Inside Matanbuchus: A Quirky Loader

Matanbuchus is a malware-as-a-service loader that has been sold on underground markets for more than a year and can also be rented to attackers for the same price.

If you are a victim of Matanbuchus, these loader options will be offered to you:

- Loader for banking malware such as Dridex or Locky. You pay $200 per month for this loader, and you'll get access to the latest malware and botnets.

- Loader for ransomware such as Locky, Cerber, or TeslaCrypt. This is also $200 per month but includes payloads that encrypt your data and demand a ransom before restoring it to its original state.

- Loader with a botnet of compromised PCs available on demand.

For the botnet option, here's how it works: if you want to send spam or distribute malware, you can use a botnet of 1,000 compromised PCs for $500 per month. However, if you want a larger botnet with more power to launch DDoS attacks, you'll need to invest $3,000 per month.

If you want an even bigger distributed denial-of-service (DDoS) attack that can cripple corporate networks for days at a time and knock offline critical services like banking sites or even government websites in certain countries, that will cost you $6,000 per month.

The malware also makes use of another process, winobot.exe, which is apparently responsible for launching the loader when it is clicked on. Microsoft has already issued a fix for the problem.

Earlier this week CNN's security analyst and former NSA advisor Ken Westin spotted yet another variant of the botnet-as-a-service offering from Matanbuchus, with a new command and control (C&C) scheme designed to evade detection by antivirus programs.

Speaking to Bleeping Computer, he noted that Westin Security was able to identify multiple instances where "the malware uses a non-standard port on its command & control server," as well as other clever tactics to make it more difficult to detect its presence.

Source: Inside Matanbuchus: A Quirky Loader - AlienVault - Open Threat Exchange