[https://tw](https://twitter.com/Intrinsec) [https://fr.l](https://fr.linkedin.com/company/intrinsec) [https://w](https://www.intrinsec.com/blog/) [https://w](https://www.intrinsec.com/blog/) [itter.com/I](https://twitter.com/Intrinsec) [inkedin.co](https://fr.linkedin.com/company/intrinsec) [ww.intrins](https://www.intrinsec.com/blog/) [ww.intrins](https://www.intrinsec.com/blog/) [ec com/bl](https://www.intrinsec.com/blog/) ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR # Table of contents Key findings ............................................................................................................................................. 3 Introduction ............................................................................................................................................. 3 I - Strategical Intelligence ........................................................................................................................ 4 1. Attribution ................................................................................................................................... 4 II - Tactical Intelligence ............................................................................................................................ 5 1. Tactics, Techniques and Procedures ........................................................................................... 5 1.1. Malspam campaign ................................................................................................................. 5 1.2. Google ads campaign .............................................................................................................. 6 2. Code Analysis ............................................................................................................................... 7 2.1. First stage JavaScript ............................................................................................................... 7 2.2. Main payload: Matanbuchus DLL ............................................................................................ 9 3. Infrastructure Analysis .............................................................................................................. 19 3.1. Finding future campaigns with Mihail Kolesnikov................................................................. 19 3.2. Hosting the Matanbuchus C2s on Russians Bulletproof Autonomous Systems ................... 20 3.2.1. Proton66 OOO – AS198953 .................................................................................... 22 3.2.2. Websites infected with SocGholish ........................................................................ 23 Conclusion ............................................................................................................................................. 25 III - Actionable content .......................................................................................................................... 26 1. Indicators of compromise.......................................................................................................... 26 2. Recommendations..................................................................................................................... 29 3. Sources ...................................................................................................................................... 29 © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR # Key findings - How a pivot on the Whois of the C2 domains of Matanbuchus can be leveraged to anticipate future campaigns and wider threats. - A seemingly Russia-based Bulletproof hosting service is currently used by impactful intrusion sets leveraging Matanbuchus and SocGholish malware. - How the encrypted strings contained in the Matanbuchus DLL can be dynamically decrypted with emulation. - TA577 could currently be a client of Matanbuchus, or just testing the solution. # Introduction In early March, malspam campaigns were launched with the intention of deploying the Matanbuchus Loader. Intrinsec’s CTI team decided to analyse these campaigns to unveil details of the attack chain which could be leveraged to anticipate further threats. As we will later describe in this report, by analysing the infrastructure of the malware and its network communications, we were able to discover a previously unknown Autonomous System that currently hosts a wide range of other malicious activities. © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR # I - Strategical Intelligence ### 1. Attribution The loader leveraged for these campaigns was named “Matanbuchus” by its developer “BelialDemon” and is currently being sold to a limited number of clients for 10,000 dollars a month on an underground forum. _Figure 1. Thread of the Matanbuchus loader on Exploit._ We believe that the main client of this loader is the **Black Basta ransomware affiliate** **TA577. This** affiliate is [known](https://redcanary.com/threat-detection-report/threats/qbot/) for having deployed **QakBot and** **Cobalt Strike for both initial access and post** [exploitation purposes. In a campaign reported](https://www.esentire.com/blog/june-2022-qakbot-campaign) by eSentire and dating from June 2022, a Cobalt Strike beacon loaded by QakBot communicated with two C2 servers (“extic[.]icu” and “reykh[.]icu”) which were also [reported](https://github.com/pr0xylife/Matanbuchus/blob/main/Matanbuchus_16.06_2022.txt) by threat researchers Pr0xylife and [Brad Duncan](https://isc.sans.edu/diary/Malspam+pushes+Matanbuchus+malware+leads+to+Cobalt+Strike/28752) in a Matanbuchus campaign from the same month. [In March 27[th], the Cryptolaemus team reported](https://twitter.com/Cryptolaemus1/status/1772757743062913152) a PikaBot and DarkGate campaign launched by TA577 that used the same techniques as a Matanbuchus campaign dating from 20 days earlier. As it can be observed on the figure below, the Excel template and the method used to download the second stage from a Samba server is the same for the two campaigns. _Figure 2. Phishing templates that were used in both campaigns operated by TA577._ © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR # II - Tactical Intelligence ### 1. Tactics, Techniques and Procedures 1.1. Malspam campaign The campaign was launched on March 7[th] and started with an Excel document attached to an email. An image on the document lures the user to click on an “Open” button to correctly display its content. Instead, it downloads and runs a JavaScript file named “Open_Document.PDF.js” hosted on a Samba server with the IP “5.252.177[.]213”. _Figure 3. Content of the Excel document._ The purpose of the JavaScript file is to download a Matanbuchus DLL named “50k.png” and hosted on “988.skins[.]com/admin/view/stylesheet/50k.png”. This DLL is saved on the disk under the name “50.cpl” and launched with the [Living of the Land](https://lolbas-project.github.io/lolbas/Binaries/Control/) binary “control.exe” for evasion purposes. Launching the malware with this process is an option advertised on the Matanbuchus thread on Exploit. Once executed, the Matanbuchus DLL communicates with two C2 addresses, “muagol[.]com/Traffic/link/posting/index.php” and “gulappa[.]com”, to send information about the infected host in a POST request. The data is encrypted and base64 encoded. It contains information like the amount of RAM on the machine, the privileges of the user, the number of CPUs, the domain name, the computer’s name, and the MAC address. _Figure 4. Content of the POST request sent to the C2 by the Matanbuchus DLL._ © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR 1.2. Google ads campaign On March 26[th], Unit42 [tweeted](https://twitter.com/Unit42_Intel/status/1772988284571877807) about a campaign abusing Google ads to push a malicious website “treasurybanks[.]org”, pretending to be an American bank that can recover unclaimed funds for the citizens of the United States. Once on the website, the user is lured to download a report on how he can claim those funds. The downloaded file is a ZIP archive named “q-report-53394.zip” containing a malicious JavaScript named “q-report-60033.js”. _Figure 5. The malicious website appears as an ad after a search on Google._ _Source:_ _[https://twitter.com/Unit42_Intel/status/1772988284571877807/photo/2.](https://twitter.com/Unit42_Intel/status/1772988284571877807/photo/2)_ Once executed by the user, the JavaScript file would download an .MSI installer that would download the main **Matanbuchus DLL. As reported by Unit42 in its tweet, a** **DanaBot executable was then** delivered on the host. The creator of Matanbuchus is indeed promoting a discount of 1,000 dollars on his loader for users that are already clients of DanaBot. The actor behind this campaign could have taken advantage of this offer as both malwares were deployed on the infected machine. _Figure 6. Message that appears on the thread of the Matanbuchus loader, where a discount is proposed for DanaBot clients._ One user on Exploit with the nickname “kaptoxa” publicly claimed that he was a client of Matanbuchus and DanaBot by complementing both malwares. Despite this information we could not associate this user to the observed campaign. _Figure 7. Comments made by the user “kaptoxa” on the Matanbuchus and DanaBot threads on the forum “Exploit”._ © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR The domain hosting the Matanbuchus DLL “sweetapp[.]page” that is downloaded by the .MSI installer, was hosted on what we believe to be a bulletproof Autonomous System based in Russia named “Komkov Vadim Aleksandrovich” (AS216234). Intrinsec’s CTI team listed the netblocks of this AS in the “Indicators of compromise” section of this report. ### 2. Code Analysis 2.1. First stage JavaScript Upon clicking on the “Open” button in the Excel table, a JavaScript file is downloaded from “\\5.252.177[.]213\share\Open_Document.PDF.js” [(VirusTotal) and executed by](https://www.virustotal.com/gui/file/c66e705f800b30f591505be1c429c2e01b7851eb60bda14767d9d871151822e5) **wscript.exe. This** script is slightly obfuscated as it mainly contains commented text about the war in Ukraine. Within these comments are actual pieces of code that will be extracted and executed later. _Figure 8. Content of the JavaScript file mainly comments._ At the very end of the file are three obfuscated functions: - One is used to retrieve the current script name, - One is used to read the file’s content, - One is used to regex the file’s content to retrieve the actual code and execute it. © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR _Figure 9. Obfuscated (left) and deobfuscated (right) parsing of the next stage script._ This next stage script contains code to download, save, and run another next stage from [“hxxps://988skins[.]com/admin/view/stylesheet/50k.png” (VirusTotal). This file is the Matanbuchus](https://www.virustotal.com/gui/url/bd66ac5f5b7f0f4f206ac2de67c38578b859c9ce6153024165cb52350b29a061) DLL, which is actually executed as a control panel file (.CPL) by passing it to control.exe as an argument. _Figure 10. Obfuscated (top) and deobfuscated (bottom) next stage script which downloads and executes Matanbuchus._ © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR [It is interesting to note that a very similar technique was described](https://embee-research.ghost.io/latrodectus-script-deobfuscation/) recently by Embee Research. This article is about a Latrodectus kill chain involving a JavaScript file filled with comments and a regex function to parse and execute relevant instructions. 2.2. Main payload: Matanbuchus DLL The main payload is a 32-bit Windows Portable Executable, compiled with Microsoft Visual C/C++ version 19. _Figure 11. Output of Detect It Easy._ Its control flow is heavily obfuscated by useless instructions, and it contains several obfuscation techniques such as dynamic API resolving, API hashing and string encryption, which we will detail later. It contains three interesting exported functions: - The entry point, - DllRegisterServer, - DllUnregisterServer. _Figure 12. Matanbuchus's exported functions._ All the other exports do not contain any analysis worthy code. First, we began by looking at the entry point, as it is the function executed when calling control.exe. By following the execution flow dynamically in the debugger, we came upon a switch-case statement based on fwdReason. © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR _Figure 13. Switch-case statement based on fdwReason._ As a reminder, fdwReason is an argument of the DllMain function. It is an unsigned integer indicating [why the DLL is being called. It can have the following values (additional information here):](https://learn.microsoft.com/en-us/windows/win32/dlls/dllmain) - 0: DLL_PROCESS_DETACH - 1: DLL_PROCESS_ATTACH - 2: DLL_THREAD_ATTACH - 3: DLL_THREAD_DETACH As the DLL is loaded by control.exe, the value for fdwReason in our case is 1. Following the execution flow, we came upon an interesting function. Its role is to call all the functions referenced within a certain address range in the data section. _Figure 14. Specific functions calling._ Among the function calls we found some interesting ones. One of those is used to retrieve a pointer to the TEB (Thread Environment Block) and stores it in a global variable. Other function calls are used to decrypt specific strings: - DllResgisterServer, the name of an export - hxxps://selevkis[.]app/useraccount.aspx, a URL - hxxps://muagol[.]com/useraccount.aspx, a URL © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR These URLs all host the same file (Matanbuchus DLL) under a different name (useraccount.aspx) mimicking an ASP.NET file name, which is usually used in the context of Microsoft IIS servers (Internet Information Services). These decrypting functions always follow the same scheme: an encrypted string construction on the stack for obfuscation, followed by the writing of this string in a global variable (.data section). Once that is done, the actual decryption is made by passing the address of the encrypted string, its length, a key and a bit shift to a function. _Figure 15. String decryption mechanism._ We were able to decrypt these strings dynamically using the debugger by setting a breakpoint right after the decrypting function is called. _Figure 16. Dynamically decrypting strings using x64dbg._ However, this function to decrypt strings is called 28 times (not only 3 times). Using the debugger, we were not able to reach these calls due to anti-debugging techniques that we were not able to bypass. _Figure 17. Example of an anti-debug technique using assembly instruction INT 3 (opcode 0xCC)._ © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR [To solve this problem and still be able to decrypt the strings, we used the emulation tool Dumpulator.](https://github.com/mrexodia/dumpulator) We were then able to run the code and get the output of the decrypting function. Here is an example of a code section we were able to emulate that place two function calls: - One to build the encrypted string, - One to decrypt it. _Figure 18. Example of a string built and decrypted._ To be able to use Dumpulator, we must begin by generating a dump of a running process containing the DLL. x64dbg contains such a feature, using the minidump command: _Figure 19. Creating a dump that will be used by Dumpulator._ Once done, all we had to do was write a script and give it the start and end addresses of the emulation. _Figure 20. Dumpulator script to decrypt a string._ © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR To go a little further, we added this functionality to an IDA plugin. Here is an extract of the code we used: _Figure 21: Extract of our IDA plugin to emulate x86 assembly using Dumpulator._ However, this did not go exactly as planned, as a call (probably anti-analysis function) in the first function call (that we called “build_enc_str”) returned