Hackers hijack Microsoft Teams to spread malware to certain firms – find out if you’re at risk

Expensive malware-as-a-service

Once the access is granted, usually through Quick Assist, the attackers execute a PowerShell script that deploys Matanbuchus 3.0, a malware loader that can lead to Cobalt Strike beacons, or even ransomware.

“Victims are carefully targeted and persuaded to execute a script that triggers the download of an archive,” Morphisec CTO Michael Gorelik said. “This archive contains a renamed Notepad++ updater (GUP), a slightly modified configuration XML file, and a malicious side-loaded DLL representing the Matanbuchus loader.”

This malware was first spotted in 2021, The Hacker News reports, where cybercriminals advertised it on Russian-speaking forums for $2,500. Since then, the malware has evolved to include new features, better communication, more stealth, CMD and PowerShell support, and more. It also apparently costs more, now having a monthly service price of $10,000 for the HTTPS version and $15,000 for the DNS version.

While the researchers do not identify the attackers, they did say that similar social engineering tactics were used in the past by a group called Black Basta to deploy ransomware.

In the past, Black Basta was one of the most dangerous ransomware operations in existence, but has since then slowly phased out. In late February this year, a cybercriminal released chat logs that detailed the inner workings of the group.

Via The Hacker News

You might also like

• Top ransomware gang’s internal chat logs leaked online
• Take a look at our guide to the best authenticator app
• We’ve rounded up the best password managers