|
For US$2,500, threat actors can employ Matanbuchus, a malware-as-a-service (MaaS) package found delivering Cobalt Strike beacons through phishing and spam messages. Cobalt Strike is a powerful security tool that threat actors are increasingly using as a reconnaissance and post-exploitation weapon.
Our researchers obtained a list of indicators of compromise (IoCs) and email domains used in phishing campaigns. Using Threat Intelligence Platform (TIP), we analyzed and expanded them in this report. Our findings include:
As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download the related threat research materials here.
Four domains and four IP addresses each were tagged for directing Matanbuchus command-and-control (C&C) traffic. All of these domains were created between 10 and 12 June 2022, with Namecheap and Eranet as registrars.
On the other hand, most of the IP addresses were geolocated in the U.S., with different Internet service providers (ISPs). The table below provides some details about the IoCs that TIP revealed.
IP Addresses | Associated IoC Domains | Geolocation | ISP |
---|---|---|---|
144[.]208[.]127[.]245 | file location | U.S. | Shock Hosting LLC |
185[.]217[.]1[.]23 | extic[.]icu | U.S. | Panamaserver.com |
190[.]123[.]44[.]220 | reykh[.]icu | U.S. | Panamaserver.com |
213[.]226[.]114[.]15 | collectiontelemetrysystem[.]com telemetrysystemcollection[.]com | Russia | VDS |
We also obtained 14 phishing emails, which yielded 13 different email domains. Running these domains on TIP, we found that only two had blacklisted MX servers, and another two were potentially dangerous due to their locations and redirects. However, most had problematic MX, SSL, and name server configurations.
Among the most glaring misconfigurations was the domain owners’ failure to set up DMARC, making the properties vulnerable to email spoofing. In fact, some of the Matanbuchus phishing emails have been spoofed, like this malware spam example provided by Malware Traffic Analysis.
Other issues that TIP detected include:
Legitimate organizations prioritizing cybersecurity should do their best to conform to the latest protocols, standards, and configurations. Those issued with warnings may be vulnerable to spoofing and exploitation or may not be legitimate at all.
Gleaning insights from the four IoC domains’ WHOIS records and the 13 email domains’ MX servers, we uncovered 611 artifacts or connected domains. Most of these artifacts were .icu and .com domains created in June 2022 with either Namecheap or Eranet as registrar. They shared the same WHOIS characteristics as the IoC domains.
Some artifacts shared the same MX records as the phishing emails. However, we didn’t include properties that shared MX servers with more than 300 domains, as they could be using public MX servers, resulting in false positives. Only two domains potentially used public MX servers.
The artifacts also included domains created in June 2022 that contained “telemetry,” the text string used in two of the IoCs. The chart below illustrates the distribution of the artifacts.
The four C&C domains and 14 phishing emails tagged in the Matanbuchus-led Cobalt Strike attack led us to more than 600 connected domains. While some of the associations could be fortuitous, TIP flagged 12.44% of the artifacts as malicious.
As a threat actor weapon, Cobalt Strike is dreadful and powerful. When combined with a MaaS like Matanbuchus and sophisticated phishing campaigns, their repercussions could be exponential. As such, we strove to shed light on this threat and its IoCs.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.
Sponsored byVerisign
Sponsored byRadix
Sponsored byWhoisXML API
Sponsored byDNIB.com
Sponsored byCSC
Sponsored byIPv4.Global
Sponsored byVerisign