Do you know what questions to ask when you're looking for an IT firm? We're here to help. Get the free guide delivered right to your inbox:
Matanbuchus is a malware-as-a-Service loader that has been sold on underground markets for more than a year, but can also be rented to attackers for the same price.
If you are a victim of Matanbuchus, these loader options will be offered to you:
- Loader for banking malware such as Dridex or Locky. You pay $200 per month for this loader, and you'll get access to the latest malware and botnets.
- Loader for ransomware such as Locky, Cerber, or TeslaCrypt. This is also $200 per month but includes payloads that encrypt your data and demand a ransom before restoring it to its original state.
- Loader with a botnet of compromised PCs available on demand.
For the botnet option, here's how it works: if you want to send spam or distribute malware, you can use a botnet of 1,000 compromised PCs for $500 per month. However, if you want a larger botnet with more power to launch DDoS attacks, you'll need to invest $3,000 per month.
If you want an even bigger distributed denial-of-service (DDoS) attack that can cripple corporate networks for days at a time and knock offline critical services like banking sites or even government websites in certain countries, that will cost you $6,000 per month.
The malware also makes use of another process, winobot.exe, which is apparently responsible for launching the loader when clicked on. Microsoft has already issued a fix for the problem.
Earlier this week CNN's security analyst and former NSA advisor Ken Westin spotted yet another variant of the botnet-as-a-service offering from Matanbuchus, with a new command and control (C&C) scheme designed to evade detection by antivirus programs.
Speaking to Bleeping Computer, he noted that Westin Security was able to identify multiple instances where "the malware uses a non-standard port on its command & control server," as well as other clever tactics to make it more difficult to detect its presence.