For US$2,500, threat actors can employ Matanbuchus, a malware-as-a-service (MaaS) package found delivering Cobalt Strike beacons through phishing and spam messages. Cobalt Strike is a powerful security tool that threat actors are increasingly using as a reconnaissance and post-exploitation weapon.

Our researchers obtained a list of indicators of compromise (IoCs) and email domains used in phishing campaigns. Using Threat Intelligence Platform (TIP), we analyzed and expanded them in this report. Our findings include:

• Eleven out of 13 email domains used in Matanbuchus-related phishing either had no mail exchanger (MX) server or Domain-Based Message Authentication, Reporting, and Conformance (DMARC) configured
• Most of the email domains had problematic Secure Sockets Layer (SSL) and name server configurations
• 600+ connected domains via the IoC domains’ WHOIS records and text strings, and the email domains’ MX records
• Nearly 12.5% of the connected domains were malicious

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download the related threat research materials here.

What We Know about the IoCsth>

Four domains and four IP addresses each were tagged for directing Matanbuchus command-and-control (C&C) traffic. All of these domains were created between 10 and 12 June 2022, with Namecheap and Eranet as registrars.

On the other hand, most of the IP addresses were geolocated in the U.S., with different Internet service providers (ISPs). The table below provides some details about the IoCs that TIP revealed.

We also obtained 14 phishing emails, which yielded 13 different email domains. Running these domains on TIP, we found that only two had blacklisted MX servers, and another two were potentially dangerous due to their locations and redirects. However, most had problematic MX, SSL, and name server configurations.

Among the most glaring misconfigurations was the domain owners’ failure to set up DMARC, making the properties vulnerable to email spoofing. In fact, some of the Matanbuchus phishing emails have been spoofed, like this malware spam example provided by Malware Traffic Analysis.

Other issues that TIP detected include:

• Recently obtained SSL certificates
• Expired or no SSL certificates at all
• Name servers located in the same or single network
• Stealth or missing name servers

Legitimate organizations prioritizing cybersecurity should do their best to conform to the latest protocols, standards, and configurations. Those issued with warnings may be vulnerable to spoofing and exploitation or may not be legitimate at all.

Uncovering Potentially Connected Domainsth>

Gleaning insights from the four IoC domains’ WHOIS records and the 13 email domains’ MX servers, we uncovered 611 artifacts or connected domains. Most of these artifacts were .icu and .com domains created in June 2022 with either Namecheap or Eranet as registrar. They shared the same WHOIS characteristics as the IoC domains.

Some artifacts shared the same MX records as the phishing emails. However, we didn’t include properties that shared MX servers with more than 300 domains, as they could be using public MX servers, resulting in false positives. Only two domains potentially used public MX servers.

The artifacts also included domains created in June 2022 that contained “telemetry,” the text string used in two of the IoCs. The chart below illustrates the distribution of the artifacts.

Malicious Artifacts Alertth>

The four C&C domains and 14 phishing emails tagged in the Matanbuchus-led Cobalt Strike attack led us to more than 600 connected domains. While some of the associations could be fortuitous, TIP flagged 12.44% of the artifacts as malicious.

As a threat actor weapon, Cobalt Strike is dreadful and powerful. When combined with a MaaS like Matanbuchus and sophisticated phishing campaigns, their repercussions could be exponential. As such, we strove to shed light on this threat and its IoCs.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.