Matanbuchus Malware Uses Google Drive Link in Phishing Attack

Matanbuchus Malware Attack Uses Google Drive

Matanbuchus Malware Uses Google Drive Link in Phishing Attack

You’ve probably never heard of Matanbuchus malware but you need to know about it and how it is using Google Drive and other legitimate infrastures to worm its way into your network. This cyber security risk first surfaced in February 2021, but recently, a cyber criminal used Google Drive to launch an attack that is significantly more difficult to detect than most others.

At its core, Matanbuchus  is malware-as-a-service (MaaS) that uses a contact form to infiltrate infrastructures. For instance, Matanbuchus uses Google Drive to download and run executable files without detection from command and control servers.  It delivers the malware loader with convincing social engineering tactics that trick users into thinking the malware file is part of their legitimate Google Drive infrastructure. 

In a June 2022 attack, the threat actor succeeded in hijacking a well-known school district’s teacher’s email thread and using it to leverage the teacher’s identity as well as the real school at which she worked as a way to avoid detection. The email thread was then used to deliver a compromised email through a legitimate domain, in this case Google Drive.

The cyber criminals used the multiple elements to create the appearance of legitimacy and fool targets while obfuscating the malware to bypass email security. Here is how it works:

  • You receive an email from a familiar domain, such as the teacher’s email or school district website.
  • The email contains a link from a legitimate infrastructure provider, such as Google Drive.
  • Clicking that link downloads the malware to your computer through coding that diverts the downloader from the legitimate location (Google Drive) to another location and file. 
  • Once the initial Matanbuchus malware is installed on your device, it can download other malware, as well.

In the recent incident reported by Abnormal, criminals impersonated the teacher and sent an email inviting members of a school community group to participate in a community meeting with a link to a document related to the event. The scam used the teacher’s email and school district name to seem credible and trick users. Using Google Drive (or another legitimate infrastructure) to deliver the link was an attempt to bypass email security rules. Once the link was clicked, a domino effect began with malicious files downloading from multiple domains to increase the download success.

Make sure your team knows not to trust email links simply because they look like they’re from someone they know or from a familiar infrastructure. This should be part of your overall phishing prevention and cyber security training.

Matanbuchus Malware and More

Intrust IT has been helping businesses with cyber security and managed IT support for decades. Contact us or book a no obligation meeting. We are here to help.

Posted in
Dave Hatter

Dave Hatter

Dave Hatter (CISSP, CCSP, CCSLP, Security+, Network+) is a cyber security consultant, writer, educator and on-air media contributor. See hundreds of Dave’s expert interviews on cyber security on his YouTube channel, or tune in to 55KRC every Friday morning at 6:30 for his “Tech Friday” segment.

Share this Blog

Not Sure Where To Start Looking for an MSP?

Our Managed IT Checklist will help you choose the right IT provider.

Get the checklist

Explore the Latest Trends in IT

Google Workspace Vulnerability Risk Assessment

Google Workspace Vulnerability Risk Assessment

Have you or your company considered going through a Google Workspace vulnerability risk assessment? You wouldn’t be the first to...
social engineering threat trends

Don’t Be Fooled by These Social Engineering Threat Trends

Social engineering is the primary cause of cyberattacks today, so it is critical to keep your team informed of the...
Intrust Nine Days Away from Keyboard Initiative

Nine Days Away From Keyboard Initiative

At Intrust IT, we understand the importance of taking time off to recharge and refresh, just like Ferris Bueller did...
9 Phishing Scam Prevention Tips

9 Phishing Scam Prevention Tips

If you’ve been on the Internet or working at a desk job, you’ve likely heard the term “phishing” thrown around...
Azure vs Aws

Azure vs AWS: Which Should I Choose?

The Azure vs AWS debate is a complex one to handle. You’re likely thinking about which cloud architecture of the...
Cloud Organization Tips

8 Best Cloud Organization Tips (And Why You Should Use Them)

The cloud makes it easy to share, store and manage files, but without routine maintenance, it can become messier than...