Microsoft Teams Exploited to Deliver Matanbuchus Ransomware Payload
A sophisticated cyberattack campaign has emerged targeting organizations through Microsoft Teams impersonation, delivering the updated Matanbuchus 3.0 malware loader that serves as a precursor to ransomware deployment.
Security researchers at Morphisec have identified instances where attackers successfully compromised systems by impersonating IT helpdesk personnel during external Teams calls, ultimately leading to the execution of malicious scripts that deployed the advanced malware loader.
The attack methodology involves social engineering tactics where cybercriminals contact victims through Microsoft Teams, presenting themselves as legitimate IT support staff.
During these fraudulent interactions, attackers guide unsuspecting employees to activate Quick Assist and execute PowerShell scripts that initiate the malware deployment process.
This technique represents a significant evolution in attack vectors, leveraging the trust associated with familiar business communication platforms to bypass traditional security measures.
Enhanced Malware-as-a-Service Platform
Matanbuchus has evolved significantly since its initial deployment in 2021, now operating as a sophisticated Malware-as-a-Service platform with the recently released version 3.0 commanding prices of $10,000 for HTTP variants and $15,000 for DNS variants on underground markets.
The malware’s primary function involves establishing initial system compromise and facilitating the deployment of secondary payloads, including ransomware, making it a critical component in multi-stage attack chains.
The updated version incorporates advanced obfuscation techniques utilizing Salsa20 encryption with 256-bit keys, replacing the previously used RC4 algorithm.
This enhancement significantly improves the malware’s ability to evade detection while maintaining communication with command and control servers.
The loader now employs MurmurHash3 algorithms for API resolution, demonstrating the developers’ commitment to staying ahead of security detection mechanisms.
Persistence mechanisms have been substantially refined, with the malware now creating scheduled tasks through sophisticated COM manipulation and shellcode injection techniques.
The loader generates unique identifiers based on system volume serial numbers and establishes registry entries that enable continuous communication with command and control infrastructure.
This persistence strategy ensures the malware can maintain its foothold on compromised systems even after system reboots or security scans.
Advanced Technical Capabilities
The malware demonstrates sophisticated system reconnaissance capabilities, collecting extensive information about the compromised environment including security controls, system configurations, and installed applications.
Matanbuchus 3.0 specifically identifies the presence of major endpoint detection and response solutions including Windows Defender, CrowdStrike Falcon, SentinelOne, Sophos EDR, Trellix, Cortex XDR, BitDefender GravityZone EDR, ESET Enterprise Inspector, and Symantec Endpoint Detection and Response.
This intelligence gathering enables the malware to adapt its execution strategies based on the security stack present on the target system.
The loader can execute various payload types including MSI installers, DLL files, executables, and shellcode, with support for both direct execution and process hollowing techniques.
The malware impersonates legitimate applications such as Skype Desktop (version 8.69.0.77) so that its command and control communications blend in with normal network traffic.
Command execution capabilities include direct CMD and PowerShell command execution, WQL query support for system information gathering, and the ability to install MSI packages with administrative privileges.
The loader utilizes indirect system calls to evade detection by security solutions that monitor direct API calls, demonstrating advanced evasion techniques typically associated with state-sponsored malware.

The delivery mechanism involves cybersquatting techniques, utilizing domains such as notepad-plus-plu[.]org (missing the ‘s’ from the legitimate notepad-plus-plus.org) to host malicious update packages.
These packages contain legitimate Notepad++ updater components alongside malicious DLL files that sideload the Matanbuchus payload.
The attack chain begins with PowerShell scripts that download and execute these packages, establishing the initial compromise vector that enables further malicious activity.
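Added example, not part of the original article: a small resolver-log scan that flags look-alike domains within a short edit distance of the update sites an organisation depends on, the kind of check the notepad-plus-plu[.]org lure described above would trip. The log format, the client addresses and the protected-domain list are constructed for this example.

```python
# Added example (not from the report): flag DNS queries for look-alike domains
# such as the notepad-plus-plu[.]org lure the article describes. The log format,
# client addresses and the protected-domain list are constructed for the example.
from typing import List, Optional, Tuple

# Brands whose update channels the organisation relies on (assumption).
PROTECTED = ["notepad-plus-plus.org", "microsoft.com"]

# Constructed resolver log: "<timestamp> <client> <queried name>" per line.
SAMPLE_LOG = """\
2025-07-17T09:01:03Z 10.0.4.21 notepad-plus-plus.org
2025-07-17T09:02:11Z 10.0.4.21 notepad-plus-plu.org
2025-07-17T09:05:40Z 10.0.7.9 update.microsoft.com
2025-07-17T09:06:02Z 10.0.7.9 micros0ft.com
2025-07-17T09:07:55Z 10.0.3.3 example.net
"""

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain: str) -> str:
    """Last two labels; fine for .org/.com, not for ccTLD forms like co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def lookalike(query: str, protected: List[str], max_dist: int = 2) -> Optional[Tuple[str, int]]:
    """Return (mimicked domain, distance) if the query is near but not equal to a protected domain."""
    base = registrable(query)
    for legit in protected:
        if base == legit:
            return None  # the genuine domain, nothing to flag
        d = levenshtein(base, legit)
        if 0 < d <= max_dist:
            return legit, d
    return None

def scan_log(text: str, protected: List[str] = PROTECTED) -> List[Tuple[str, str, str, str, int]]:
    """Yield (timestamp, client, query, mimicked domain, distance) for suspicious lines."""
    hits = []
    for line in text.splitlines():
        ts, client, query = line.split()
        match = lookalike(query.replace("[.]", "."), protected)  # accept defanged names too
        if match:
            hits.append((ts, client, query, match[0], match[1]))
    return hits
```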
Indicators of Compromise (IOCs)
| Indicator | Description |
|---|---|
| 94.159.113[.]33 – fixuplink[.]com [RU] | Command and Control Server |
| bretux[.]com | Malicious Domain |
| nicewk[.]com | Command and Control Domain |
| emorista[.]org | Malicious Domain |
| notepad-plus-plu[.]org | Malicious Update Location |
| da9585d578f367cd6cd4b0e6821e67ff02eab731ae78593ab69674f649514872 | libcurl.dll (SHA256) |
| 2ee3a202233625cdcdec9f687d74271ac0f9cb5877c96cf08cf1ae88087bec2e | libcurl.dll (SHA256) |
| 19fb41244558f3a7d469b79b9d91cd7d321b6c82d1660738256ecf39fe3c8421 | libcurl.dll (SHA256) |
| 211cea7a5fe12205fee4e72837279409ace663567c5b8c36828a3818aabef456 | libcurl.dll (SHA256) |
| 0f41536cd9982a5c1d6993fac8cd5eb4e7f8304627f2019a17e1aa283ac3f47c | libcurl.dll (SHA256) |
| EventLogBackupTask | Scheduled Task Name |