Matanbuchus with Cobalt Strike: Not your favorite combo


For US$2,500, threat actors can use Matanbuchus, a malware-as-a-service (MaaS) package that delivers Cobalt Strike beacons via phishing and spam messages. Cobalt Strike is a powerful security tool that hackers are increasingly using as a reconnaissance and post-exploitation weapon.

Our researchers obtained a list of Indicators of Compromise (IoC) and email domains used in phishing campaigns. Using Threat Intelligence Platform (TIP), we have analyzed and expanded on them in this report. Our discoveries include:

  • Eleven of the 13 email domains used in the Matanbuchus-related phishing had no Mail Exchange (MX) server or Domain-Based Message Authentication, Reporting and Compliance (DMARC) configured
  • Most email domains had problematic Secure Sockets Layer (SSL) and nameserver configurations
  • 600+ domains connected via WHOIS records and text strings of IoC domains, and MX records of email domains
  • Nearly 12.5% ​​of connected domains were malicious

As part of our ongoing efforts to enable cybersecurity analysts and researchers to continue their studies, we have collected all relevant data and made it available to anyone interested. You can download related threat research papers here.

What we know about IoCsth>

Four domains and four IP addresses each have been marked to direct Matanbuchus command and control (C&C) traffic. All of these domains were created between June 10 and 12, 2022, with Namecheap and Eranet as registrars.

On the other hand, most of the IP addresses were geolocated in the United States, with different Internet Service Providers (ISPs). The table below provides some details about the IoCs revealed by TIP.

IP addresses Associated IoC domains Geolocation ISP
144[.]208[.]127[.]245 file location WE Choc Hosting LLC
185[.]217[.]1[.]23 extic[.]icu WE
190[.]123[.]44[.]220 reykh[.]icu WE
213[.]226[.]114[.]15 collection telemetry system[.]com
Russia VDS

We also got 14 phishing emails, which generated 13 different email domains. Running these domains on TIP, we found that only two had blacklisted MX servers, and two others were potentially dangerous due to their locations and redirects. However, most had problematic MX, SSL, and nameserver configurations.

Among the most egregious misconfigurations was domain owners’ failure to configure DMARC, leaving properties vulnerable to email spoofing. In fact, some of Matanbuchus’ phishing emails have been spoofed, such as this example of malware spam provided by Malware Traffic Analysis.


Other issues detected by TIP include:

  • Recently Obtained SSL Certificates
  • Expired or non-existent SSL certificates
  • Name servers located in the same network or a single network
  • Stealth or Missing Name Servers

Legitimate organizations that prioritize cybersecurity should do their best to comply with the latest protocols, standards, and configurations. Those who receive warnings may be vulnerable to impersonation and exploitation or may not be legitimate at all.

Discover potentially connected domainsth>

Gathering information from the WHOIS records of the four IoC domains and the MX servers of the 13 email domains, we discovered 611 artifacts or connected domains. Most of these artifacts were .icu and .com domains created in June 2022 with Namecheap or Eranet as the registrar. They shared the same WHOIS characteristics as IoC domains.

Some artifacts shared the same MX records as phishing emails. However, we didn’t include properties that shared MX servers with more than 300 domains because they might use public MX servers, which would lead to false positives. Only two domains potentially used public MX servers.

The artifacts also included domains created in June 2022 that contained “telemetry”, the text string used in two of the IoCs. The table below illustrates the distribution of artifacts.

Malicious Artifact Alert >

The four C&C domains and 14 phishing emails flagged in the Cobalt Strike attack led by Matanbuchus led us to over 600 connected domains. Although some of the associations may be coincidental, TIP flagged 12.44% of the artifacts as malicious.

As a threat actor weapon, Cobalt Strike is fearsome and powerful. When combined with a MaaS like Matanbuchus and sophisticated phishing campaigns, their impact could be exponential. Thus, we have endeavored to shed some light on this threat and its IoCs.

If you would like to carry out a similar investigation or have access to the full data behind this research, please do not hesitate to contact us.


Comments are closed.