There is a new phishing spam campaign making headlines in the cybersecurity world that delivers malware onto compromised machines. The malware is initiated by a phishing attack and delivered by “Matanbuchus,” specially designed to deliver DLL payloads, launch malicious PowerShell commands, and persist via additional task schedules. The attack is highly sophisticated and makes the use of malicious MSI installer files leading to an Adobe Acrobat installer running a beacon for Cobalt Strike in the background.
The following sections delve deeper into how the latest malware attack takes place.
How Does the Latest Cobalt Strike Attack Occur?
The phishing campaign is still happening and needs careful attention. You can protect yourself from the malspam campaign by understanding how it works.
The campaign’s centerpiece is an email that poses as a reply to a previous email and hence bears the prefix, “Re:” These emails also contain a ZIP file with an HTML (Hyper Text Markup Language) file, which in turn downloads another ZIP archive. When you open the HTML document, it resembles a fake Microsoft OneDrive page and downloads a ZIP file for an MSI package. The ZIP file extracts an MSI package for one “Westeast Tech Consulting, Corp.” and is also digitally signed by DigiCert.
Once you run the MSI installer, it initiates a setup for Adobe Acrobat, updating the Adobe Acrobat font catalog that will ultimately end with an error, misdirecting the device’s owner from what is really happening. The background activity is hiding two malicious Matanbuchus DLL payloads.
These “main.dll” payloads are dropped in separate locations, and a scheduled task creates a persistence of system reboots. In addition, a connection with the C2 (Command and Control) server is established. Matanbuchus loads a payload from the C2 server, initiating the Cobalt Strike, paving the way for wider system exploitation and attacks.
The Latest Cobalt Strike Phishing Campaign Report
The Matanbuchus campaign used to deliver the Cobalt Strike was reported on May 23, 2022, by DCSO. The Deutsche Cyber-Sicherheits Organization is a German cybersecurity organization based in Berlin.
DSCO reported how they analyzed a sample found on VirusTotal and discovered the Matanbuchus campaign where both Cobalt Strike and Qakbot were delivered to their devices. The attack followed the same structure, an MSI file bearing a valid DigiCert signature. However, in their case, the certificate was issued to “Advanced Access Services LTD” with a signing date of April 26, 2022. You can read in detail about the findings of DSCO’s report here.
What are Matanbuchus and Cobalt Strike, and Why are They a Cause of Concern?
Matanbuchus is a Malware-as-a-Service (MaaS) model used in the Cobalt Strike delivery campaign. The Matanbuchus Loader model became available on the dark web in February 2021, advertised by BelialDemon for a rental price of $2500. Matanbuchus is infamous for its ability to drop second-stage malware using Command and Control servers. Cybercriminals can use it to launch .exe or .dll files, leverage schtasks.exe for modifying task schedules, and launch PowerShell commands.
A cobalt strike, on the other hand, is a penetration product. Used by white hat hackers and software testers, cobalt strike allows you to deploy beacons on any machine, allowing various functionality. Cybercriminals widely employ Cobalt Strike due to its stable nature and high customizability.
In the case of the current Matanbuchus phishing campaign, the cobalt strike attack will enable cybercriminals to harm your devices in a variety of ways, including:
- Command Executions: The threat actor can execute commands on your device and change your device’s settings.
- Key Logging: The threat actor can also use cobalt strike to log keys, i.e., monitor all keystrokes to eavesdrop on what you are typing on your device.
- File Transfer: The threat actor can also transfer confidential and personal files, documents, and more.
- Privilege Escalation: The threat actor can also escalate their privileges on your home or organization’s network, gaining entrance into the secure perimeter and causing wider harm.
How to Keep Safe From the Cobalt Strike Campaign?
By avoiding them, you can easily keep yourself safe from the Matanbuchus and Cobalt Strike attacks. You can only achieve their avoidance by familiarizing yourself with how the attack occurs. Here are a few giveaways you can look out for:
- ZIP file attachments: The campaign relies on emails posing as replies and bears the “Re.” in the subject. Furthermore, the email carries a ZIP attachment that extracts itself as an HTML file. If you come across a similar combination, you should half there as you might be heading right into the attack campaign.
- Fake OneDrive Page: If, by any chance, you open the HTML page, it is easily recognizable as a fake as it disguises itself as a OneDrive page that downloads an MSI package on your device.
- DigiCert Certificate: All the MSI files in the campaign have been issued a digital certificate by DigiCert that can be checked via the MSI file’s properties. The organization for which the certificate has been issued might be different but is signed by DigiCert only.
If you come across any of the above warning signs, you should stop further interaction with the files as you might be a victim of the latest Matanbuchus cobalt strike phishing attack campaign. Furthermore, having a sandbox to run files safely and an anti-virus product can prove significantly helpful as these can detect most malware and hidden downloads. The latest Matanbuchus malspam campaign has also been noted by threat analyst Brad Duncan. You can view his take on the cobalt strike malspam campaign here.
Cybersecurity is a great cause of concern these days for organizations and individuals alike. With the advancements in security, threat actors are also adamant about using advanced tools and methods for malicious purposes.
The latest malspam campaign is not to be taken lightly. The Matanbuchus campaign is currently ongoing and can affect your devices to cause all kinds of trouble. There has not been any official direction or recognition of the attacker behind the campaign, so it would be best to take precautionary measures and avoid emails and files resembling the attack’s pattern altogether.