From Clicks to Command: Matanbuchus 3.0 and AstarionRAT Hijack Users with Stealthy Social Engineering
A cunning blend of social manipulation, silent installs, and advanced malware marks a new era of cybercrime sophistication.
When a simple click spirals into total system compromise, you know the cybercriminals are upping their game. The latest Matanbuchus 3.0 campaign is a masterclass in deception - turning everyday users into unwitting accomplices and quietly unleashing a new remote access threat, AstarionRAT. But how does a single copy-pasted command open the door to such advanced mayhem? Netcrook investigates the anatomy of this silent, multi-stage attack.
The Human Factor: ClickFix and the Art of Deception
The operation kicks off with a seemingly harmless prompt - ClickFix - asking users to paste a command into their console. This maneuver sidesteps traditional email and attachment scanning, making the victim the unwitting delivery mechanism. The command silently fetches and installs a remote MSI package using msiexec.exe, all without a single warning or visible installer window.
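As an added illustration (not code from the article, Netcrook, or any vendor tool), the following Python sketch shows the detection angle a defender would take on this first stage: scoring process-creation events in which msiexec.exe pulls its package from a URL, runs silently, and was launched from an interactive shell or the Run dialog. The event records, hostnames, addresses and paths are constructed samples, not indicators from the campaign.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events standing in for Sysmon Event ID 1 / 4688 records.
# None of these values come from the article; they only exercise the logic below.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "msiexec /i https://cdn.example.invalid/update.msi /qn"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'msiexec /i "C:\Users\jdoe\Downloads\7zip.msi"'},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "msiexec.exe /package http://198.51.100.7/st.msi /quiet /norestart"},
    {"image": r"C:\Program Files\Java\bin\java.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "java.exe -jar app.jar"},
]

URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
# msiexec UI-suppression switches: /q, /qn, /qb, /quiet, /passive
QUIET_RE = re.compile(r"(?:^|\s)/(?:q[nb]?|quiet|passive)\b", re.IGNORECASE)
# Parents a pasted ClickFix command would typically come from (shell or Win+R via explorer.exe).
INTERACTIVE_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "explorer.exe"}


def classify(event):
    """Return the reasons an msiexec launch looks like a remote silent install, or [] if benign."""
    if PureWindowsPath(event["image"]).name.lower() != "msiexec.exe":
        return []
    cmd = event["cmdline"]
    if not URL_RE.search(cmd):
        return []  # a local package path alone is routine software installation
    reasons = ["package fetched from a remote URL"]
    if QUIET_RE.search(cmd):
        reasons.append("silent install flag suppresses the installer UI")
    parent = PureWindowsPath(event["parent"]).name.lower()
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"spawned from interactive shell/Run dialog ({parent})")
    return reasons


def scan(events):
    """Map event index -> reasons for every event that trips the rule."""
    findings = {}
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            findings[i] = reasons
    return findings
```

In production the same three signals (URL source, quiet switch, interactive parent) map cleanly onto a Sysmon or EDR query; the URL condition is the one that separates ClickFix-style installs from ordinary MSI deployments.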
Stealthy Installs and Living Off the Land
Once inside, the MSI drops files into directories masquerading as legitimate security products. A mix of real and fake components - like renamed antivirus binaries and Visual C++ runtimes - camouflages the payload. Buried within is SystemStatus.dll, the new Matanbuchus 3.0 loader, which is heavily obfuscated to frustrate analysts and automated defenses alike.
The loader is a marvel of anti-analysis: junk code, encrypted strings, and external shellcode stored in encrypted blobs. It decrypts and reconstructs its next-stage modules on the fly, querying the system for security tools to adapt its tactics in real time.
Chained Execution: Lua, Sideloading, and RAT Deployment
The attack escalates with a second DLL sideloading chain, leveraging a legitimate java.exe and a malicious jli.dll that embeds a Lua interpreter. This routine unhooks system libraries, decrypts scripts, and loads further payloads directly into memory - culminating in the deployment of AstarionRAT.
AstarionRAT is no ordinary remote access trojan. It boasts 24 commands, from file management and credential theft to port tunneling and in-memory payload execution. Its network traffic is disguised to blend with enterprise patterns, embedding encrypted data in cookies and mimicking legitimate telemetry.
Professional Tools for Criminal Hands
Matanbuchus 3.0 represents a leap in malware commercialization. Advertised for up to $15,000 a month, it’s aimed at targeted, high-impact operations. In a documented case, attackers moved from initial access to full domain control in under 40 minutes - an alarming speed that hints at pre-ransomware staging or data theft ambitions.
Conclusion: The Invisible Enemy Within
The Matanbuchus 3.0 and AstarionRAT campaign demonstrates how cybercriminals are perfecting the art of invisibility - turning trusted tools and human naivety into powerful weapons. As attackers continue to innovate, defenders must rethink user training and detection strategies, because in this battle, the first click could be the last line of defense.
WIKICROOK
- DLL Sideloading: DLL sideloading is when attackers trick trusted programs into loading malicious helper files (DLLs) instead of the legitimate ones, enabling hidden attacks.
- Malware: Malware is malicious software designed to infiltrate, damage, or steal data from computing devices without the user's consent.
- Obfuscation: Obfuscation is the practice of disguising code or data to make it difficult for humans or security tools to understand, analyze, or detect.
- Reflective Loader: A reflective loader loads and executes code in memory without disk access, often used to evade detection by security tools.
- Command and Control (C2): Command and Control (C2) is the system hackers use to remotely control infected devices and coordinate malicious cyberattacks.