Matanbuchus Malware Uses Google Drive Link in Phishing Attack

Matanbuchus Malware Uses Google Drive Link in Phishing Attack

You’ve probably never heard of Matanbuchus malware but you need to know about it and how it is using Google Drive and other legitimate infrastures to worm its way into your network. This cyber security risk first surfaced in February 2021, but recently, a cyber criminal used Google Drive to launch an attack that is significantly more difficult to detect than most others.

At its core, Matanbuchus  is malware-as-a-service (MaaS) that uses a contact form to infiltrate infrastructures. For instance, Matanbuchus uses Google Drive to download and run executable files without detection from command and control servers.  It delivers the malware loader with convincing social engineering tactics that trick users into thinking the malware file is part of their legitimate Google Drive infrastructure. 

In a June 2022 attack, the threat actor succeeded in hijacking a well-known school district’s teacher’s email thread and using it to leverage the teacher’s identity as well as the real school at which she worked as a way to avoid detection. The email thread was then used to deliver a compromised email through a legitimate domain, in this case Google Drive.

The cyber criminals used the multiple elements to create the appearance of legitimacy and fool targets while obfuscating the malware to bypass email security. Here is how it works:

  • You receive an email from a familiar domain, such as the teacher’s email or school district website.
  • The email contains a link from a legitimate infrastructure provider, such as Google Drive.
  • Clicking that link downloads the malware to your computer through coding that diverts the downloader from the legitimate location (Google Drive) to another location and file. 
  • Once the initial Matanbuchus malware is installed on your device, it can download other malware, as well.

In the recent incident reported by Abnormal, criminals impersonated the teacher and sent an email inviting members of a school community group to participate in a community meeting with a link to a document related to the event. The scam used the teacher’s email and school district name to seem credible and trick users. Using Google Drive (or another legitimate infrastructure) to deliver the link was an attempt to bypass email security rules. Once the link was clicked, a domino effect began with malicious files downloading from multiple domains to increase the download success.

Make sure your team knows not to trust email links simply because they look like they’re from someone they know or from a familiar infrastructure. This should be part of your overall phishing prevention and cyber security training.

Matanbuchus Malware and More

Intrust IT has been helping businesses with cyber security and managed IT support for decades. Contact us or book a no obligation meeting. We are here to help.

Posted in
Dave Hatter

Dave Hatter

Dave Hatter (CISSP, CCSP, CCSLP, Security+, Network+) is a cyber security consultant, writer, educator and on-air media contributor. See hundreds of Dave’s expert interviews on cyber security on his YouTube channel, or tune in to 55KRC every Friday morning at 6:30 for his “Tech Friday” segment.

Share this Blog

Get This Free Resource to Protect Your Business

Checklist: "14 Non-Technical Things You Can Do Today to Protect Your Business from Cyber Crime"

Trending Now: Read More From Intrust IT

2022 Inc. 5000's List

Intrust IT on 2022 Inc. 5000’s List of Fastest Growing Companies

By Tim Rettig | August 18, 2022

CINCINNATI – Intrust IT, a cyber security and IT support company, has been named on the 2022 Inc. 5000’s prestigious annual list of fastest growing companies. For the fourth time, Intrust has ranked among America’s most successful and rapidly growing private businesses. Since its establishment in 1992, the IT company has been putting the “service”…

Microsoft Office Auditing Case Study

How One Client Saved 28K with Microsoft Office 365 Auditing

By Intrust Man | June 16, 2022

We saved one client over $28,000 per year on Microsoft Office 365 licenses through our Office 365 auditing process.  Here at Intrust, almost all of our clients use Microsoft Office 365 licensing for some combination of email hosting, Office software, and Dynamics CRM. Sometimes clients who had Microsoft 365 prior to their relationship with Intrust…

Managed Microsoft 365 featured image

Managed Microsoft 365: 9 Benefits of Managed IT Services

By Tim Rettig | June 16, 2022

If you are using or considering Microsoft 365 for your business? Consider this: Managed Microsoft 365 is even better. Managed 365 means that a managed service provider (MSP) correctly configures, optimizes and provides ongoing support for your Microsoft 365 installation. Here are nine reasons why your company should partner with an MSP for your Microsoft…