an error in the emulation: © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR _Figure 22. Where we had an error during the emulation._ To fix this issue, we have replaced all the instructions contained in this function by NOP instructions (opcode 0x90). _Figure 23. NOP-ed instructions to bypass the function. Error in the image, the last instruction "POP EBP" was not actually_ _NOP-ed._ _Figure 24. Patching the dump file using HXD._ © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR Once patched, the plugin (and emulation script) could execute correctly, and we were able to decrypt the strings. _Figure 25: Using of our IDA plugin for x86 emulation based on Dumpulator to decrypt LoadLibraryA string._ The next stage was to find an easy way to locate interesting functions. To do so, we thought of creating a list of all the functions sorted by the number of times they are called. This would indeed show if an encryption or a hashing function is used many times. We then were able to write an IDA script for this purpose: _Figure 26. IDA script to list all the functions by the number of times they are called._ This enabled us to locate a function we called “resolve_hashed_api”, which is used to locate the addresses of Windows APIs from a hashed value directly within the client-side code. This technique is called API hashing. It starts by iterating over the InMemoryOrderModuleList structure of the Ldr to find the base address of the DLL which contains the API (usually kernel32.dll), then iterates over all the © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR exported functions of the DLL, computes the hash and checks it against the given value. If the hash values match, the address of the API is returned. _Figure 27. Function used to locate an API given its hashed value._ [The hashing algorithm used is called FNV-1a for Fowler-Noll-Vo. We were able to reverse the hashes](https://en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93Vo_hash_function) [using HashDB. Here is an example for the resolution of VirtualAlloc:](https://hashdb.openanalysis.net/) _Figure 28. Reversing VirtualAlloc's FNV-1a hash using HashDB._ © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR Below is an example of how this function is called: it receives a hash value as parameters, and its result is stored in a global variable and returned. _Figure 29. Use the resolve API function to find the address of VirtualAlloc API._ In addition to this hashing technique, a different one is used where the name of the API is decrypted using the function analysed above then the address of the API is located using the Export Directory Table of the DLL. The function takes the address of the DLL and the decrypted name of the export, locates the Export Directory Table within the DLL, and the iterates over all the exports to find a match. [Corkami’s PE102 poster was of great help to identify the different fields of the Export Directory Table.](https://github.com/corkami/pics/blob/669facbb0b6a977f959ae6473b8346e98cf23f53/binary/PE102.png) _Figure 30. Another technique used by Matanbuchus to resolve APIs dynamically._ To wrap it up, this sample was heavily obfuscated, we identified: - Control flow obfuscation, - Debugger and anti-vm traps, - API hashing, - String encryption. © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR We believe that it has the functionality to load itself by re-downloading in order to call a different export (DllRegisterServer or DllUnregisterServer). Given the exports names, we can assume that it can be launched through regsvr.exe, which would call these exports directly. About network communications, we were able to identify two main functions. One is probably used to download itself and the other to load additional components. These functions leverage Windows APIs: - InterntOpenA - InterntOpenUrlA - InternetCloseHandle - InternetOpenW - InternetReadFile - InterntOpenUrlW © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR ### 3. Infrastructure Analysis 3.1. Finding future campaigns with Mihail Kolesnikov Among the C2 that were used for the March 7[th] campaign, all domains that had a TLD in “.app” had the value “Mihail Kolesnikov” in the “Registrant Organization” field of their Whois. By pivoting on this value, we could find other domains with the same TLD: - selevkis[.]app - gulappa[.]app - musarno[.]app - modenetwork[.]app - juprewards[.]app - blastreward[.]app - somakop[.]app [Some domains like “musarno[.]app” were indeed hosting a Matanbuchus DLL (VirusTotal) and its](https://www.virustotal.com/gui/file/aa0687832273122eb77be11e11a34bc40f533e38bbbf65262a4bd8fab3987301/) control panel. At the time of writing, the domain is currently not detected on VirusTotal with a score of 0. This DLL was communicating with another domain “somakop[.]app”, with the same Registrant Organization value in its Whois information. _Figure 31. Login page of the Matanbuchus control panel hosted on one of the C2._ We already encountered the name “Mihail Kolesnikov” upon an investigation that we conducted on Snatch ransomware and that we shared with our clients the 14[th] of April 3023. Indeed, while illuminating the Snatch ransomware backend infrastructure, we found that this pseudonym registered hundreds of domains recently. A new domain related to Snatch