Malspam pushes Matanbuchus malware, leads to Cobalt Strike

On 2022-06-16, researchers observed a malspam wave delivering Matanbuchus via a ZIP that contains an HTML page which decodes and downloads payloads, ultimately triggering Cobalt Strike beacons. The operation uses a signed MSI, base64-encoded payloads, and HTTPS-based downloads, with persistence via a scheduled task and multiple C2 channels. #Matanbuchus #CobaltStrike #TelemetrySystemCollection #Digicert #OneDrive #MSI

Keypoints

  • Malspam on 2022-06-16 delivered Matanbuchus using a ZIP archive that contains an HTML page used to deploy the payload. – “The email attachment is a zip archive that contains an HTML file.”
  • The HTML page pretends to be a OneDrive page but actually contains base64 text that is converted to a file for download. – “the HTML file actually contains base64 text that is converted to a file for download.”
  • The ZIP/HTML chain leads to an MSI package which pretends to install an Adobe font pack. – “MSI package pretends to install an Adobe font pack.”
  • The MSI drops Matanbuchus DLLs and retrieves additional components over HTTPS; the dropped main DLL and a second file share the same SHA256 hash. – “Both have the same SHA256 hash.”
  • Two Cobalt Strike payloads (one ASCII text file and one 32‑bit DLL) are used, with the DLL executed via regsvr32 and C2 traffic established. – “Run method: regsvr32.exe” and “First Cobalt Strike file (ASCII text)”
  • C2 activity uses multiple HTTPS domains/IPs (telemetrysystemcollection[.]com, extic[.]icu, rekyh[.]icu) and notes that some domains generate no DNS traffic. – “Note: The above Cobalt Strike activity did not generate any DNS traffic for the associated .icu domains.”

MITRE Techniques

  • [T1566.001] Phishing – Malspam campaign delivering a ZIP containing an HTML file used to deploy the MSI payload. – ‘The email attachment is a zip archive that contains an HTML file.’
  • [T1132.001] Data Encoding – The HTML page contains base64 text that is converted to a file for download. – ‘the HTML file actually contains base64 text that is converted to a file for download.’
  • [T1116] Code Signing – MSI package is signed with a certificate from Digicert. – ‘MSI extracted from the second zip archive is signed using a certificate, apparently from Digicert.’
  • [T1053.005] Windows Scheduled Task – Persistence via a scheduled task. – ‘Scheduled task to keep the Matanbuchus malware persistent.’
  • [T1059.005] Windows Script – VBScript usage to generate a fake error and drive execution. – ‘VBS file that generated the fake error message…’
  • [T1105] Ingress Tool Transfer – HTTPS-based downloads to fetch additional payloads (DLLs) after initial run. – ‘The HTTPS traffic is probably a way to update the DLL.’
  • [T1071.001] Web Protocols – C2 communications over HTTPS to external domains/IPs. – ‘Matanbuchus C2 traffic: 213.226.114[.]15 port 443 (HTTPS) – telemetrysystemcollection[.]com – GET /m8YYdu/mCQ2U9/auth.aspx’ and related HTTPS endpoints.
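The HTML-smuggling step behind T1566.001 and T1132.001 above (a page posing as OneDrive that holds a base64 blob and turns it into a downloadable file) is something a triage script can flag before the archive ever reaches a user. The following is an added defender-side example, not code from the ISC diary: it decodes long base64 runs in an HTML file, checks the decoded bytes for archive/executable magic, and looks for the browser APIs typically used to materialise the download. The sample HTML and its "ZIP" payload are constructed stand-ins; the file name and thresholds are assumptions.

```python
import base64
import re

# Markers of the smuggling pattern: a long base64 literal plus script calls
# that convert it into a file the browser offers for download.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
DOWNLOAD_HINTS = (b"atob(", b"Blob(", b"msSaveOrOpenBlob", b"createObjectURL", b"download=")

# File signatures worth flagging when they appear at the start of a decoded blob.
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"\xd0\xcf\x11\xe0": "ole/msi"}


def scan_html(data: bytes) -> dict:
    """Return download hints seen and every base64 blob that decodes cleanly,
    tagged with the file type its magic bytes suggest."""
    hints = [h.decode() for h in DOWNLOAD_HINTS if h in data]
    blobs = []
    for m in B64_RE.finditer(data):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not real base64
            continue
        kind = next((k for sig, k in MAGIC.items() if decoded.startswith(sig)), "unknown")
        blobs.append({"offset": m.start(), "size": len(decoded), "type": kind})
    # Heuristic (assumed threshold): a decodable blob plus at least two
    # download-related API hints is enough to pull the file for analysis.
    suspicious = bool(blobs) and len(hints) >= 2
    return {"hints": hints, "blobs": blobs, "suspicious": suspicious}


# Constructed test input: a fake "OneDrive" page carrying a ZIP-like blob
# (ZIP local-file-header magic followed by zero padding, not a real archive).
SAMPLE_PAYLOAD = b"PK\x03\x04" + b"\x00" * 200
SAMPLE_HTML = (
    b"<html><body><h1>OneDrive</h1><script>"
    b"var b='" + base64.b64encode(SAMPLE_PAYLOAD) + b"';"
    b"var blob=new Blob([Uint8Array.from(atob(b),c=>c.charCodeAt(0))]);"
    b"var a=document.createElement('a');a.href=URL.createObjectURL(blob);"
    b"a.download='SCAN-000000.zip';a.click();</script></body></html>"
)

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
```

Running it on a mail-gateway quarantine of .html attachments gives a quick list of files whose embedded blob starts with ZIP or MZ magic, which is exactly the delivery shape described above.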

Indicators of Compromise

  • [SHA256 Hash] – 72426e6b8ea42012675c07bf9a2895bcd7eae15c82343b4b71aece29d96a7b22, 6b2428fcf9e3a555a3a29fc5582baa1eda15e555c1c85d7bef7ac981d76b6068, and 5 more hashes
  • [HTML File] – SCAN-016063.html, SCAN-026764.html, and 5 more HTML files
  • [ZIP Archive] – SCAN-016063.zip, SCAN-026764.zip, and 5 more archives
  • [MSI Package] – SCAN-016063.pdf.msi, SCAN-026764.pdf.msi, and 5 more MSIs
  • [Domain] – telemetrysystemcollection[.]com, extic[.]icu, and 3 more domains
  • [IP Address] – 213.226.114[.]15, 144.208.127[.]245, and 3 more IPs

Read more: https://isc.sans.edu/diary/rss/28752