Google Drive as a Distribution Method for Matanbuchus Malware

Initially launched in February 2021, Matanbuchus is a malware-as-a-service (MaaS) available on Russian-speaking cybercrime forums.

Similar to other malware loaders like BazarLoader, Matanbuchus is a malicious software that is designed to download and run second-stage executable files from command and control (C&C or C2) servers without detection. According to Matanbuchus’ author, the malware has the ability to launch a .exe or .dll file in memory, run custom PowerShell commands, and more.

Abnormal recently observed a new approach to delivering the malware loader. Combining more convincing social engineering tactics with legitimate infrastructure—in this case Google Drive—threat actors are able to launch an attack that is significantly more difficult to detect.

In June 2022, Abnormal was able to detect an email purportedly sent from a teacher from a well-known district school. Using a hijacked thread, the attackers were able to leverage the teacher’s identity and the real school at which she worked as a way to avoid detection. Additionally, the email account used for the delivery of this mail comes from a legitimate domain that is presumed to have been compromised.

The attackers took advantage of multiple elements to not only create an appearance of credibility to fool targets but also obfuscate the malware to bypass email security. The diagram below shows the flow of the attack detected by Abnormal up to the point of downloading the Matanbuchus malware, which would eventually download another family of malware like Cobalt Strike.

The impersonated party in this attack is a teacher who is employed by the district school and is also a member of a group that supports the school community. The attack begins with the hijacked thread from the teacher inviting recipients to participate in the next community meeting. The message includes a Google Drive URL, which the threat actor claims is a link to a document related to the event.

This Google Drive link downloads a zip file with a LNK file inside.

Within its properties, the LNK file has the command-line argument that it needs to initiate the second stage.

Only a small snippet of the target path is visible; however, the command-line argument extends beyond what the victim can see.

The first step in this argument is to create the hP folder and then check the internet connection pinging Mh4m[.]com and 4umz[.]com. The malicious file uses clean URLs so as not to be detected as suspicious network traffic.

The second step in the argument is to download a second file, using curl, from https://re9cred[.]com/N9tIgZB/Wq[.]png. The file uVbU.UEMX.pafB is saved in the hidden directory ..\AppData\Roaming\hP, which makes it imperceptible to the victim.

The second file is running with regsvr32. The malicious file has different domains to reach out to download a third file and increase the download success.

The file establishes a connection with the C2 telemetryreporting[.]com and IP 31[.]41[.]244[.]234 and downloads the malware Matanbuchus. All of the network traffic is using base64 encoding as an anti-detection technique.

Matanbuchus malware is saved in the hidden directory ..\AppData\Local\9e0a with the name x86.nls.

After downloading the malware, the connection with the C2 31[.]41[.]244[.]230 is still sending the same information from the host to maintain the established connection.

As we saw before, the traffic is encoded in base64.

In this case, after decoding the base64 we can see different arguments, potentially related to the victim's configuration system.

The threat actors used a powerful combination of tactics to launch this attack: impersonating an actual teacher at a well-known school, exploiting a legitimate domain, leveraging Google Drive as the infrastructure, and using a sophisticated malware loader. Because the foundation of the attack is legitimate elements, it enables the threat actors to more easily fool the target and execute the multi-stage attack.

In addition, the technique of decoding malicious code in memory makes it more difficult for security systems to detect the malware. A traditional email security platform would be incapable of stopping an attack with this level of complexity. Effectively blocking these kinds of attacks requires a solution designed specifically to detect these indicators of compromise.