Threat researchers have discovered a new phishing campaign delivering Matanbuchus malware to drop Cobalt Strike beacons on compromised machines. Cobalt Strike is frequently used by threat actors for lateral movement and to drop additional payloads. Matanbuchus was first seen by researchers in February 2021 when it was advertised on dark web markets as a loader that launches executables directly into system memory. This new phishing campaign attempts to trick users by putting “RE:” in the subject line to make individuals feel it is from a conversation they’ve already engaged in. The emails have a ZIP attachment with an HTML file that eventually extracts an MSI package digitally signed with a valid certificate issued by DigiCert for “Westeast Tech Consulting, Corp.” In the background, two Matanbuchus payloads are dropped in two different locations, a scheduled task is created to maintain persistence across system reboots, and a Cobalt Strike payload is loaded from the Command and Control (C2) server. From there, the threat actor can perform other post-exploitation attacks.
New Phishing Attack Infects Devices with Cobalt Strike
The best way to prevent these types of attacks is to educate employees on what to look for in phishing emails, and to explain that HTML files are not typically sent within an organization, so receiving one should make them skeptical. Using an endpoint monitoring service, such as Binary Defense's Managed Detection and Response, helps prevent attacks: they are recognized quickly when they begin and quarantined before they can spread through the network.
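As an added example (not code from the original article or from Binary Defense), the following Python script shows two defender-side checks that map onto the delivery chain described above: a mail-gateway heuristic that flags a message whose subject claims to be a reply but carries no threading headers and whose ZIP attachment contains an HTML file, and an endpoint heuristic that flags scheduled-task creation events whose action runs from a user-writable directory. The message and event shapes, the dictionary field names, and all sample data are constructed for the example; the event structure is only an assumed, simplified stand-in for a Windows Security 4698 (scheduled task created) record, not a real log format.

```python
"""Added example (not from the original article): two defender-side heuristics
for the phishing chain described above.

1. mail_attachment_findings(): fake "RE:" reply (no In-Reply-To / References
   headers) plus a ZIP attachment containing an HTML file.
2. scheduled_task_findings(): scheduled-task creation whose action executes
   from a user-writable directory (persistence step). The event dict shape is
   an assumed simplification of a Windows Security 4698 record.

All sample data below is constructed for the example.
"""
import io
import zipfile

HTML_SUFFIXES = (".html", ".htm")
# Assumed list of path fragments that indicate user-writable locations.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def zip_member_names(zip_bytes):
    """Return member names of an in-memory ZIP, or [] if it is not a valid archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def mail_attachment_findings(message):
    """message: dict with 'subject', 'headers' (dict) and 'attachments' ({name: bytes})."""
    findings = []
    subject = message.get("subject", "").strip()
    headers = {k.lower(): v for k, v in message.get("headers", {}).items()}
    # A genuine reply normally carries In-Reply-To or References headers.
    fake_reply = subject.lower().startswith("re:") and not (
        "in-reply-to" in headers or "references" in headers)
    if fake_reply:
        findings.append("subject claims a reply but no threading headers present")
    for name, data in message.get("attachments", {}).items():
        if name.lower().endswith(".zip"):
            html_members = [m for m in zip_member_names(data)
                            if m.lower().endswith(HTML_SUFFIXES)]
            if html_members:
                findings.append(f"ZIP attachment {name!r} contains HTML: {html_members}")
    return findings


def scheduled_task_findings(events):
    """events: list of dicts {'event_id': int, 'task_name': str, 'command': str}."""
    findings = []
    for ev in events:
        if ev.get("event_id") != 4698:  # only scheduled-task creation events
            continue
        cmd = ev.get("command", "").lower()
        if any(marker in cmd for marker in USER_WRITABLE_MARKERS):
            findings.append(
                f"task {ev['task_name']!r} runs from user-writable path: {ev['command']}")
    return findings


def build_sample_zip(members):
    """Build a small in-memory ZIP from {name: text} for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample input: a fake-reply message with a ZIP containing HTML.
SAMPLE_MESSAGE = {
    "subject": "RE: invoice for last month",
    "headers": {"From": "sender@example.invalid", "To": "user@example.invalid"},
    "attachments": {"documents.zip": build_sample_zip({"invoice.html": "<html>...</html>"})},
}

# Constructed sample events: one benign task, one running from a Temp directory.
SAMPLE_EVENTS = [
    {"event_id": 4698, "task_name": "OneDrive Update",
     "command": r"C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe"},
    {"event_id": 4698, "task_name": "Updater",
     "command": r"C:\Users\alice\AppData\Local\Temp\stage\loader.dll"},
]

if __name__ == "__main__":
    for finding in mail_attachment_findings(SAMPLE_MESSAGE) + scheduled_task_findings(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Both heuristics are intentionally narrow so they can be tuned: the mail check will also fire on legitimate replies sent by clients that strip threading headers, and the task check depends on the path list, so either should feed a triage queue rather than block on its own.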