has been registered since our first report (filesnatchcloud[.]pro). We could link a fraction of those domains with medium-high confidence to ICEDID malversing landing **domains. Our analysis suggests that the backend infrastructure of Snatch relies on a fast flux service** that frequently rotates IP addresses that we could link to other threats such as the ransomware called **RansomEXX but also the Magecart group. It could be used as (DNS) based evasion technique blending** the traffic into a pool of hosts acting as reverse proxies and shielded via bulletproof autonomous systems. © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR The pivot around **“Mihail Kolesnikov” tied to malversing phishing campaigns was then cross-** correlated by **KrebsonSecurity in a public** [article](https://krebsonsecurity.com/2023/09/snatch-ransom-group-exposes-visitor-ip-addresses/) dating from September 2023. In this paper, **Brian** **Krebs also mentions that “Mihail Kolesnikov” was used to register many phishing websites with the** same TLD “.top and .app […] to mimic the domains of major software companies”. Is also mentioned in the same article that many stealers fuelling the top tier Russian speaking ransomware ecosystem were disseminated via such campaigns. We could also find that the clear-web version of the Hunters International ransomware group’s DLS (huntersinternational[.]org) that recently emerged, was registered with the same name. Rakesh Krishnan cross-correlated that link [publicly](https://infosecwriteups.com/identity-of-hunters-international-ransomware-gang-dls-exposed-b287350a707f) the 5th of February 2023, while reporting on potential _“persona/fake identity adopted by Hunters International […] with a strong connection to Nigeria”._ [Sentinelone](https://www.sentinelone.com/anthology/hive/) [stated that Hunter’s international is a reemergence since October 2023 of the defunct](https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant) [Hive ransomware brand. The reverse malware analyst ritvina (@rivitna2)](https://twitter.com/rivitna2/status/1715345562034225621) [substantiated such](https://twitter.com/rivitna2/status/1715345562034225621) [statement](https://twitter.com/rivitna2/status/1715345562034225621) by connecting Hive ransomware V6 endowed by [sophisticated hybrid encryption](https://twitter.com/rivitna2/status/1606831626843029504) [mechanism](https://twitter.com/rivitna2/status/1606831626843029504) to the one exhibiting Hunter’s international ransom notes. [Bushidotoken assessed that “at](mailto:https://twitter.com/BushidoToken/status/1715368444806275182mailto:@BushidoToken) _least 60%” of the code was reused from Hive ransomware. Another indication of such rebrand,_ [published by Valéry Marchive, is the fact that Hunters international faked its wall of shame records](https://www.lemagit.fr/actualites/366579533/Ransomware-Hunters-International-apparait-recycler-des-donnees-volees-par-Hive) with recycled victims of Hive; this phenomenon is [often encountered](mailto:https://www.sentinelone.com/blog/ransomware-evolution-how-cheated-affiliates-are-recycling-victim-data-for-profit/) in the ransomware ecosystem. Since “Mihail Kolesnikov” continues to register domains related to various malicious activities, following its activities could be used to anticipate the creation of C2 or phishing pages used in future campaigns, as we did with Matanbuchus to preempt ransomware attacks. 3.2. Hosting the Matanbuchus C2s on Russians Bulletproof Autonomous Systems Concerning the C2 hosting infrastructure, the threat actor used two bulletproof hosting services, “Chang Way Technologies Co. Limited” (AS57523), registered in Honk-Kong but with servers located in Russia, and “Proton66 OOO” (AS198953), registered in Russia with servers located in Russia. **AS name** **C2 domain** **C2 IP** Chang Way Technologies Co. Limited muagol[.]com 185.11.61[.]170 Chang Way Technologies Co. Limited selevkis[.]app 185.11.61[.]71 Chang Way Technologies Co. Limited gulappa[.]app 185.11.61[.]172 Proton66 OOO musarno[.]app 193.143.1[.]207 Proton66 OOO somakop[.]app 193.141.1[.]196 Proton66 OOO iseberkis[.]com 193.143.1[.]198 Proton66 OOO dumingas[.]com 193.143.1[.]197 © I t i |AS name|C2 domain|C2 IP| |---|---|---| |Chang Way Technologies Co. Limited|muagol[.]com|185.11.61[.]170| |Chang Way Technologies Co. Limited|selevkis[.]app|185.11.61[.]71| |Chang Way Technologies Co. Limited|gulappa[.]app|185.11.61[.]172| |Proton66 OOO|musarno[.]app|193.143.1[.]207| |Proton66 OOO|somakop[.]app|193.141.1[.]196| |Proton66 OOO|iseberkis[.]com|193.143.1[.]198| |Proton66 OOO|dumingas[.]com|193.143.1[.]197| ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR We will not go into much detail about “Chang Way Technologies Co. Limited”, as it already caught the [attention of threat researcher Joshua Penny in a Medium blog post that he wrote in November 2023.](https://medium.com/@joshuapenny88/hostinghunter-series-chang-way-technologies-co-limited-a9ba4fce0f65) In the blog post, Joshua detailed the network infrastructure of the Autonomous Systems and the various malicious activities that it allowed on its servers. Additionally, he unveiled the two names of the services offering those servers: “BEARHOST” and “UNDERGROUND”, both advertised on underground forums and Telegram. BelialDemon, the author