Microsoft Teams Under Attack: Hackers Deploy Matanbuchus 3.0 Malware
- John Jordan
- Jul 17
- 3 min read
Cybersecurity researchers have uncovered a new campaign where hackers are exploiting Microsoft Teams to distribute the sophisticated Matanbuchus 3.0 malware. This highly targeted attack involves impersonating IT support to gain remote access, ultimately leading to the deployment of dangerous payloads like Cobalt Strike or ransomware within organizations.

Teams Targeted: New Malware Campaign Leverages Microsoft Teams for Matanbuchus 3.0 Distribution
Security experts are sounding the alarm about a cunning new cyberattack vector: Microsoft Teams. An unidentified hacking group is meticulously selecting its victims, then initiating contact via Teams, masquerading as an external IT support team. Their objective is to convince the target that their device has an issue requiring immediate remote access for a fix. This social engineering tactic, combined with the careful selection of victims, significantly increases the likelihood of success.
Key Takeaways
- Hackers are using Microsoft Teams to impersonate IT support and trick employees into granting remote access.
- The campaign deploys Matanbuchus 3.0, a malware loader capable of delivering Cobalt Strike beacons or ransomware.
- Matanbuchus 3.0 is a sophisticated malware-as-a-service (MaaS) offering with enhanced stealth and evasion capabilities.
- Similar social engineering tactics have been previously linked to the Black Basta ransomware operation.
The Matanbuchus 3.0 Threat
Once remote access is secured, typically through tools like Quick Assist, the attackers execute a PowerShell script to deploy Matanbuchus 3.0. This malware loader is a critical first step, paving the way for more destructive payloads such as Cobalt Strike beacons or even ransomware. Morphisec CTO Michael Gorelik explained that victims are persuaded to execute a script that downloads an archive containing a renamed Notepad++ updater, a modified configuration XML file, and the malicious Matanbuchus loader DLL.
First observed in 2021, Matanbuchus has evolved significantly. The latest iteration, Matanbuchus 3.0, boasts several new features:
- Improved communication protocols
- In-memory capabilities
- Enhanced obfuscation methods
- CMD and PowerShell reverse shell support
- Ability to run next-stage DLL, EXE, and shellcode payloads
This advanced malware-as-a-service is now advertised for a monthly price of $10,000 for the HTTPS version and $15,000 for the DNS version, reflecting its increased sophistication and value to cybercriminals.
Attack Methodology and Evolution
The delivery methods for Matanbuchus have diversified over time, moving from phishing emails and compromised sites to malicious MSI installers and malvertising. The current campaign's use of Microsoft Teams represents a new, highly effective social engineering approach. Once launched, Matanbuchus 3.0 gathers system information, checks for security tools, and communicates with a command-and-control (C2) server to receive additional payloads. Persistence on the compromised system is achieved by setting up a scheduled task, often through sophisticated COM object manipulation and shellcode injection.
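The two artefacts the article describes, a renamed legitimate updater dropped next to a malicious DLL and persistence through a scheduled task, are both visible from the endpoint. The script below is an added, defender-side example written for this page; it is not code from the article, from Morphisec, or from the campaign. It enumerates scheduled tasks, flags any whose action launches a binary from a user-writable directory, and checks whether that binary has been renamed by comparing its on-disk name with the OriginalFilename stored in its PE version resource, listing the DLLs beside it as sideload candidates. The set of user-writable roots, the decision to inspect only the first argument token, and the assumption that the Notepad++ updater's original file name is gup.exe are all this example's own choices, not facts stated in the article.

```powershell
# Added defender-side example: hunt scheduled-task persistence that launches
# renamed binaries from user-writable paths (DLL sideloading indicator).
# Run in an elevated PowerShell session to see tasks from all users.

# Assumption: these roots are treated as user-writable staging locations.
$UserWritableRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

# Assumption: original file name of the Notepad++ updater (WinGUP); extend as needed.
$KnownSideloadHosts = @('gup.exe')

function Test-UserWritablePath {
    param([string]$Path)
    foreach ($root in $UserWritableRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Compare the on-disk file name with the PE version resource's OriginalFilename.
# A mismatch means the executable was renamed after it was built.
function Get-RenamedBinaryFinding {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $null }
    $orig = (Get-Item -LiteralPath $Path).VersionInfo.OriginalFilename
    if (-not $orig) { return $null }                      # no version resource: nothing to compare
    $onDisk = [System.IO.Path]::GetFileName($Path)
    if ($orig.Trim() -ieq $onDisk) { return $null }       # name matches, not renamed
    $dir = Split-Path -Parent $Path
    [pscustomobject]@{
        Path              = $Path
        OriginalFilename  = $orig.Trim()
        KnownSideloadHost = ($KnownSideloadHosts -contains $orig.Trim().ToLower())
        # DLLs in the same folder are the candidates a renamed host would load.
        AdjacentDlls      = (Get-ChildItem -LiteralPath $dir -Filter *.dll -ErrorAction SilentlyContinue).Name -join ','
    }
}

# Expand environment variables and strip surrounding quotes from a task action path.
function Resolve-ActionPath {
    param([string]$Raw)
    if (-not $Raw) { return $null }
    return [Environment]::ExpandEnvironmentVariables($Raw.Trim().Trim('"'))
}

# Pull the first token of the argument string (quoted or bare). Tasks that run
# powershell.exe or rundll32.exe usually carry the real payload path there.
function Get-FirstArgumentToken {
    param([string]$Arguments)
    if (-not $Arguments) { return $null }
    if ($Arguments -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Arguments -split '\s+', 2)[0]
}

function Find-SuspiciousTaskActions {
    $results = foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }        # COM-handler actions have no Execute
            $candidates = @(Resolve-ActionPath $action.Execute)
            $firstArg = Resolve-ActionPath (Get-FirstArgumentToken $action.Arguments)
            if ($firstArg) { $candidates += $firstArg }

            foreach ($candidate in $candidates | Where-Object { $_ }) {
                $inUserWritable = Test-UserWritablePath $candidate
                $renamed = Get-RenamedBinaryFinding $candidate
                if (-not $inUserWritable -and -not $renamed) { continue }
                [pscustomobject]@{
                    TaskPath         = $task.TaskPath
                    TaskName         = $task.TaskName
                    Author           = $task.Author
                    Registered       = $task.Date
                    Execute          = $action.Execute
                    Arguments        = $action.Arguments
                    Candidate        = $candidate
                    InUserWritable   = $inUserWritable
                    OriginalFilename = if ($renamed) { $renamed.OriginalFilename } else { $null }
                    KnownSideloadHost = if ($renamed) { $renamed.KnownSideloadHost } else { $false }
                    AdjacentDlls     = if ($renamed) { $renamed.AdjacentDlls } else { $null }
                }
            }
        }
    }
    return $results
}

Find-SuspiciousTaskActions | Sort-Object KnownSideloadHost, InUserWritable -Descending | Format-List
```

Treat the output as a triage list rather than a verdict: legitimate per-user updaters also run from %LOCALAPPDATA%, so the strongest signal is the combination of a user-writable path, a renamed host binary, and a DLL sitting beside it. Pair this with Teams audit logs for external-tenant chats and with Quick Assist session events to reconstruct the initial access described above.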
While the specific attackers remain unidentified, the social engineering tactics employed bear a resemblance to those previously used by the notorious Black Basta ransomware group. This ongoing evolution of malware-as-a-service, leveraging legitimate tools and advanced evasion techniques, underscores the critical need for robust cybersecurity defenses and employee awareness training.
As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.
Sources
Hackers hijack Microsoft Teams to spread malware to certain firms - find out if you're at risk, TechRadar.
Hackers Leverage Microsoft Teams to Spread Matanbuchus 3.0 Malware to Targeted Firms, The Hacker News.