A threat actor named BelialDemon, who is a member of several underground forums and is offering Malware-as-a-Service (MaaS). the actor had advertised a new MaaS named Matanbuchus Loader, charging a basic rental price of $2,500.

Threat Vector

  • BelialDemon is involved in the development of malware loaders and is considered the main developer of a loader, TriumphLoader. The threat actor has experience with selling such threats.
  • In underground forum, the attacker was particularly looking to recruit three people as part of its MaaS offering.
  • The sample of Matanbuchus led to the discovery of a file in the wild, ddg[.]dll, that is actively dropped via hxxp://idea-secure-login[.]com and then saved locally as hcRlCTg[.]dll.

Matanbuchus 

BelialDemon operators follow a biblical theme for its name. The word Belial and the name of the loader Matanbuchus, stem from the Ascension of Isaiah.

Matanbuchus can launch an EXE or DLL file in memory, leverage schtasks.exe to add or modify task schedules, and launch custom PowerShell commands, among other capabilities.

Attackers use a Microsoft Excel document as the initial vector to drop the Matanbuchus Loader DLL. When the Excel document is opened, it asks users to enable macros to view the content dropping Matanbuchus.dll and making API calls

Final Thoughts

At present, the malware loader is available for purchase at underground marketplaces. Therefore, to protect from such threats, experts recommend using genuine threat intelligence solutions to strengthen the defenses of organizations