Malware Variant Delivering Cobalt Strike Beacons via Spam Campaigns
Researchers discovered that Matanbuchus, a malware loader, was available on Russian-speaking cybercrime forums for a rental price of $2500 from February 2021.
Recently, Cyble Research Labs came across a Twitter post where a researcher observed this malware spreading through spam campaigns. Additionally, it downloads Cobalt Strike Beacons as payloads in compromised systems. Figure 1 shows the infection chain of the Matanbuchus malware.
The Matanbuchus infection starts through spam emails containing a ZIP attachment. This ZIP attachment contains an HTML file.
Upon executing the HTML file, it decodes the base64 content embedded in the file and drops a ZIP file in the Downloads folder.
However, the HTML file also contains code indicating that the ZIP file is hosted at a OneDrive location, as shown below.
The ZIP file contains an MSI installer. Once extracted and executed, the MSI file displays a fake error message, as shown below.
However, in the background, the MSI installer drops a Dynamic Link Library (DLL) and VBS file in the following locations.
The malware uses the VBS file to show fake error messages.
Additionally, the malware downloads another DLL file with an NLS extension from https[:]//telemetrysystemcollection[.]com to the following location: C:\Users\<Admin>\AppData\Local\x86\<4-digit Hex Value>.nls
The downloaded file is a copy of main.dll, which is another way to get the latest version of this malware from the remote server.
After dropping the DLL files, the MSI file launches regsvr32.exe and loads the malicious main.dll file to download the actual Matanbuchus malware.
The below figure shows the process chain of the MSI file.
We used the following sample (SHA256) for analysis: 14debc481aa0a26d3a0bdeed0e56b3ae9e301220f2606aae624d57a9d0617d6f
We found that the malicious binary is a 32-bit DLL file based on static analysis.
The main function of the dropped DLL (main.dll) is to act as a loader and download the actual Matanbuchus DLL from the C&C server.
Before downloading the DLL file, it calls APIs such as IsProcessorFeaturePresent(), GetSystemTimeAsFileTime(), IsDebuggerPresent(), QueryPerformanceCounter() and the cpuid instruction to ensure that the malware is not running under a controlled environment such as VMware, a sandbox, etc.
The malware executes an export function called HackCheck(), which runs a decryption loop on encrypted strings and prints the output using the OutputDebugStringA() API. The below figure shows the encrypted string and decryption code.
To establish persistence, the malware creates a scheduled task to run the 8c01.nls file with a specific function by using the following command line.
- %windir%\system32\regsvr32.exe -n -i:"UpdateСheck" "C:\Users\<Admin>\AppData\Local\x86\8c01.nls"
This scheduled task checks the malware version and downloads the latest version from the remote server every 60 seconds.
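As an added example (not part of the original analysis), the following Python checks process-creation records for the persistence pattern just described: regsvr32.exe invoked with a custom -i: install argument on a non-DLL module under the user's AppData\Local directory. The events are constructed, not real logs; the user name and vendor paths are placeholders.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style), not real logs.
# The first mirrors the scheduled-task command line described above.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'C:\Windows\system32\regsvr32.exe -n -i:"UpdateCheck" '
                    r'"C:\Users\alice\AppData\Local\x86\8c01.nls"',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",          # benign installer
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",           # unrelated process
     "CommandLine": r"msiexec.exe /i installer.msi",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Last drive-letter path on the command line (the module regsvr32 will load).
MODULE_RE = re.compile(r'([A-Za-z]:\\[^"]+\.[A-Za-z0-9]+)"?\s*$')
INSTALL_ARG_RE = re.compile(r"\s[-/]i:", re.IGNORECASE)


def score_regsvr32(event):
    """Return the reasons an event matches the Matanbuchus regsvr32 pattern.

    An empty list means the event is not regsvr32 or shows none of the traits.
    """
    reasons = []
    if not event["Image"].lower().endswith("regsvr32.exe"):
        return reasons
    cmd = event["CommandLine"]
    m = MODULE_RE.search(cmd)
    module = m.group(1).lower() if m else ""
    if INSTALL_ARG_RE.search(cmd):
        reasons.append("custom DllInstall argument (-i:)")
    if "\\appdata\\local\\" in module:
        reasons.append("module loaded from user AppData")
    if module and not module.endswith(".dll"):
        reasons.append("non-DLL extension: " + module.rsplit(".", 1)[-1])
    return reasons


def find_suspicious(events):
    """Pair each flagged command line with the reasons it was flagged."""
    return [(e["CommandLine"], r) for e in events if (r := score_regsvr32(e))]


if __name__ == "__main__":
    for cmd, why in find_suspicious(SAMPLE_EVENTS):
        print(cmd, "->", "; ".join(why))
```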
Then, the malware connects to the below URL and receives this base64-encoded response:
The decoded base64 content is an XOR-encrypted binary, which the malware decrypts using the hardcoded key FuHZu4rQgn3eqLZ6FB48Deybj49xEUCtDTAmF.
The decrypted content is the actual Matanbuchus malware that will be mapped into the same process and executed using the export function DllRegisterServer.
The below figure shows the URL, XOR key, and export function names during runtime.
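To illustrate the base64-then-XOR layering described above, here is an added Python decoder (not code from the original analysis) that reverses it: base64-decode the C&C response, XOR it with the hardcoded key quoted above, and sanity-check that the result is a PE image. The sample response is constructed from a minimal MZ/PE stub, not real malware.

```python
import base64

# Hardcoded repeating XOR key reported for the main.dll sample above.
XOR_KEY = b"FuHZu4rQgn3eqLZ6FB48Deybj49xEUCtDTAmF"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_stage2(b64_response: str, key: bytes = XOR_KEY) -> bytes:
    """Recover the second-stage DLL from a captured base64 C&C response."""
    blob = base64.b64decode(b64_response)
    return xor_with_key(blob, key)


def looks_like_pe(data: bytes) -> bool:
    """Check for an MZ header and a PE signature at the e_lfanew offset (0x3C).

    A wrong key produces random bytes, so this is a cheap correctness test.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\0\0"


def build_fake_response() -> str:
    """Constructed sample: a minimal MZ/PE stub (not real malware), XOR-encrypted
    with the key and base64-encoded the way the C&C response is described."""
    stub = bytearray(b"MZ" + b"\0" * 0x3A)        # DOS header up to e_lfanew
    stub += (0x40).to_bytes(4, "little")           # e_lfanew -> PE header at 0x40
    stub += b"PE\0\0" + b"\0" * 16                 # PE signature plus padding
    return base64.b64encode(xor_with_key(bytes(stub), XOR_KEY)).decode()


if __name__ == "__main__":
    dll = decode_stage2(build_fake_response())
    print("recovered PE:", looks_like_pe(dll), "size:", len(dll))
```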
The below figure shows the hardcoded strings related to Matanbuchus present in the memory of regsvr32.exe. This indicates that the actual payload is loaded and executed in the memory without ever dropping it on the disk.
The Matanbuchus payload is responsible for executing other exe payloads as well as loading and executing shellcodes and malicious DLL files.
The Matanbuchus payload connects to the C&C server hxxp://collectiontelemetrysystem[.]com/cAUtfkUDaptk/ZRSeiy/requets/index.php and sends a base64-encoded POST request.
The decoded base64 content is in JSON, as shown in Figure 13.
The JSON values are encrypted with an RC4 key and then base64-encoded; they are decrypted on the server side. This gives the TA (threat actor) victim details such as the MAC address, computer name, etc.
Finally, Matanbuchus malware downloads two Cobalt Strike Beacons from the C&C servers.
First Cobalt-Strike Beacon:
The malware first downloads a file "cob23_443.txt" from hxxp://144.208.127[.]245/cob23_443.txt. This file holds hex-encoded content that the malware converts to ASCII before downloading the Cobalt Strike Beacon from hxxps://extic[.]icu/empower/type.tiff.
The below figure shows the network communication which downloads the first Cobalt Strike Beacon.
Second Cobalt-Strike Beacon:
After downloading the first beacon, Matanbuchus downloads a second Cobalt Strike DLL file named “cob_220_443.dll” from another URL:
The below figure shows the network communication that downloads the second Cobalt Strike Beacon.
The Matanbuchus malware executes the following C&C commands.
- Running exe
- Starting the exe with parameters
- High start exe
- RunDll32 & Execute
- Regsvr32 & Execute
- Run CMD in memory
- Run PS in memory
- MemLoadDllMain || MemLoadExe
- MemLoadShellCode #2
- Running dll in memory #2 (DllRegisterServer)
- Running dll in memory #3 (DllInstall(Install))
- Running dll in memory #3 (DllInstall(Unstall))
- Crypt update & Bots upgrade
Threat Actors use various techniques to deploy their malicious payloads onto a victim's system. In this case, we observed the TAs using the Matanbuchus malware loader to deliver Cobalt Strike Beacons.
Cyble Research Labs will closely monitor the Matanbuchus malware group and other TAs and analyze them to better understand their motivations and TTPs.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Avoid downloading files from unknown websites.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats such as phishing and untrusted URLs.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solution on the employees’ systems.
MITRE ATT&CK® Techniques
|Tactic|Technique ID|Technique Name|
|---|---|---|
|Execution|T1204|User Execution|
|Execution|T1059|Command and Scripting Interpreter|
|Defence Evasion|T1497|Virtualization/Sandbox Evasion|
|Lateral Movement|T1021|Remote Services|
|Command and Control|T1071|Application Layer Protocol|
Indicators of Compromise (IOCs)
|Indicators|Indicator Type|Description|
|---|---|---|
| | |Email Attachment ZIP file|
| | |ZIP file from HTML|
| | |1st Cobalt Strike Payload|
| | |2nd Cobalt Strike Payload|
| | |DLL file from XORed file|
|hxxps://extic[.]icu/empower/type.tiff|URL|1st Cobalt Strike URL|