Matanbuchus Malware Description
The Matanbuchus Malware is a threatening loader that is being offered in a malware-as-a-service scheme (MaaS) on underground hacker forums and marketplaces. The creator of the Matanbuchus is a threat actor operating under the name BelialDemon. According to the sales pitch, would-be clients would have to pay an initial rental price of $2500 to gain access to the threat. The malware subset known as loaders are typically threats dropped in the early stages of the attack chain, and are responsible for fetching and then executing next-stage payloads on the compromised systems. In general, Matanbuchus sticks to its role with its main nefarious capabilities being - launching of .exe and .dll files in memory, executing PowerShell commands, using schtasks.exe to tamper with task schedules, and the ability to force stand-alone executables to load a specific DLL.
Initial Attack Vector
The infosec researchers at Palo Alto Networks' Unit 42 who discovered Matanbuchus also were able to determine the means used by hackers to deliver the threat. The initial vector for the attacks is a lure Microsoft Excel document that carries corrupted macros. Threat actors have shown a continued trend leaving behind the usual weaponized Microsoft Word documents and switching to Excel files. The explanation is quite simple - the built-in characteristics of Excel allow the threat actors to distribute their corrupted code throughout the spreadsheet cells of the document, achieving a level of obfuscation and making analysis and detection that much harder. When the user executes the Excel file and enables its macros, the compromised coding with the file will fetch a DLL file named 'ddg.dll' from a specific location (idea-secure-login[.]com). The file will then be saved on the victim's system as 'hcRlCTg.dll.' This is, in fact, the DLL file of the Matanbuchus Malware.
Matanbuchus Malware's Structure
The loader threat consists of two DLL files - MatanbuchusDroper.dll and Matanbuchus.dll. As its name suggests, the primary function of the first file is to deliver the main malware file. However, in addition, it also checks the native environment for sandboxes or debugging tools via GetCursorPos, IsProcessorFeaturePresent, cpuid, GetSystemTimeAsFileTime, and QueryPerformanceCounter. The next step is to download the primary Matanbuchus DLL under the guise of an XML file named 'AveBelial.xml.' The threat activates a persistence mechanism by generating a scheduled task to run the newly dropped DLL file.
Matanbuchus attempts to blend its files within the native system by using approximations of typical system file names. For example, instead of the legitimate shell32 or shell64, the threat names its main component shell96. It should be noted that the Matanbuchus.dll is similar to the other DLL file but the hackers have spent a lot more time in equipping it with additional obfuscation and encoding techniques to mask its strings and executable code.
Users and organizations should keep an eye out for the threat as it is already being leveraged in attack campaigns across the world. So far, the Matanbuchus Malware has been deployed against several different organizations with a large US university and a high school as well as a high tech organization from Belgium being among the victims.