Hackers Exploit Microsoft Teams to Distribute Malware

Cybersecurity experts have identified an updated version of the malware loader Matanbuchus, now enhanced with advanced evasion techniques. Originally launched in 2021 as a malware-as-a-service for $2,500, Matanbuchus is used to deploy other malicious software, including Cobalt Strike and ransomware. The latest iteration, Matanbuchus 3.0, features improved communication methods, in-memory code hiding, and support for CMD and PowerShell reverse shells. It is currently marketed at $10,000 per month for the HTTPS version and $15,000 for the DNS version.

Matanbuchus 3.0 has been observed in attacks involving social engineering tactics, such as fake Microsoft Teams calls, to trick users into executing PowerShell scripts that install the malware. Once active, it gathers system information, checks for security tools, and communicates with a command-and-control server to download additional payloads. The loader employs sophisticated techniques like COM object hijacking and shellcode injection to maintain persistence and evade detection.

Its ability to launch regsvr32 and msiexec, alongside other LOLBins and PowerShell stagers, underscores the threat it poses. As malware-as-a-service evolves, Matanbuchus 3.0 exemplifies a trend towards stealthy loaders that exploit enterprise collaboration tools, posing significant challenges for cybersecurity defenses.
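
As an added detection example (not code from the report or from this post), the Python below flags the behaviours described above in simplified process-creation and registry events: a PowerShell or cmd stager spawning regsvr32/msiexec, a LOLBin handed a remote payload path, and a per-user COM InprocServer32 registration of the kind used for COM object hijacking. The event schema, the LOLBin list and the sample records are assumptions constructed for illustration, not real telemetry.

```python
import re

LOLBINS = {"regsvr32.exe", "msiexec.exe", "rundll32.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Remote payload fetch (http/https URL or UNC path) on a LOLBin command line.
REMOTE = re.compile(r"(https?://|\\\\[^\\\s]+\\)", re.IGNORECASE)
# Per-user COM registration: HKCU\Software\Classes\CLSID\{...}\InprocServer32
COM_HIJACK = re.compile(r"^HKCU\\Software\\Classes\\CLSID\\\{[0-9A-F-]+\}\\InprocServer32", re.IGNORECASE)

def _base(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyze(event):
    """Return a reason string if the event trips a rule, else None."""
    if event["type"] == "process":
        child, parent = _base(event["image"]), _base(event["parent_image"])
        if child in LOLBINS and parent in SHELLS:
            return f"{child} spawned by {parent}"
        if child in LOLBINS and REMOTE.search(event.get("cmdline", "")):
            return f"{child} given a remote path on its command line"
    elif event["type"] == "registry" and COM_HIJACK.match(event["key"]):
        return "per-user COM InprocServer32 registration (possible COM hijack)"
    return None

def find_suspicious(events):
    """Return [(event_id, reason), ...] for every event that trips a rule."""
    hits = [(ev["id"], analyze(ev)) for ev in events]
    return [h for h in hits if h[1]]

# Constructed sample telemetry (assumed schema; not taken from the report).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe", "cmdline": r"msiexec /i C:\Temp\setup.msi"},
    {"id": 2, "type": "process", "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\regsvr32.exe", "cmdline": r"regsvr32 /s C:\Users\Public\update.dll"},
    {"id": 3, "type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe", "cmdline": "msiexec /q /i https://example.invalid/pkg.msi"},
    {"id": 4, "type": "registry",
     "key": r"HKCU\Software\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32"},
    {"id": 5, "type": "registry", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit)
```

Event 1 (a local MSI launched from Explorer) and event 5 (a machine-wide Run key) are left alone; only events 2, 3 and 4 are reported, so the rules stay narrow enough to be tuned against real baselines.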

Stay secure — stay Wavasec. 🔐