
According to researchers at Morphisec, attackers are now exploiting Microsoft Teams calls to trick victims into installing the Matanbuchus malware loader, a tool built to stage further malware on a compromised machine. Matanbuchus has been available to hackers since 2021 and lets them push additional malicious payloads onto compromised Windows systems. Recently, Matanbuchus 3.0 was introduced, which reportedly includes significant updates that could lead to an increase in successful attacks.
In July of this year, Morphisec reported that one of its customers was targeted by this attack: the customer received external Teams calls from cybercriminals impersonating IT support staff, a common tactic scammers use to gain a victim's trust. The callers most likely claimed that they needed to fix something on the customer's computer and instructed the victim to open Quick Assist, a built-in Windows tool that can be used to both receive and provide remote connections. Once Quick Assist was active, the scammers could both operate the tool themselves and coach the victim through executing a script that deployed the Matanbuchus loader on the device. Like many attacks, this one relies on social engineering to trick a user into running a malicious file.
Once installed, the Matanbuchus loader gives the attackers ongoing access to the system thanks to its stealthy nature. It works quietly in the background, stealing information and allowing the attackers to run further malicious programs. Additionally, the attack abuses legitimate tools such as Teams and Notepad++, which lets the malicious code run in memory rather than being written to disk and helps it evade common security measures.
This attack is particularly dangerous because it exploits a commonly used and trusted program: Teams. Employees are more likely to trust calls coming through Teams than ordinary phone calls, especially if the person on the other end claims to be from IT. It is important to always be suspicious of calls on Teams, especially any coming from unknown individuals outside your organization. Your IT team will typically have a preferred method of communication, so if someone contacts you by a different method than usual but claims to be IT, treat the request with suspicion. It is also important to never hand over remote access to a person you have not verified as trustworthy. If you have any doubts, you can always hang up and contact your IT team via a verified email address or phone number to ask whether the call came from them.
Solutions such as managed privileged access also help prevent unwanted software downloads and add a useful security layer on top of the tools already in place.