of Matanbuchus, is indeed a long-time partner of this bulletproof hosting service. In the figure below, he gives excellent feedback on the BEARHOST thread, and also declares that he uses the service for malware hosting. _Figure 32.Message posted by BelialDemon._ They had a previous partnership on an older loader project from 2020 operated by BelialDemon and named “TriumphLoader”. On the thread of the project, BEARHOST stated that they were official partners and that all clients of TriumphLoader would get a 10% discount on all the servers offered by his service. _Figure 33. Message posted by BEARHOST._ We will instead focus on the second Autonomous System “Proton66 OOO” as we did not find much literature on its activities and infrastructure. © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR 3.2.1. Proton66 OOO – AS198953 The autonomous system was allocated under RIPE on April 6[th], 2023, and is composed of five IPv4 ranges, totalling 1280 IPv4, exclusively attributed to machines located in Saint Petersburg, Russia, which is also where the company is based. _Figure 34. Location of open services on the IPs owned by Proton66 OOO according to Shodan._ [The figure below is taken from the bgp.tools](https://bgp.tools/) IPv4 heat map, where each of the blue pixels represents a responsive IPv4 from their respective range, that was attributed to a server. _Figure 35. IPv4 ranges owned by Proton66 OOO._ © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR 2021 whois details of the ranges, connection with Resheniya LLC and Unitel LLC: _Figure 36. List of the IPv4 ranges owned by Proton66 and their respective description from 2021._ Curiously, the MX server “91.226.31[.]34” that registered the domain for the Unitel LLC website “unitele[.]ru”, also registered two domains “proton.net[.]ru” and “proton.org[.]ru”. Due to the proximity of their name with Proton66, we could assess with low confidence that both Proton66 and Unitel LLC are operated by the same entity. 3.2.2. Websites infected with SocGholish During our investigation, we observed around 400 legitimate websites redirecting to a URL hosting a JavaScript file “marvin-occentus[.]net/statistic/js/stat.js” hosted on the Proton66 owned IP, “91.212.166[.]21”, and that we believe to be the first stage for a SocGholish infection. For example, on the figure below, the website on a US-based educational had this specific URL in the source code of its main page. The “stat.js” script redirects to the domain “pluralism.themancav[.]com” that is used to fingerprint the user’s machine in order for the next stage to be displayed according to the information gathered by the script. As we described in a previous report regarding this threat, the second stage of SocGholish consists of fake Chrome or Firefox pages luring the user to update his browser by downloading an infected JavaScript file. _Figure 37. Example of a legitimate website hosting a malicious JavaScript used as a first stage for a SocGholish infection._ [Once downloaded, the fake update JavaScript file (VirusTotal) communicates with a pool of domains](https://www.virustotal.com/gui/file/2d5b7d765f63d1a470c614636d1e5ed3f19ab56e96d0f22d7531fc8bf139341b/relations) used as C2s and hosted on the same IP (166.1.173[.]27) as the domain used to display the fake page. © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR Regarding the nature of the infected websites, there seems to be no specific sector of choice, as we observed industries of all kinds having their website compromised (see “Indicators of compromise section”). The threat actor seemed to have no guilt about infecting cancer research institutes and other health related entities with the SocGholish redirector script. _Figure 38. Websites of cancer research institutes infected with the first stage of SocGholish._ Democrats’ websites Interestingly, we found two infected websites belonging to Democrats’ associations in the USA used to support upcoming elections. As we cannot clearly prove that they were specifically targeted, we can make the hypothesis with low confidence that **SocGholish could be used for both widespread** infections and more targeted ones. _Figure 39. Two websites promoting the American Democratic party infected with SocGholish._ © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR France Targeting Some specific Ips like 193.143[.]1.54 of Proton66 were hosting many phishing pages created with the Plesk service that were spoofing packages tracking services like UPS, Chronopost and the French health system “Ameli”. _Figure 40. List of domains hosted on a Proton66 owned Ipv4._ These campaigns are usually sent through SMS spamming and the groups operating those attacks tend to be services offered on Telegram. _Figure 41. Example of an SMS spam campaign targeting France._ # Conclusion As Intrinsec’s CTI team observed with the Matanbuchus campaigns, old loaders can still be relevant and used by high tier threat actors like the initial access broker TA577. Focusing on the infrastructure, part of those attacks can unveil wide networks of different threats as we described with SocGholish and the phishing pages hosted with Plesk on seemingly bulletproof Russian hosting services like Proton66 OOO. Blocking IP ranges from those Autonomous Systems can prevent initial access attempts including