Unit 42 researchers shed light on Matanbuchus, a new malware-as-a-service (MaaS) from a threat actor BelialDemon and the malware’s infrastructure.
During their investigation of what they call non-traditional sources – underground marketplaces and sites, spanning from forums on the Tor network to Telegram channels and other marketplaces – they decided to take a closer look at a threat actor called BelialDemon, who is active on several underground forums and marketplaces.
Since February 2021, BelialDemon has been advertising a new malware-as-a-service (MaaS) called Matanbuchus Loader at an initial price of $2,500.
Matanbuchus is a malware loader that can execute arbitrary code, second-stage malware that is dropped or pulled from command and control (C2).
In their report, Unit 42 researchers detail the following Matanbuchus’ capabilities:
The ability to launch a .exe or .dll file in memory;
The ability to leverage schtasks.exe to add or modify task schedules;
The ability to launch custom PowerShell commands;
The ability to leverage a standalone executable to load the DLL if the attacker otherwise has no way of doing so.
According to the Unit 42 research, Matanbuchus affected various organizations in different countries, including a large university and high school in the United States and a high-tech organization in Belgium.
Unit 42 researchers discovered that the user BelialDemon was following a particular biblical theme.
Their name, Belial, and their new loader, Matanbuchus, both stem from the Ascension of Isaiah 2:4: “And Manasseh turned aside his heart to serve Belial; for the angel of lawlessness, who is the ruler of this world, is Belial, whose name is Matanbuchus.”
In their recent blog post, Unit 42 researchers shed light on Matanbuchus, BelialDemon, the malware’s infrastructure, and indicators of compromise.
This Unit 42 research highlights how threat hunting on the Dark Web can generate threat intelligence and “how small pieces of seemingly disparate data can chain together to strengthen analysis, extract indicators and improve defenses for your organization before being impacted,” researchers concluded.
For the full analysis, please refer to the full report.