Unit 42 researchers have identified a threat actor named BelialDemon, a member of several underground forums who offers Malware-as-a-Service (MaaS). In February, the actor advertised a new MaaS called Matanbuchus Loader, with a base rental price of $2,500.
What has happened?
Researchers from Unit 42 have discovered multiple organizations, such as large universities and high schools in the U.S., along with high-tech organizations in Belgium, being targeted by Matanbuchus.
- BelialDemon develops malware loaders and is considered the main developer of another loader, TriumphLoader, so the actor already has experience selling such threats.
- In the underground forum posts, the actor was specifically looking to recruit three people to support the MaaS offering.
- Analysis of the Matanbuchus sample led to the discovery of a file in the wild, ddg[.]dll, which is actively dropped via hxxp://idea-secure-login[.]com and then saved locally as hcRlCTg[.]dll.
The threat actor follows a biblical theme in its naming: both the word Belial and the loader name Matanbuchus stem from the Ascension of Isaiah.
- Matanbuchus MaaS can launch an EXE or DLL file in memory, use schtasks.exe to add or modify scheduled tasks, and run custom PowerShell commands, among other capabilities.
- Attackers use a Microsoft Excel document as the initial vector to drop the Matanbuchus Loader DLL. When the Excel document is opened, it asks users to enable macros to view the content.
- The main goal of this first-stage DLL is to drop the main Matanbuchus DLL. Before doing so, however, it makes a number of API calls typically seen in anti-debugging and anti-virtualization checks.
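The chain above (Excel lure, dropped DLL, scheduled task, PowerShell) and the indicators quoted earlier lend themselves to simple endpoint detection logic. The following is an added example written for this page, not detection content from the Unit 42 report: it refangs the page's indicators and flags schtasks.exe or powershell.exe whose process ancestry leads back to Excel. The Sysmon-style events are constructed, and the use of rundll32.exe or regsvr32.exe to execute the dropped DLL is an assumption, since the page does not say how the DLL is launched.

```python
"""Added example: detection logic for the Matanbuchus delivery chain described above.
Not from the Unit 42 report; all sample events below are constructed."""
import re
from dataclasses import dataclass

# Indicators quoted on the page, kept defanged here and refanged at load time.
DEFANGED_IOCS = {
    "domain": ["idea-secure-login[.]com"],
    "file": ["ddg[.]dll", "hcRlCTg[.]dll"],
}

# Child images worth flagging when an Office process is in their ancestry.
# rundll32/regsvr32 as the DLL launcher is an assumption, not stated on the page.
SUSPICIOUS_CHILDREN = {"schtasks.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}
OFFICE_PARENTS = {"excel.exe", "winword.exe"}


def refang(value: str) -> str:
    """'hxxp://a[.]b' -> 'http://a.b' so indicators compare against live telemetry."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value)
    return value.replace("[.]", ".").lower()


REFANGED = {k: {refang(v) for v in vals} for k, vals in DEFANGED_IOCS.items()}


@dataclass
class Event:
    kind: str             # "process", "dns" or "file"
    pid: int
    ppid: int = 0
    image: str = ""
    cmdline: str = ""
    query: str = ""       # dns: name queried
    target: str = ""      # file: path written


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(pid, procs, max_depth=8):
    """Walk parent links upward; bounded and cycle-safe so bad telemetry cannot loop."""
    chain, seen = [], set()
    while pid in procs and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def detect(events):
    """Return (rule, pid, detail) tuples for events matching the three rules."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    hits = []
    for e in events:
        if e.kind == "process" and basename(e.image) in SUSPICIOUS_CHILDREN:
            if any(basename(p.image) in OFFICE_PARENTS for p in ancestry(e.ppid, procs)):
                hits.append(("office_descendant", e.pid, f"{basename(e.image)} {e.cmdline}".strip()))
        elif e.kind == "dns" and e.query.lower() in REFANGED["domain"]:
            hits.append(("ioc_domain", e.pid, e.query))
        elif e.kind == "file" and basename(e.target) in REFANGED["file"]:
            hits.append(("ioc_file", e.pid, e.target))
    return hits


# Constructed telemetry (Sysmon-style process/DNS/file events), not real data.
SAMPLE_EVENTS = [
    Event("process", 1000, 800, r"C:\Windows\explorer.exe"),
    Event("process", 1200, 1000, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          '"EXCEL.EXE" C:\\Users\\u\\Downloads\\invoice.xlsm'),
    Event("dns", 1200, query="idea-secure-login.com"),
    Event("file", 1200, target=r"C:\Users\u\AppData\Local\Temp\hcRlCTg.dll"),
    Event("process", 1300, 1200, r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\Users\u\AppData\Local\Temp\hcRlCTg.dll,DllMain"),
    Event("process", 1400, 1300, r"C:\Windows\System32\schtasks.exe",
          "schtasks /create /sc minute /mo 30 /tn Updater /tr rundll32.exe"),
    Event("process", 1500, 1300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -nop -w hidden -c Start-Sleep 1"),
    # Benign: an admin's shell started from Explorer, and a task query it runs.
    Event("process", 2000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event("process", 2100, 2000, r"C:\Windows\System32\schtasks.exe", "schtasks /query"),
    Event("dns", 2000, query="update.microsoft.com"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Two caveats matter in production. The parent map keys on PID only, so on a busy host PID reuse can splice unrelated lineages; key on PID plus process start time (or the process GUID Sysmon emits) instead. And because the loader can run an EXE or DLL purely in memory, a stage executed that way produces no process-creation event, so the ancestry rule only sees the parts of the chain that spawn real processes; the DNS and file-name indicators cover some of that gap, but only until the operator rotates infrastructure.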
At present, the loader is available for purchase on underground marketplaces, so any actor who rents it can deploy it. To protect against such threats, experts recommend using genuine threat intelligence solutions to strengthen organizational defenses.