Full Report
The Matanbuchus malware loader has been seen being distributed through social engineering over Microsoft Teams calls impersonating IT helpdesk. [...]
Analysis Summary
# Tool/Technique: Matanbuchus Malware
## Overview
Matanbuchus is a sophisticated malware family that has been observed being deployed via abuse of Microsoft Teams voice calls. It has evolved to include various anti-analysis and evasion techniques.
## Technical Details
- Type: Malware family
- Platform: Windows (Implied by syscall execution referencing Windows API)
- Capabilities: Execution of various payloads (CMD, PowerShell, EXE, DLL, shellcode), extensive system information gathering, evasion of security controls using syscalls and obfuscation.
- First Seen: Not explicitly stated, but references an evolved version (3.0).
## MITRE ATT&CK Mapping
The description strongly suggests techniques related to execution, defense evasion, and discovery. Specific mappings based on described functionality:
- **TA0001 - Initial Access**
- T1566.004 - Phishing: Spearphishing Voice (Teams voice call in which the caller poses as the IT helpdesk and talks the user into running the loader)
- **TA0005 - Defense Evasion**
- T1027.007 - Obfuscated Files or Information: Dynamic API Resolution (MurmurHash3 hashes of API names in place of import strings)
- T1055 - Process Injection (only implied: the loader can run shellcode, but the text does not say whether it does so in a remote process)
- T1036 - Masquerading (weakly supported; inferred from the general effort to hide execution)
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter (execution of CMD and PowerShell payloads)
- T1106 - Native API (direct system calls instead of the documented Win32/ntdll wrappers)
- T1204 - User Execution (the victim launches the payload during the Teams call)
- **TA0007 - Discovery**
- T1082 - System Information Discovery (OS build, domain, elevation status)
- T1033 - System Owner/User Discovery (username)
- T1518.001 - Software Discovery: Security Software Discovery (enumeration of running EDR/AV processes)
## Functionality
### Core Capabilities
- **Execution:** Capable of running command-line commands (`CMD`), scripts (`PowerShell`), and executing executable files (`EXE`, `DLL`), and raw `shellcode` payloads.
- **Information Gathering:** Collects crucial system details: username, domain, OS build information, running security products (EDR/AV processes), and process elevation status (admin vs. regular user).
- **Delivery Vector:** Abused Microsoft Teams voice calls, with the caller posing as the IT helpdesk, as the initial delivery vector. This is social engineering, not exploitation of a Teams vulnerability.
### Advanced Features
- **Anti-Sandbox/Evasion:** Includes new anti-sandbox verification routines targeting specific locales.
- **Direct Syscalls:** Invokes NT system calls through its own `syscall` stubs in shellcode rather than through the exported ntdll/Win32 wrappers, so the user-mode hooks an EDR places on those wrappers are never executed and the hooked actions go unobserved by them.
- **API Obfuscation:** Resolves Windows API functions at runtime by comparing `MurmurHash3` (a non-cryptographic hash) hashes of export names against constants embedded in the loader, so no API names appear in the import table or as strings, hindering static analysis and reverse engineering.
- **Adaptive Payload Delivery:** The choice of execution methods sent from the C2 server is dependent on the victim's current security stack.
- **In-Memory Operation:** Malware is reported to be launched in memory after the initial compromise phase.
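As an added illustration of the API-hashing technique above (example code written for this summary, not code from the Matanbuchus sample or the Morphisec analysis): a MurmurHash3 x86_32 implementation, the loader-side lookup that finds an export by hash, and the analyst-side reverse lookup that turns hash constants recovered from a binary back into names. The seed value, the ASCII/no-case-folding input convention, the export table and the addresses are assumptions for the example; the real sample's seed and conventions have to be recovered from the binary.

```python
"""MurmurHash3-based API hashing: how a loader resolves imports without
import-table strings, and how an analyst reverses the hashes.

Added example for this summary; not code from the Matanbuchus sample or the
Morphisec report. The seed, the ASCII/no-case-folding input convention and
the fake export table are assumptions for illustration.
"""
from typing import Dict, Iterable, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (Austin Appleby's reference algorithm)."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):                      # 4-byte little-endian blocks
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & MASK32
        k = _rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
        h = _rotl32(h, 13)
        h = (h * 5 + 0xE6546B64) & MASK32
    tail = data[4 * nblocks:]                     # up to 3 trailing bytes
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & MASK32
        k = _rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
    h ^= len(data)                                # finalisation mix (fmix32)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


# Constructed stand-in for ntdll's export table (name -> address). A real
# loader walks the PE export directory of the module already in memory.
FAKE_EXPORTS: Dict[str, int] = {
    "NtAllocateVirtualMemory": 0x7FFE10001000,
    "NtProtectVirtualMemory": 0x7FFE10001100,
    "NtWriteVirtualMemory": 0x7FFE10001200,
    "NtCreateThreadEx": 0x7FFE10001300,
    "RtlGetVersion": 0x7FFE10001400,
}
SEED = 0x1337  # assumption for the example; the real seed comes from the sample


def loader_resolve(wanted_hash: int, exports: Dict[str, int],
                   seed: int = SEED) -> Optional[int]:
    """Loader side: hash every export name and compare it with a 32-bit
    constant embedded in the binary. Only the constant is present in the
    code, so the API name never appears as a string."""
    for name, addr in exports.items():
        if murmur3_32(name.encode("ascii"), seed) == wanted_hash:
            return addr
    return None


def analyst_reverse(hashes: Iterable[int], candidate_names: Iterable[str],
                    seeds: Tuple[int, ...] = (0, SEED)) -> Tuple[Dict[int, str], List[int]]:
    """Analyst side: precompute hashes of known export names under each
    candidate seed and map constants pulled from the binary back to names.
    Unmatched constants are returned so the name list (or seed set) can grow."""
    table: Dict[int, str] = {}
    for s in seeds:
        for n in candidate_names:
            table.setdefault(murmur3_32(n.encode("ascii"), s), n)
    resolved: Dict[int, str] = {}
    unknown: List[int] = []
    for h in hashes:
        if h in table:
            resolved[h] = table[h]
        else:
            unknown.append(h)
    return resolved, unknown


if __name__ == "__main__":
    h = murmur3_32(b"NtAllocateVirtualMemory", SEED)
    print(f"0x{h:08x} -> {loader_resolve(h, FAKE_EXPORTS):#x}")
    print(analyst_reverse([h, 0xDEADBEEF], list(FAKE_EXPORTS)))
```

The reverse lookup only works once the seed is known, so the first reversing step is to pull the hash routine out of the sample and confirm its seed against one known constant; after that a list of ntdll and kernel32 export names turns every embedded constant into a readable API name.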
## Indicators of Compromise
- File Hashes: [Not provided in the summary]
- File Names: [Not provided in the summary]
- Registry Keys: [Not provided in the summary]
- Network Indicators: C2 domains are published in the linked Morphisec analysis; none are reproduced in this summary.
- Behavioral Indicators: Direct execution of syscalls instead of standard API calls; process checks targeting EDR/AV processes; initiation via unexpected Microsoft Teams interactions.
## Associated Threat Actors
- [Not explicitly named in the provided text, but linked to a detailed Morphisec analysis.]
## Detection Methods
- **Signature-based detection:** Detection possible based on known file hashes or specific C2 infrastructure (if known).
- **Behavioral detection:** System calls whose user-mode return address lies outside ntdll.dll (or win32u.dll), which indicates a hand-rolled syscall stub bypassing EDR hooks; process enumeration that matches known security-product process names; command-line or script interpreters launched shortly after an unsolicited Microsoft Teams call, especially when the caller claimed to be IT support.
- **YARA rules:** [Not provided in the summary]
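The two behavioural checks above, worked through over constructed telemetry (example code added for this summary; it is not from the Morphisec analysis and the event shapes, module ranges, addresses and security-product names are assumptions, not the format of any particular EDR or ETW provider):

```python
"""Behavioural checks for two Matanbuchus-style behaviours, run over
constructed telemetry. Added example for this summary; not from the
Morphisec analysis. Event shapes, addresses and names are assumptions.

Assumed record kinds:
  {"type": "syscall",   "pid": int, "ret": <user-mode return address>, "modules": [Module, ...]}
  {"type": "proc_enum", "pid": int, "names": [<process names the process looked up>]}
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# On x64 Windows the `syscall` instructions for Nt*/Zw* services live in
# ntdll.dll and those for win32k GUI services in win32u.dll, so a system
# call's user-mode return address should fall inside one of the two.
SYSCALL_HOST_MODULES = {"ntdll.dll", "win32u.dll"}

# Illustrative EDR/AV process names (assumption: the report says the loader
# enumerates security processes but does not list which ones).
SECURITY_PROCESSES = {
    "msmpeng.exe", "mssense.exe", "csfalconservice.exe",
    "sentinelagent.exe", "cb.exe", "xagt.exe", "cyserver.exe",
}


def syscall_origin(ret: int, modules: Iterable[Module]) -> Optional[str]:
    """None when the syscall returned into a legitimate stub module; otherwise
    the module it came from, or '<unbacked>' when no module covers the return
    address (typical of a shellcode stub in private RWX memory)."""
    for m in modules:
        if m.contains(ret):
            return None if m.name.lower() in SYSCALL_HOST_MODULES else m.name
    return "<unbacked>"


def security_tools_enumerated(names: Iterable[str]) -> Set[str]:
    return {n.lower() for n in names} & SECURITY_PROCESSES


def evaluate(events: Iterable[Dict]) -> List[Dict]:
    """Run both checks over an event stream and return one finding per hit."""
    findings: List[Dict] = []
    for ev in events:
        if ev["type"] == "syscall":
            origin = syscall_origin(ev["ret"], ev["modules"])
            if origin is not None:
                findings.append({"pid": ev["pid"], "rule": "syscall_outside_ntdll",
                                 "detail": origin})
        elif ev["type"] == "proc_enum":
            hits = security_tools_enumerated(ev["names"])
            if len(hits) >= 2:   # one lookup can be benign; several is reconnaissance
                findings.append({"pid": ev["pid"], "rule": "security_software_discovery",
                                 "detail": sorted(hits)})
    return findings


# Constructed sample telemetry: pid 4242 runs syscall stubs from unbacked
# memory and from its own image and looks up several security products;
# pid 1000 behaves normally.
MODULES_4242 = [
    Module("loader.exe", 0x7FF600000000, 0x20000),
    Module("ntdll.dll", 0x7FFE10000000, 0x1F0000),
    Module("win32u.dll", 0x7FFE0FF00000, 0x30000),
]
SAMPLE_EVENTS = [
    {"type": "syscall", "pid": 1000, "ret": 0x7FFE100A1234, "modules": MODULES_4242},  # inside ntdll
    {"type": "syscall", "pid": 4242, "ret": 0x1E4F0A0100, "modules": MODULES_4242},    # private memory
    {"type": "syscall", "pid": 4242, "ret": 0x7FF600001100, "modules": MODULES_4242},  # loader.exe itself
    {"type": "proc_enum", "pid": 4242,
     "names": ["explorer.exe", "MsMpEng.exe", "SentinelAgent.exe", "CSFalconService.exe"]},
    {"type": "proc_enum", "pid": 1000, "names": ["explorer.exe", "MsMpEng.exe"]},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

The return-address check catches direct syscalls but not indirect ones, where the stub jumps to a `syscall; ret` sequence inside ntdll so the return address looks legitimate; for those, walk the call stack and flag the frame below ntdll when it is not backed by a loaded module.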
## Mitigation Strategies
- **Prevention measures:** This delivery path relies on social engineering, not a Teams vulnerability, so patching Teams does not address it. Restrict external access (federation) in Microsoft Teams so unknown tenants cannot call staff directly, and make sure users know that the real helpdesk will never call over Teams and ask them to run commands or install software.
- **Hardening recommendations:** Deploy an EDR that inspects call stacks for system calls originating outside ntdll and monitors process injection, so direct-syscall stubs remain visible despite the hook bypass. Run users without local administrator rights: the loader checks whether it is elevated, and least privilege limits what an unelevated instance can do.
## Related Tools/Techniques
- Other malware utilizing direct syscalls for EDR evasion (e.g., various post-exploitation frameworks).
- Other threats leveraging communication platforms (like Teams, Slack) for initial access or malware delivery.