phishing, SEO, watering hole attacks, and further steps of an intrusion like network communications with potential command-and-control servers. © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR # III - Actionable content ### 1. Indicators of compromise **Type** 1f152aca7ccc6b207e111bd8dcae7986b0678bf2a18a a827b521ca9d68dea931 c66e705f800b30f591505be1c429c2e01b7851eb60b da14767d9d871151822e5 1ca1315f03f4d1bca5867ad1c7a661033c49bbb16c4b 84bea72caa9bc36bd98b aa0687832273122eb77be11e11a34bc40f533e38bbb f65262a4bd8fab3987301 0b0eddcb3d4378680ffd3ea0fa4fd2560543487efd19 51583ec58fb2c3743f12 6416f7b03438bc55ace26745cf5274525467747a244 9e5dfe2eb516c76c543da 30bccc3b41684ce4f0e96cd31f29cd35cb8c75352a2478 e68d39d6fc16025cf6 2d5b7d765f63d1a470c614636d1e5ed3f19ab56e96d 0f22d7531fc8bf139341b mavrin-occentus[.]net pluralism.themancav[.]com welcome.visionaryyouth[.]org © I t i |Value|Type|Description| |---|---|---| |1f152aca7ccc6b207e111bd8dcae7986b0678bf2a18a a827b521ca9d68dea931|SHA-256|“AC-7-march_2024#2849.xlsx” - Xlsx| |c66e705f800b30f591505be1c429c2e01b7851eb60b da14767d9d871151822e5|SHA-256|“Open_Document.PDF.js” - JS| |1ca1315f03f4d1bca5867ad1c7a661033c49bbb16c4b 84bea72caa9bc36bd98b|SHA-256|“50.png” – Matanbuchus - DLL| |aa0687832273122eb77be11e11a34bc40f533e38bbb f65262a4bd8fab3987301|SHA-256|“useraccount.aspx” - Matanbuchus - DLL| |0b0eddcb3d4378680ffd3ea0fa4fd2560543487efd19 51583ec58fb2c3743f12|SHA-256|SocGholish redirector - JS| |6416f7b03438bc55ace26745cf5274525467747a244 9e5dfe2eb516c76c543da|SHA-256|SocGholish first stage - “stat.js”| |30bccc3b41684ce4f0e96cd31f29cd35cb8c75352a2478 e68d39d6fc16025cf6|SHA-256|SocGholish first stage – “theme.js”| |2d5b7d765f63d1a470c614636d1e5ed3f19ab56e96d 0f22d7531fc8bf139341b|SHA-256|SocGholish second stage - “Update.js”| |147.45.47[.]87|IPv4-Addr|Hosting SocGholish JS - “theme.js”| |162.33.177[.]118|IPv4-Addr|Hosting SocGholish JS – “theme.js”| |185.11.61[.]169|IPv4-Addr|Matanbuchus - C2| |185.11.61[.]170|IPv4-Addr|Matanbuchus - C2| |185.11.61[.]171|IPv4-Addr|Matanbuchus - C2| |185.11.61[.]172|IPv4-Addr|Matanbuchus - C2| |193.143.1[.]196|IPv4-Addr|Matanbuchus - C2| |193.143.1[.]197|IPv4-Addr|Matanbuchus - C2| |193.143.1[.]198|IPv4-Addr|Matanbuchus - C2| |193.143.1[.]207|IPv4-Addr|Matanbuchus - C2| |5.252.177[.]213|IPv4-Addr|Samba server hosting the JS| |988skins[.]com|Domain-Name|Domain hosting DLL| |selevkis[.]app|Domain-Name|Matanbuchus - C2| |muagol[.]com|Domain-Name|Matanbuchus - C2| |gulappa[.]app|Domain-Name|Matanbuchus - C2| |dumingas[.]com|Domain-Name|Domain hosting DLL| |iseberkis[.]com|Domain-Name|Domain hosting DLL| |redviking[.]com|Domain-Name|Infected with SocGholish| |mavrin-occentus[.]net|Domain-Name|Redirector for SocGholish| |binder-sa[.]com|Domain-Name|Redirector for SocGholish| |aitcaid[.]com|Domain-Name|Redirector for SocGholish| |pluralism.themancav[.]com|Domain-Name|Hosting SocGholish JS| |welcome.visionaryyouth[.]org|Domain-Name|Hosting SocGholish JS| ----- |trademark.iglesiaelarca[.]com|Domain-Name|Hosting SocGholish JS| |---|---|---| |iseberkis[.]com:62478/medical/plan/oslo/posting/in dex.php|URL|Matanbuchus - C2| |somakop[.]app:62478/medical/plan/oslo/posting/in dex.php|URL|Matanbuchus - C2| |musarno[.]app:62478/medical/plan/oslo/posting/in dex.php|URL|Matanbuchus - C2| |198953|ASN|Proton66 OOO| |193.143.1[.]0/24|IPv4-Addr|Netblock owned by AS198953| |45.134.26[.]0/24|IPv4-Addr|Netblock owned by AS198953| |45.135.232[.]0/24|IPv4-Addr|Netblock owned by AS198953| |45.140.17[.]0/24|IPv4-Addr|Netblock owned by AS198953| |91.212.166[.]0/24|IPv4-Addr|Netblock owned by AS198953| |57523|ASN|Chang Way Technologies Co. Limited| |176.111.174[.]0/24|IPv4-Addr|Netblock owned by AS57523| |185.11.61[.]0/24|IPv4-Addr|Netblock owned by AS57523| |185.122.204[.]0/24|IPv4-Addr|Netblock owned by AS57523| |185.198.69[.]0/24|IPv4-Addr|Netblock owned by AS57523| |185.234.216[.]0/24|IPv4-Addr|Netblock owned by AS57523| |185.81.68[.]0/24|IPv4-Addr|Netblock owned by AS57523| |188.119.66[.]0/24|IPv4-Addr|Netblock owned by AS57523| |194.26.135[.]0/24|IPv4-Addr|Netblock owned by AS57523| |45.93.20[.]0/24|IPv4-Addr|Netblock owned by AS57523| |62.122.184[.]0/24|IPv4-Addr|Netblock owned by AS57523| |85.209.11[.]0/24|IPv4-Addr|Netblock owned by AS57523| |87.247.158[.]0/23|IPv4-Addr|Netblock owned by AS57523| |91.240.118[.]0/24|IPv4-Addr|Netblock owned by AS57523| |91.241.19[.]0/24|IPv4-Addr|Netblock owned by AS57523| |152.89.198[.]0/24|IPv4-Addr|Netblock owned by AS57523| |49943|ASN|IT Resheniya LLC| |194.32.236[.]0/24|IPv4-Addr|Netblock owned by AS49943| |213.226.123[.]0/24|IPv4-Addr|Netblock owned by AS49943| |5.42.199[.]0/24|IPv4-Addr|Netblock owned by AS49943| |91.213.50[.]0/24|IPv4-Addr|Netblock owned by AS49943| |treasurybanks[.]org|Domain-Name|Google Ad site| |bologna.sunproject[.]dev|Domain-Name|Hosting the decoy PDF| |rome.sunproject[.]dev|Domain-Name|Hosting the MSI| |florence.sunproject[.]dev|Domain-Name|Pivot from the IP| |venice.sunproject[.]dev|Domain-Name|Pivot from the IP| |sunproject[.]dev|Domain-Name|Pivot from the IP| |turin.sunproject[.]dev|Domain-Name|Pivot from the IP| |sweetapp[.]page|Domain-Name|Hosting the Matanbuchus DLL| ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR © I t i ----- |gammaprojec[.]dev|Domain-Name|Matanbuchus C2| |---|---|---| |torontoclub[.]vip|Domain-Name|Hosting