Hackers hijack Microsoft Teams to spread malware to certain firms - find out if you're at risk
Victims are carefully picked

- Researchers from Morphisec spotted Matanbuchus 3.0 in the wild
- The malware serves as a loader for Cobalt Strike or ransomware
- The victims are approached via Teams and asked for remote access
Security researchers are warning about an ongoing campaign leveraging Microsoft Teams calls to deploy a piece of malware called Matanbuchus 3.0.
As per cybersec outfit Morphisec, an unidentified hacking group first carefully picks its victims, and then reaches out via Microsoft Teams, posing as an external IT team.
They try to persuade the victim that they have a problem with their device and that they need to grant remote access in order to fix the issue. Since the victims are cherry-picked, there is a higher chance of success.
Expensive malware-as-a-service
Once the access is granted, usually through Quick Assist, the attackers execute a PowerShell script that deploys Matanbuchus 3.0, a malware loader that can lead to Cobalt Strike beacons, or even ransomware.
"Victims are carefully targeted and persuaded to execute a script that triggers the download of an archive," Morphisec CTO Michael Gorelik said. "This archive contains a renamed Notepad++ updater (GUP), a slightly modified configuration XML file, and a malicious side-loaded DLL representing the Matanbuchus loader."
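The chain in the two paragraphs above (a Quick Assist session, a PowerShell script, a renamed Notepad++ updater and a DLL side-loaded from its directory) gives a defender three concrete things to look for in endpoint telemetry. The script below is an added illustration written for this article, not code from Morphisec or TechRadar; the Quick Assist process name, the Notepad++ updater install path, the Sysmon-style field names and every sample event are assumptions or constructed data.

```python
from pathlib import PureWindowsPath

# Assumed install location of the genuine Notepad++ updater (GUP.exe).
NOTEPADPP_UPDATER_DIR = PureWindowsPath(r"C:\Program Files\Notepad++\updater")
REMOTE_ASSIST_IMAGES = {"quickassist.exe"}  # assumed Quick Assist process name
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}

def is_renamed_gup(evt):
    """Updater by PE OriginalFileName, but running outside its install dir."""
    if evt.get("OriginalFileName", "").lower() != "gup.exe":
        return False
    return PureWindowsPath(evt["Image"]).parent != NOTEPADPP_UPDATER_DIR

def detect(events):
    """(rule, pid) alerts: shell under Quick Assist -> renamed GUP -> DLL loaded
    from the renamed updater's own directory (side-loading). PID reuse ignored."""
    alerts, renamed_dirs = [], {}
    for e in events:
        if e["type"] == "process_create":
            parent = PureWindowsPath(e["ParentImage"]).name.lower()
            child = PureWindowsPath(e["Image"]).name.lower()
            if parent in REMOTE_ASSIST_IMAGES and child in SHELL_IMAGES:
                alerts.append(("remote-assist-shell", e["ProcessId"]))
            if is_renamed_gup(e):
                renamed_dirs[e["ProcessId"]] = PureWindowsPath(e["Image"]).parent
                alerts.append(("renamed-gup", e["ProcessId"]))
        elif e["type"] == "image_load":
            home = renamed_dirs.get(e["ProcessId"])
            if home and PureWindowsPath(e["ImageLoaded"]).parent == home:
                alerts.append(("gup-sideload", e["ProcessId"]))
    return alerts

# Constructed Sysmon-style sample telemetry; paths and names are not from the article.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "ProcessId": 4100, "Image": PS, "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\QuickAssist.exe"},
    {"type": "process_create", "ProcessId": 5200, "ParentImage": PS, "OriginalFileName": "gup.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update\svcupd.exe"},      # renamed updater
    {"type": "image_load", "ProcessId": 5200,
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update\helper.dll"},  # side-loaded DLL
    {"type": "process_create", "ProcessId": 6300, "OriginalFileName": "gup.exe",
     "Image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "ParentImage": r"C:\Program Files\Notepad++\notepad++.exe"},            # genuine updater
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule} pid={pid}")
```

The genuine updater in the last event is deliberately left unflagged: the side-loading rule only fires for a copy of GUP running outside its install directory, which is what keeps the check from alerting on every Notepad++ update.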
This malware was first spotted in 2021, The Hacker News reports, when cybercriminals advertised it on Russian-speaking forums for $2,500. Since then, the malware has evolved to include new features, better communication, more stealth, CMD and PowerShell support, and more. It also apparently costs more, now carrying a monthly service price of $10,000 for the HTTPS version and $15,000 for the DNS version.
While the researchers do not identify the attackers, they did say that similar social engineering tactics were used in the past by a group called Black Basta to deploy ransomware.
In the past, Black Basta was one of the most dangerous ransomware operations in existence, but it has since slowly faded from view. In late February this year, a cybercriminal released chat logs that detailed the inner workings of the group.
Via The Hacker News
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.