Security researchers have uncovered a new wave of targeted cyberattacks in which threat actors are leveraging Microsoft Teams to distribute Matanbuchus 3.0, a sophisticated malware loader. These attacks exploit the growing reliance on Microsoft Teams as a trusted internal communication tool, using it as a vector to bypass traditional email-based security controls and deceive victims through social engineering.
What is Matanbuchus 3.0?
Matanbuchus is a malware-as-a-service (MaaS) loader available to cybercriminals via the dark web. First observed in 2021, the malware has evolved significantly. The newly identified version 3.0 introduces several enhancements, including:
- Advanced obfuscation techniques designed to evade detection.
- In-memory execution of malicious payloads, minimizing the malware’s footprint on disk.
- Support for delivering a variety of payloads, including executables (EXEs), dynamic link libraries (DLLs), and custom shellcode.
- Sophisticated command-and-control (C2) capabilities over HTTPS and DNS.
- Access to the service is sold to threat actors for $10,000 to $15,000 per month.
Matanbuchus is used primarily as a first-stage loader, enabling attackers to deploy second-stage tools such as Cobalt Strike, data-stealing Trojans, or ransomware.
Exploiting Microsoft Teams for Malware Delivery
In this campaign, the attackers initiate direct contact through Microsoft Teams, posing as internal IT personnel or support staff. The messages rely on social engineering tactics, in which the attackers:
- Urge users to install an “important update” or “security patch.”
- Request remote access using Microsoft’s Quick Assist tool.
- Encourage execution of malicious files or scripts under the guise of IT support activities.
These conversations can be highly convincing, often backed by spoofed profile pictures and contextually relevant messages that impersonate legitimate internal users or IT departments.
Once trust is established, the attacker sends a ZIP archive, typically disguised as a standard software update. This archive contains:
- A renamed legitimate tool (e.g., a Notepad++ updater).
- A concealed and malicious XML configuration file.
- A malicious DLL that the renamed legitimate executable side-loads, which starts the Matanbuchus 3.0 loader.
Upon execution, the loader harvests system data, checks for administrative privileges, and communicates with its C2 server, enabling the attacker to deliver additional payloads.
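The delivery chain above hinges on DLL side-loading from a user-writable folder by a renamed, legitimate executable. The following Python script is an added example, not code from the original article or from any vendor product: it scores constructed, Sysmon-style image-load records for the combination of signals a defender would look for (process running from a Downloads/Temp-style path, DLL loaded from the process's own directory, unsigned DLL, and a file name that differs from the binary's embedded OriginalFileName). The JSON field names, paths and file names are assumptions made up for the example.

```python
"""Heuristic detection of DLL side-loading from user-writable directories.

Added example: the record layout below is a constructed, Sysmon-like schema
(an assumption for this script), not a real product's event format.
"""
import json
from pathlib import PureWindowsPath

# Constructed sample image-load records (JSON lines). The second record mimics
# a renamed updater dropped from a ZIP archive that loads a colocated DLL.
SAMPLE_EVENTS = r"""
{"image": "C:\\Program Files\\Notepad++\\updater\\updater.exe", "image_original_name": "updater.exe", "loaded": "C:\\Windows\\System32\\kernel32.dll", "loaded_signed": true}
{"image": "C:\\Users\\alice\\Downloads\\Update\\patch_update.exe", "image_original_name": "updater.exe", "loaded": "C:\\Users\\alice\\Downloads\\Update\\helper.dll", "loaded_signed": false}
{"image": "C:\\Program Files\\Vendor\\app.exe", "image_original_name": "app.exe", "loaded": "C:\\Program Files\\Vendor\\plugin.dll", "loaded_signed": false}
"""

# Path fragments that indicate a directory an ordinary user can write to.
USER_WRITABLE_HINTS = (
    "\\downloads\\",
    "\\desktop\\",
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
)

# Number of independent signals required before an event is reported.
ALERT_THRESHOLD = 3


def in_user_writable_dir(path: str) -> bool:
    """True if the path sits under a well-known user-writable location."""
    lowered = path.lower()
    return any(hint in lowered for hint in USER_WRITABLE_HINTS)


def same_directory(a: str, b: str) -> bool:
    """True if both Windows paths share the same parent directory."""
    return str(PureWindowsPath(a).parent).lower() == str(PureWindowsPath(b).parent).lower()


def looks_renamed(image: str, original_name: str) -> bool:
    """True if the on-disk file name differs from the PE's OriginalFileName."""
    return PureWindowsPath(image).name.lower() != original_name.lower()


def assess(event: dict) -> list:
    """Return the list of side-loading indicators present in one event."""
    image, loaded = event["image"], event["loaded"]
    reasons = []
    if in_user_writable_dir(image):
        reasons.append("process image runs from a user-writable directory")
    # A DLL resolved next to the executable is the classic side-loading pattern;
    # system directories are excluded because that is where DLLs normally live.
    if same_directory(image, loaded) and not loaded.lower().startswith("c:\\windows\\"):
        reasons.append("DLL loaded from the process's own directory")
    if not event.get("loaded_signed", False):
        reasons.append("loaded DLL is unsigned")
    if looks_renamed(image, event["image_original_name"]):
        reasons.append("process binary appears renamed (file name != OriginalFileName)")
    return reasons


def detect(jsonl: str) -> list:
    """Parse JSON-lines records and return the events that cross the threshold."""
    alerts = []
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = assess(event)
        if len(reasons) >= ALERT_THRESHOLD:
            alerts.append({"image": event["image"], "loaded": event["loaded"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"ALERT: {alert['image']} loaded {alert['loaded']}")
        for reason in alert["reasons"]:
            print(f"  - {reason}")
```

Run against the constructed records, only the renamed executable in the Downloads folder is reported (all four signals fire), while the vendor application loading its own unsigned plugin from Program Files scores two signals and stays below the threshold. The threshold, rather than any single signal, is what keeps the rule usable: unsigned DLLs and colocated DLLs are common in legitimate software, but rarely together with a renamed binary running from a download directory.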
Why Microsoft Teams is Targeted
Microsoft Teams has become an integral part of enterprise collaboration, with many organizations enabling external communication by default. Unfortunately, this trust in the platform and its perceived internal nature makes employees less cautious when interacting with contacts on Teams.
This campaign demonstrates how attackers are shifting toward exploiting trusted communication channels instead of traditional phishing emails, increasing the likelihood of social engineering success.
Associated Risks and Impact
- Highly Targeted Attacks: Campaigns are not widespread but laser-focused on high-value individuals or departments.
- Bypassing Traditional Defenses: Since Teams messages often fall outside traditional email filtering systems, organizations may fail to detect the attack early.
- Ransomware Deployment: Matanbuchus is frequently used to deploy ransomware in the final stages of an attack, increasing the potential for catastrophic data and financial loss.