Danabot EXE| |34.168.202[.]91:443|IPv4 + Port|Danabot C2| |mindsmatterphilly[.]org|Domain-Name|Infected with SocGholish| |designedlearning[.]com|Domain-Name|Infected with SocGholish| |ccrcorp[.]com|Domain-Name|Infected with SocGholish| |mannmortgage[.]com|Domain-Name|Infected with SocGholish| |firstlight[.]net|Domain-Name|Infected with SocGholish| |sdic[.]org|Domain-Name|Infected with SocGholish| |speedprocanada[.]com|Domain-Name|Infected with SocGholish| |osceolataxcollector[.]org|Domain-Name|Infected with SocGholish| |doctorkiltz[.]com|Domain-Name|Infected with SocGholish| |usrailandlogistics[.]com|Domain-Name|Infected with SocGholish| |atomwise[.]com|Domain-Name|Infected with SocGholish| |kalaswire[.]com|Domain-Name|Infected with SocGholish| |poolsbydesignaz[.]com|Domain-Name|Infected with SocGholish| |ggrinc[.]com|Domain-Name|Infected with SocGholish| |gatewaycr[.]org|Domain-Name|Infected with SocGholish| |buildingintelligence[.]com|Domain-Name|Infected with SocGholish| |intervention911[.]com|Domain-Name|Infected with SocGholish| |pestpatrol1[.]com|Domain-Name|Infected with SocGholish| |dems[.]ag|Domain-Name|Infected with SocGholish| |democraticags[.]org|Domain-Name|Infected with SocGholish| |invisiblepeople[.]tv|Domain-Name|Infected with SocGholish| |govos[.]com|Domain-Name|Infected with SocGholish| |vlanj[.]org|Domain-Name|Infected with SocGholish| |vsofm[.]com|Domain-Name|Infected with SocGholish| |admin[.]nursing[.]com|Domain-Name|Infected with SocGholish| |presswire[.]com|Domain-Name|Infected with SocGholish| |democraticgovernors[.]org|Domain-Name|Infected with SocGholish| |locustfamilydentistry[.]com|Domain-Name|Infected with SocGholish| |sitesofconscience[.]org|Domain-Name|Infected with SocGholish| |fancy[.]justbartanews[.]com|Domain-Name|Infected with SocGholish| |galimidilaw[.]com|Domain-Name|Infected with SocGholish| |breakpointbooking[.]com|Domain-Name|Infected with SocGholish| |kristinhannah[.]com|Domain-Name|Infected with SocGholish| |barbarajking[.]com|Domain-Name|Infected with SocGholish| |baumgartnerlawyers[.]com|Domain-Name|Infected with SocGholish| |166.1.173[.]27|IPv4-Addr|SocGholish C2| |37.128.207[.]92|IPv4-Addr|SocGholish C2| |128.254.207[.]82|IPv4-Addr|SocGholish C2| |216234|ASN|“Komkov Vadim Aleksandrovich”| ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR © I t i ----- ## Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery TLP: CLEAR PAP: CLEAR 45.9.74[.]0/24 IPv4-Addr Netblock owned by AS216234 ### 2. Recommendations - Monitor all traffic from/to any IP address belonging to above-mentioned autonomous systems and the other IOCs. - Sigma Rules for the execution of the Control Panel Living Off the Land binary: `o` https://github.com/elastic/detection [rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_](https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml) [evasion_execution_control_panel_suspicious_args.toml](https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml) `o` [https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml) [29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml) dll_load.yml ### 3. Sources ➢ [https://twitter.com/Cryptolaemus1/status/1765796398526566434](https://twitter.com/Cryptolaemus1/status/1765796398526566434) ➢ [https://github.com/pr0xylife/Matanbuchus/blob/main/Matanbuchus_07.03_2024.txt](https://github.com/pr0xylife/Matanbuchus/blob/main/Matanbuchus_07.03_2024.txt) ➢ [https://research.openanalysis.net/matanbuchus/loader/yara/triage/dumpulator/emulation/](https://research.openanalysis.net/matanbuchus/loader/yara/triage/dumpulator/emulation/2022/06/19/matanbuchus-triage.html) [2022/06/19/matanbuchus-triage.html](https://research.openanalysis.net/matanbuchus/loader/yara/triage/dumpulator/emulation/2022/06/19/matanbuchus-triage.html) ➢ [https://isc.sans.edu/diary/Malspam+pushes+Matanbuchus+malware+leads+to+Cobalt+Strik](https://isc.sans.edu/diary/Malspam+pushes+Matanbuchus+malware+leads+to+Cobalt+Strike/28752) [e/28752](https://isc.sans.edu/diary/Malspam+pushes+Matanbuchus+malware+leads+to+Cobalt+Strike/28752) ➢ [https://medium.com/@joshuapenny88/hostinghunter-series-chang-way-technologies-co-](https://medium.com/@joshuapenny88/hostinghunter-series-chang-way-technologies-co-limited-a9ba4fce0f65) [limited-a9ba4fce0f65](https://medium.com/@joshuapenny88/hostinghunter-series-chang-way-technologies-co-limited-a9ba4fce0f65) ➢ [https://lolbas-project.github.io/lolbas/Binaries/Control/](https://lolbas-project.github.io/lolbas/Binaries/Control/) ➢ [https://krebsonsecurity.com/2023/09/snatch-ransom-group-exposes-visitor-ip-addresses/](https://krebsonsecurity.com/2023/09/snatch-ransom-group-exposes-visitor-ip-addresses/) ➢ [https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond](https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond) ➢ [https://embee-research.ghost.io/latrodectus-script-deobfuscation/](https://embee-research.ghost.io/latrodectus-script-deobfuscation/) ➢ [https://twitter.com/Unit42_Intel/status/1772988284571877807](https://twitter.com/Unit42_Intel/status/1772988284571877807) ➢ [https://medium.com/@beyondmachines/sms-scam-analysis-7b699f86c97a](https://medium.com/@beyondmachines/sms-scam-analysis-7b699f86c97a) © I t i |194.67.193[.]0/24|IPv4-Addr|Netblock owned by AS216234| |---|---|---| |45.9.74[.]0/24|IPv4-Addr|Netblock owned by AS216234| -----