December 2, 2023

A threat actor named BelialDemon, who is a member of several underground forums and is offering Malware-as-a-Service (MaaS). the actor had advertised a new MaaS named Matanbuchus Loader, charging a basic rental price of $2,500.

Threat Vector

  • BelialDemon is involved in the development of malware loaders and is considered the main developer of a loader, TriumphLoader. The threat actor has experience with selling such threats.
  • In underground forum, the attacker was particularly looking to recruit three people as part of its MaaS offering.
  • The sample of Matanbuchus led to the discovery of a file in the wild, ddg[.]dll, that is actively dropped via hxxp://idea-secure-login[.]com and then saved locally as hcRlCTg[.]dll.

Matanbuchus 

BelialDemon operators follow a biblical theme for its name. The word Belial and the name of the loader Matanbuchus, stem from the Ascension of Isaiah.

Matanbuchus can launch an EXE or DLL file in memory, leverage schtasks.exe to add or modify task schedules, and launch custom PowerShell commands, among other capabilities.

Attackers use a Microsoft Excel document as the initial vector to drop the Matanbuchus Loader DLL. When the Excel document is opened, it asks users to enable macros to view the content dropping Matanbuchus.dll and making API calls

Final Thoughts

At present, the malware loader is available for purchase at underground marketplaces. Therefore, to protect from such threats, experts recommend using genuine threat intelligence solutions to strengthen the defenses of organizations

Tags:

Leave a Reply

You may have missed

CISA KEV Update Part I – December 2023

December 1, 2023

Dollar Tree Affected by a Third Party Breach

December 1, 2023

Apple Patches iOS zerodays – CVE-2023-42916 and CVE-2023-42917

December 1, 2023

TheCyberThrone Security Week In Review – November 25, 2023

November 30, 2023

BlueVoyant Acquires Conquest Cyber

November 30, 2023

Google Fixes Sixth Chrome ZeroDay of 2023

November 29, 2023
%d bloggers like this: