapting to x86/x64 architectures. (“The loader will hollow a new msiexec process that it opened with suspend and will write into the process the malicious buffer”)
- [T1027] Obfuscated Files or Information – Uses Salsa20 encryption with a 256-bit key for obfuscating configuration data, C2 domains, and user agents. (“Deobfuscation … is now done through Salsa20 with a 256-bit key applied on bytes in the libcurl.dll file”)
- [T1547] Boot or Logon Autostart Execution – Persistence via scheduled task that repeatedly runs the malicious DLL through COM interfaces and shellcode injection. (“The shellcode itself … manipulates the ITaskService … registers the new task under the name of EventLogBackupTask”)
- [T1083] File and Directory Discovery – Generates volume serial-based mutex and directories for persistence and unique identification. (“It generates a mutex ‘sync’… generates a serial id folder name within APPDATA”)
- [T1497] Virtualization/Sandbox Evasion – Validates system language and avoids running under certain locales and 32-bit sandboxes by checking Wow64 status. (“Loader validates preferred language set by the system; it will abort if certain languages identified… validates it’s running under Wow64”)
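As an added example (not code from the Morphisec report), the Python triage below checks constructed process-creation and task-creation records for the three traces the techniques above describe: regsvr32 called with -e -n -i: against a DLL under AppData, and a scheduled task named EventLogBackupTask. The key=value record format, the sample lines and the serial-id folder name are constructed for illustration.

```python
import re

# Constructed sample records (not from the report), in a simplified key=value|key=value
# form modelled on Sysmon Event ID 1 (process create) and Security 4698 (task created).
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\System32\\regsvr32.exe"
    "|CommandLine=regsvr32 -e -n -i:user C:\\Users\\u\\AppData\\Roaming\\1A2B3C4D\\libcurl.dll",
    "EventID=1|Image=C:\\Windows\\System32\\regsvr32.exe"
    "|CommandLine=regsvr32 /s \"C:\\Program Files\\Vendor\\vendor.dll\"",
    "EventID=4698|SubjectUserName=u|TaskName=\\EventLogBackupTask",
    "EventID=4698|SubjectUserName=SYSTEM|TaskName=\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
]

# regsvr32 called with -e and -n plus an -i: argument ('-' or '/' switch prefix): the
# uncommon combination the report describes for calling an export without registering.
REGSVR32_EXPORT_NO_REGISTER = re.compile(r"(?i)(?=.*[-/]e\b)(?=.*[-/]n\b)(?=.*[-/]i:)")
# DLL loaded from somewhere under AppData (the report describes a serial-id folder in
# APPDATA; the folder name itself is unknown, so only the AppData prefix is checked).
APPDATA_DLL = re.compile(r"(?i)\\AppData\\.+\.dll")
SUSPICIOUS_TASK = "EventLogBackupTask"  # persistence task name from the report

def parse(record):
    """Split 'key=value|key=value' into a dict (first '=' in each field separates)."""
    return dict(field.split("=", 1) for field in record.split("|"))

def classify(record):
    """Return the rule names that fire for one record (empty list if none)."""
    ev = parse(record)
    hits = []
    if ev.get("EventID") == "1" and ev.get("Image", "").lower().endswith("\\regsvr32.exe"):
        cmd = ev.get("CommandLine", "")
        if REGSVR32_EXPORT_NO_REGISTER.search(cmd):
            hits.append("regsvr32_export_without_register")
        if APPDATA_DLL.search(cmd):
            hits.append("regsvr32_dll_from_appdata")
    if ev.get("EventID") == "4698" and ev.get("TaskName", "").endswith("\\" + SUSPICIOUS_TASK):
        hits.append("scheduled_task_eventlogbackuptask")
    return hits

def triage(records):
    """Keep only records that fired at least one rule, mapped to their rule hits."""
    return {rec: hits for rec in records if (hits := classify(rec))}

if __name__ == "__main__":
    for rec, hits in triage(SAMPLE_EVENTS).items():
        ev = parse(rec)
        print(", ".join(hits), "<-", ev.get("CommandLine") or ev.get("TaskName"))
```

The regsvr32 rule matches either switch prefix and any case, so `/E /N /I:user` fires as well; the benign `/s` registration and the built-in Defrag task produce no hits.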
Indicators of Compromise
- [Domain] Malicious update and C2 domains – notepad-plus-plu[.]org, nicewk[.]com, bretux[.]com
- [IP Address] Hosting malware components – 94.159.113[.]33 (fixuplink[.]com)
- [File Hash] Malicious library files – multiple libcurl.dll hashes including da9585d578f367cd6cd4b0e6821e67ff02eab731ae78593ab69674f649514872 and others
- [Scheduled Task] Persistence mechanism – EventLogBackupTask
- [File Name] Loader executable and archive – GenericUpdater.exe, GUP.zip, UP.zip
Read more: https://www.morphisec.com/blog/ransomware-threat-matanbuchus-3-0-maas-levels-up/