Matanbuchus, a malware loader sold on the dark web under a Malware-as-a-Service (MaaS) model, has reappeared in a spear-phishing campaign that delivers it through malicious attachments.
The malware is attributed to the threat actor BelialDemon, who operates on a Russian-speaking cybercrime underground forum and marketplace and sells the malware for $2500. Victims around the globe include large universities, high schools and technology organizations.
The Matanbuchus loader has recently been observed in spam campaigns carrying a malicious .HTML attachment, written in JavaScript and HTML, with a base64-encoded payload embedded in it.
Once executed on the victim’s system, it downloads additional payloads from its C2 servers, including the infamous Cobalt Strike Beacon.
Initially, the spear-phishing email was delivered with a malicious .HTML attachment posing as a legitimate scanned document; it used the OneDrive icon to convince victims the file was genuine.
Researchers from CYFIRMA exclusively reported to Cyber Security News: “the email contains a malicious attachment in .HTML format having embedded base64 which on execution drops a zip file. Upon clicking the HTML attachment, it drops a zip archive file and this zip file contains an MSI file. On executing the MSI file, it shows the fake Adobe error message to the user while dropping the malicious dll file in the background.”
The malicious ZIP file, named Scan-23112.zip, is embedded in the HTML as base64-encoded JavaScript; clicking the attachment drops the ZIP into the Downloads folder, and from there the Matanbuchus malware is executed on the victim’s system.
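The delivery step described above, an HTML attachment whose JavaScript holds a base64-encoded ZIP, leaves a detectable artifact in the attachment itself. The following added example (not code from the original article or from CYFIRMA) scans an HTML file for long base64 runs, decodes them, and reports any that turn out to be a ZIP archive or an OLE/MSI blob, listing archive members with executable extensions. The sample attachment it builds is constructed for the example; the `build_sample_html`, `find_embedded_archives` and `is_suspicious` names are this example's own.

```python
import base64
import binascii
import io
import re
import zipfile

# Constructed sample attachment for this example: a tiny ZIP holding a placeholder
# "installer.msi" entry, base64-encoded into a <script> variable the way the
# smuggling pattern described above embeds its archive.
def build_sample_html() -> str:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("installer.msi", b"placeholder, not a real installer")
    encoded = base64.b64encode(buf.getvalue()).decode("ascii")
    return (
        '<html><body><img src="onedrive.png" alt="Scan">\n'
        f'<script>var payload = "{encoded}";</script>\n'
        "</body></html>\n"
    )

# Long unbroken base64 runs; real smuggled archives are far longer than this floor.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")

ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file header used by .msi
RISKY_EXT = (".msi", ".exe", ".dll", ".js", ".vbs", ".lnk", ".iso", ".img")

def find_embedded_archives(html: str) -> list:
    """Return one finding per base64 run that decodes to a ZIP or MSI blob."""
    findings = []
    for match in B64_RUN.finditer(html):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except binascii.Error:
            continue        # long run of base64 characters, but not valid base64
        if blob.startswith(ZIP_MAGIC):
            try:
                with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                    members = zf.namelist()
            except zipfile.BadZipFile:
                members = []    # ZIP header but damaged structure: still worth reporting
            findings.append({
                "kind": "zip",
                "offset": match.start(),
                "size": len(blob),
                "members": members,
                "risky_members": [m for m in members if m.lower().endswith(RISKY_EXT)],
            })
        elif blob.startswith(OLE_MAGIC):
            findings.append({"kind": "msi", "offset": match.start(), "size": len(blob),
                             "members": [], "risky_members": []})
    return findings

def is_suspicious(html: str) -> bool:
    """Flag any attachment carrying an embedded MSI or a ZIP with executable content."""
    return any(f["kind"] == "msi" or f["risky_members"]
               for f in find_embedded_archives(html))

if __name__ == "__main__":
    sample = build_sample_html()
    for finding in find_embedded_archives(sample):
        print(finding)
    print("suspicious:", is_suspicious(sample))
```

Run it against an attachment pulled from a mail gateway quarantine and it prints each embedded archive with its member list. The magic-byte check is deliberately independent of the filename or MIME type, since the whole point of the technique is that the gateway only ever sees an HTML document.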
Further analysis reveals an MSI installer packed inside the dropped ZIP file; the MSI carries a digital signature that was later revoked.
When the MSI file is executed, it pretends to configure an Adobe Font Pack and throws a fake error message.
Victims remain unaware of the background activity, in which the MSI file creates the AdobeFontPack folder and drops two files into it.
Soon after the MSI file loads main.dll, it establishes a connection with the C2 server and downloads a further payload, Cobalt Strike Beacon, which performs post-exploitation activities such as executing PowerShell scripts, logging keystrokes, taking screenshots, downloading files and spawning other payloads.
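On the endpoint, the chain above (msiexec.exe writing a DLL into a freshly created user-profile folder, then that DLL being loaded) is the observable that matters for detection. The following added example, which is not code from the original article, correlates constructed process and file-write telemetry to flag that sequence. The field names, the user paths, the installer filename and the rundll32 invocation (including the export name) are assumptions made for the example; the article itself names only the AdobeFontPack folder and main.dll, and does not say which process loads the DLL.

```python
from collections import defaultdict

# Constructed endpoint telemetry for this example. Field names, the user paths,
# the installer filename and the rundll32 invocation are assumptions; the only
# page-derived details are the AdobeFontPack directory and the main.dll name.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 100, "type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\installer.msi"},
    {"host": "ws01", "ts": 103, "type": "file", "image": r"C:\Windows\System32\msiexec.exe",
     "path": r"C:\Users\alice\AppData\Roaming\AdobeFontPack\main.dll"},
    {"host": "ws01", "ts": 104, "type": "file", "image": r"C:\Windows\System32\msiexec.exe",
     "path": r"C:\Users\alice\AppData\Roaming\AdobeFontPack\config.bin"},
    {"host": "ws01", "ts": 107, "type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\AdobeFontPack\main.dll,Entry"},
    # Benign install on another host: the MSI writes to Program Files and nothing loads it.
    {"host": "ws02", "ts": 200, "type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Installers\editor.msi"},
    {"host": "ws02", "ts": 202, "type": "file", "image": r"C:\Windows\System32\msiexec.exe",
     "path": r"C:\Program Files\Editor\editor.dll"},
]

USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")
LOADER_DIR = "adobefontpack"          # folder name reported for this campaign
DLL_HOSTS = ("rundll32.exe", "regsvr32.exe")
WINDOW_SECONDS = 300

def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)

def detect_msi_dll_sideload(events, window=WINDOW_SECONDS) -> list:
    """Correlate msiexec.exe writing a DLL into a user-writable folder with a
    rundll32/regsvr32 process loading that DLL shortly afterwards on the same host."""
    alerts = []
    drops = defaultdict(list)         # host -> [(ts, dll_path)]
    for ev in sorted(events, key=lambda e: (e["host"], e["ts"])):
        image = ev["image"].lower()
        if ev["type"] == "file" and image.endswith("msiexec.exe"):
            path = ev["path"]
            if path.lower().endswith(".dll") and _user_writable(path):
                drops[ev["host"]].append((ev["ts"], path))
        elif ev["type"] == "process" and image.endswith(DLL_HOSTS):
            cmd = ev["cmdline"].lower()
            for drop_ts, dll_path in drops[ev["host"]]:
                if 0 <= ev["ts"] - drop_ts <= window and dll_path.lower() in cmd:
                    alerts.append({
                        "host": ev["host"],
                        "dll": dll_path,
                        "loaded_by": ev["cmdline"],
                        "known_loader_dir": LOADER_DIR in dll_path.lower(),
                    })
    return alerts

def file_events_in_loader_dir(events) -> list:
    """Cheaper single-event check: any file written into a folder named AdobeFontPack."""
    return [ev["path"] for ev in events
            if ev["type"] == "file" and LOADER_DIR in ev["path"].lower()]

if __name__ == "__main__":
    for alert in detect_msi_dll_sideload(SAMPLE_EVENTS):
        print(alert)
    print(file_events_in_loader_dir(SAMPLE_EVENTS))
```

The correlation rule does not depend on the campaign's folder name, so it keeps working when the loader is rebuilt with a different decoy; the folder-name check is kept separately as a cheap, campaign-specific indicator that can be retired on its own.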