Key findings
- How a pivot on the Whois of the C2 domains of Matanbuchus can be leveraged to anticipate future campaigns and wider threats.
- A seemingly Russia-based Bulletproof hosting service is currently used by impactful intrusion sets leveraging Matanbuchus and SocGholish malware.
- How the encrypted strings contained in the Matanbuchus DLL can be dynamically decrypted with emulation.
- TA577 could currently be a client of Matanbuchus, or just testing the solution.
Introduction
In early March, malspam campaigns were launched with the intention of deploying the Matanbuchus Loader. Intrinsec’s CTI team decided to analyse these campaigns to unveil details of the attack chain which could be leveraged to anticipate further threats. As we will later describe in this report, by analysing the infrastructure of the malware and its network communications, we were able to discover a previously unknown Autonomous System that currently hosts a wide range of other malicious activities.
Intrinsec’s CTI services
Organisations are facing a rise in the sophistication of threat actors and intrusion sets. To address these evolving threats, it is now necessary to take a proactive approach in the detection and analysis of any element deemed malicious. Such a hands-on approach allows companies to anticipate, or at least react as quickly as possible to the compromises they face.
For this report, shared with our clients in July 2023, Intrinsec relied on its Cyber Threat Intelligence service, which provides its customers with high value-added, contextualized and actionable intelligence to understand and contain cyber threats. Our CTI team consolidates data & information gathered from our security monitoring services (SOC, MDR …), our incident response team (CERT-Intrinsec) and custom cyber intelligence generated by our analysts using custom heuristics, honeypots, hunting, reverse-engineering & pivots.
Intrinsec also offers various services around Cyber Threat Intelligence:
- Risk anticipation: which can be leveraged to continuously adapt the detection & response capabilities of our clients’ existing tools (EDR, XDR, SIEM, …) through:
-
- an operational feed of IOCs based on our exclusive activities.
- threat intel notes & reports, TIP-compliant.
-
- Digital risk monitoring:
-
- data leak detection & remediation
- external asset security monitoring (EASM)
- brand protection
-
For more information, go to www.intrinsec.com/en/cyber-threat-intelligence/.