eSentire reports a rise in Matanbuchus loader activity from May to June 2024, with malvertising redirecting users to threat actor pages to download a ZIP that deploys the loader. The loader has historically delivered secondary payloads such as Danabot, Qakbot, and Cobalt Strike, and the article emphasizes defense-in-depth, user awareness of browser-based delivery, and blocking JavaScript/VBScript from downloaded content. #Matanbuchus #Danabot #Qakbot #CobaltStrike #BelialDemon #Malvertising
Keypoints
- The Matanbuchus loader re-emerged in 2024 (May to June) and has been used to deploy secondary payloads such as Danabot, Qakbot, and Cobalt Strike.
- Malvertising campaigns redirect users to attacker-controlled web pages where they are instructed to download a ZIP containing Matanbuchus; in recent cases, incidents were disrupted before secondary payloads were delivered.
- eSentire assesses with moderate confidence that a new Matanbuchus delivery campaign is underway, based on overlapping tactics and infrastructure across incidents.
- Defense guidance emphasizes defense-in-depth with network, endpoint, and log monitoring, plus user education about browser-based malware delivery and malvertising.
- Recommendations include blocking downloaded JavaScript/VBScript, enabling show-file-extensions, avoiding malicious ZIPs, and tightening open-with/script handling to prevent unintended execution.
- Historical context notes Matanbuchus was first identified in 2021 by BelialDemon as MaaS, suggesting multiple actors may currently use the tool; outcomes often lead to ransomware precursors like Danabot, Qakbot, or Cobalt Strike.
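As an added example that is not code from the eSentire advisory, the following PowerShell script audits the two host settings the recommendations above concern, which program opens Windows Script Host file types and whether Explorer hides file extensions, and remediates them when run with `-Remediate`. The registry paths and ProgIDs are standard Windows ones; remapping script types to notepad.exe is an assumed choice of safe handler.

```powershell
# Added example (not from the eSentire advisory). Audits, and with -Remediate fixes,
# the script-host file associations and the hidden-extensions setting that let a
# downloaded "report.pdf.js" look like a document and run when double-clicked.
# Run in an elevated PowerShell session; supports -WhatIf via ShouldProcess.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remediate)   # audit-only by default

# ProgIDs that Windows Script Host handles on a stock install.
# Assumption: notepad.exe is an acceptable safe handler in this environment.
$scriptProgIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile'
$safeHandler   = '"%SystemRoot%\System32\notepad.exe" "%1"'

$report = @(foreach ($progId in $scriptProgIds) {
    $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
    if (-not (Test-Path $key)) { continue }
    $current = (Get-Item -Path $key).GetValue('')          # default value = launch command
    $usesScriptHost = $current -match '[wc]script\.exe'
    if ($usesScriptHost -and $Remediate -and $PSCmdlet.ShouldProcess($key, 'Remap to Notepad')) {
        Set-ItemProperty -Path $key -Name '(default)' -Value $safeHandler
        $current = $safeHandler
        $usesScriptHost = $false
    }
    [pscustomobject]@{
        Setting = $progId
        Value   = $current
        Status  = if ($usesScriptHost) { 'EXPOSED: opens in Windows Script Host' } else { 'OK' }
    }
})

# HideFileExt = 1 hides known extensions, so "report.pdf.js" displays as "report.pdf".
$advKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hideExt = (Get-ItemProperty -Path $advKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hideExt -ne 0 -and $Remediate -and $PSCmdlet.ShouldProcess($advKey, 'Show file extensions')) {
    Set-ItemProperty -Path $advKey -Name HideFileExt -Value 0 -Type DWord
    $hideExt = 0
}
$report += [pscustomobject]@{
    Setting = 'Explorer HideFileExt'
    Value   = $hideExt
    Status  = if ($hideExt -ne 0) { 'EXPOSED: extensions hidden' } else { 'OK' }
}

$report | Format-Table -AutoSize
```

The HideFileExt change applies to the current user and takes effect after Explorer restarts; for fleet-wide enforcement the same values are normally pushed through Group Policy rather than per host.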
MITRE Techniques
- [T1189] Drive-by Compromise - Malvertising redirects users to threat actor controlled web pages where users are instructed to download a ZIP file. "Malicious web-browser advertisements (Malvertising) were used to direct users to threat actor controlled web pages."
- [T1204] User Execution - Malicious ZIP contents lead to deployment; "Users were instructed to download a ZIP file from the website. Extracting and interacting with the contents of the ZIP file results in deployment of Matanbuchus."
- [T1059.007] Command and Scripting Interpreter: JavaScript - The JavaScript file from the ZIP archive is used to download and execute an MSI payload; "Upon extracting and executing the JavaScript file from the ZIP archive, the script downloads and executes a Windows Installer package (MSI) which is used to deploy the Matanbuchus DLL payload."
- [T1105] Ingress Tool Transfer - The loader delivers the MSI payload via a downloaded script; "the script downloads and executes a Windows Installer package (MSI) which is used to deploy the Matanbuchus DLL payload."
- [T1036] Masquerading - Icon masquerading is used to disguise malicious files; "Icon masquerading is a common tactic employed by threat actors to disguise malicious files."
Indicators of Compromise
- [IP Address] Indicator - 194.67.193.205, 193.109.85.174
- [IP Address] Indicator - 8.209.103.236, 8.215.3.107
- [File Hash] Matanbuchus MSI Loader - 2981CCAE916613B8AADC9EF7F54EA5CA29A93558, and 2 more hashes
- [File Hash] Matanbuchus DLL Payload - BDB194484F54FF4DC85DF6D9CE6C61DB1580C2AA
- [URL] Fake Fund Claim URL - hxxps[://]treasuryfinance[.]org/report
Read more: https://www.esentire.com/security-advisories/matanbuchus-malware