Matanbuchus Malware Uses Google Drive Link in Phishing Attack

You’ve probably never heard of Matanbuchus malware, but you need to know about it and how it is using Google Drive and other legitimate infrastructure to worm its way into your network. This cyber security risk first surfaced in February 2021, but recently a cyber criminal used Google Drive to launch an attack that is significantly more difficult to detect than most others.

At its core, Matanbuchus is malware-as-a-service (MaaS) that uses a contact form to infiltrate infrastructures. For instance, Matanbuchus uses Google Drive links to fetch and run executable files from its command and control servers without being detected. It delivers the malware loader with convincing social engineering tactics that trick users into thinking the malware file is part of their legitimate Google Drive infrastructure.

In a June 2022 attack, the threat actor succeeded in hijacking the email thread of a teacher at a well-known school district, then leveraged the teacher’s identity, and the real school at which she worked, as a way to avoid detection. The email thread was then used to deliver a compromised email through a legitimate domain, in this case Google Drive.

The cyber criminals used multiple elements to create the appearance of legitimacy and fool targets, while obfuscating the malware to bypass email security. Here is how it works:

  • You receive an email from a familiar domain, such as the teacher’s email or school district website.
  • The email contains a link from a legitimate infrastructure provider, such as Google Drive.
  • Clicking that link downloads the malware to your computer: code behind the link diverts the download from the legitimate location (Google Drive) to another location and file.
  • Once the initial Matanbuchus malware is installed on your device, it can download other malware, as well.
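One defender-side check for the delivery chain described above, added here as an example and not taken from the original post or from any Matanbuchus analysis: it pulls links out of an email body, follows each link's redirect chain through an injectable fetcher, and flags a link that is presented as Google Drive but resolves off-platform or to an executable. The trusted-host list, the sample email, and the redirect map (a constructed stand-in for live HTTP responses so the code runs offline) are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Hosts the lure presents as "legitimate infrastructure" (assumed list).
TRUSTED_FILE_SHARE_HOSTS = {"drive.google.com", "docs.google.com"}
# A "meeting document" link should never resolve to one of these.
EXECUTABLE_EXTENSIONS = (".exe", ".msi", ".dll", ".js", ".vbs", ".scr", ".lnk")
URL_RE = re.compile(r"""https?://[^\s<>"')]+""")

def host_matches(hostname, trusted):
    """Exact host or subdomain match; a substring test would accept lookalikes."""
    hostname = (hostname or "").lower()
    return any(hostname == t or hostname.endswith("." + t) for t in trusted)

def follow_redirects(url, fetch, max_hops=10):
    """Walk the redirect chain; fetch(url) returns the next Location or None."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain

def assess_link(url, fetch):
    """Flag a link that starts on a trusted host but lands elsewhere or on a binary."""
    chain = follow_redirects(url, fetch)
    final = urlparse(chain[-1])
    findings = []
    if (host_matches(urlparse(chain[0]).hostname, TRUSTED_FILE_SHARE_HOSTS)
            and not host_matches(final.hostname, TRUSTED_FILE_SHARE_HOSTS)):
        findings.append("trusted-host link diverted off-platform")
    if final.path.lower().endswith(EXECUTABLE_EXTENSIONS):
        findings.append("final download is an executable")
    return {"url": url, "chain": chain, "findings": findings}

def assess_email(body, fetch):
    """Return only the links in an email body that raised a finding."""
    results = (assess_link(u, fetch) for u in URL_RE.findall(body))
    return [r for r in results if r["findings"]]

# Constructed sample lure modelled on the hijacked-thread meeting invitation.
SAMPLE_BODY = """Hi all, the document for Thursday's community meeting is here:
https://drive.google.com/file/d/EXAMPLE-ID/view
Agenda: https://www.example-school.test/agenda"""
# Constructed redirect map standing in for live HTTP 3xx responses.
REDIRECTS = {"https://drive.google.com/file/d/EXAMPLE-ID/view":
             "https://cdn.example-loader.test/meeting_notes.exe"}
fake_fetch = REDIRECTS.get  # stand-in for an HTTP client that reads Location
```

In production the fetcher would be a HEAD request with redirects disabled, run from a sandboxed host, so the email gateway can reject or quarantine the message before a user ever clicks.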

In the recent incident reported by Abnormal, criminals impersonated the teacher and sent an email inviting members of a school community group to a community meeting, with a link to a document related to the event. The scam used the teacher’s email and school district name to seem credible and trick users. Using Google Drive (or another legitimate infrastructure) to deliver the link was an attempt to bypass email security rules. Once the link was clicked, a domino effect began, with malicious files downloading from multiple domains to increase the chance that the download succeeded.

Make sure your team knows not to trust email links simply because they look like they’re from someone they know or from a familiar infrastructure. This should be part of your overall phishing prevention and cyber security training.

Matanbuchus Malware and More

Intrust IT has been helping businesses with cyber security and managed IT support for decades. Contact us or book a no obligation meeting. We are here to help.

Dave Hatter (CISSP, CCSP, CCSLP, CISA, CISM, PMP and ITIL) is a cyber security consultant, writer, educator and on-air media contributor. See hundreds of Dave’s expert interviews on cyber security on his YouTube channel, or tune in to 55KRC every Friday morning at 6:30 for his “Tech Friday” segment.
