Matanbuchus Malware Uses Google Drive Link in Phishing Attack

Matanbuchus Malware Uses Google Drive Link in Phishing Attack

You’ve probably never heard of Matanbuchus malware but you need to know about it and how it is using Google Drive and other legitimate infrastures to worm its way into your network. This cyber security risk first surfaced in February 2021, but recently, a cyber criminal used Google Drive to launch an attack that is significantly more difficult to detect than most others.

At its core, Matanbuchus  is malware-as-a-service (MaaS) that uses a contact form to infiltrate infrastructures. For instance, Matanbuchus uses Google Drive to download and run executable files without detection from command and control servers.  It delivers the malware loader with convincing social engineering tactics that trick users into thinking the malware file is part of their legitimate Google Drive infrastructure. 

In a June 2022 attack, the threat actor succeeded in hijacking a well-known school district’s teacher’s email thread and using it to leverage the teacher’s identity as well as the real school at which she worked as a way to avoid detection. The email thread was then used to deliver a compromised email through a legitimate domain, in this case Google Drive.

The cyber criminals used the multiple elements to create the appearance of legitimacy and fool targets while obfuscating the malware to bypass email security. Here is how it works:

• You receive an email from a familiar domain, such as the teacher’s email or school district website.
• The email contains a link from a legitimate infrastructure provider, such as Google Drive.
• Clicking that link downloads the malware to your computer through coding that diverts the downloader from the legitimate location (Google Drive) to another location and file. 
• Once the initial Matanbuchus malware is installed on your device, it can download other malware, as well.

In the recent incident reported by Abnormal, criminals impersonated the teacher and sent an email inviting members of a school community group to participate in a community meeting with a link to a document related to the event. The scam used the teacher’s email and school district name to seem credible and trick users. Using Google Drive (or another legitimate infrastructure) to deliver the link was an attempt to bypass email security rules. Once the link was clicked, a domino effect began with malicious files downloading from multiple domains to increase the download success.

Make sure your team knows not to trust email links simply because they look like they’re from someone they know or from a familiar infrastructure. This should be part of your overall phishing prevention and cyber security training.

Matanbuchus Malware and More

Intrust IT has been helping businesses with cyber security and managed IT support for decades. Contact us or book a no obligation meeting. We are here to help.