Thursday, July 17, 2025

Microsoft Teams Voice Calls Abused to Push Matanbuchus Malware

Introduction

As remote work tools become more integral to business operations, cybercriminals are finding creative ways to exploit these platforms. A recent cybersecurity revelation highlights how Microsoft Teams, one of the most widely used collaboration tools, is being abused to deliver Matanbuchus malware through voice call functionalities. This alarming tactic underscores the evolving sophistication of threat actors and the critical need for organizations to bolster their security postures.

This article provides an in-depth look at the abuse of Microsoft Teams for malware distribution, focusing on how voice calls are being leveraged to spread Matanbuchus, what the malware does, and how to defend against such emerging threats.

What Is Matanbuchus Malware?

Matanbuchus is a malware-as-a-service (MaaS) loader that emerged around 2021. It is named after a demon in mythology, symbolizing deceit and trickery—an apt title for malware designed to covertly load additional malicious payloads onto a victim’s device.

Key features of Matanbuchus include:

  • Loading of Secondary Malware: Matanbuchus can deploy tools like Cobalt Strike or ransomware.
  • Evasion Techniques: It often bypasses detection through encryption, obfuscation, and sandbox evasion.
  • Delivery Mechanisms: It’s typically delivered via phishing, malicious documents, or now—via collaboration tools like Microsoft Teams.

Microsoft Teams as an Attack Vector

Microsoft Teams, integrated into Microsoft 365, has millions of daily users. Its ubiquity makes it a prime target for threat actors. Recently, attackers have discovered a new angle: using Teams voice calls to lure users into downloading malicious payloads—specifically, Matanbuchus.

How the Attack Works:

  1. Fake Accounts and Voice Calls: Threat actors create legitimate-looking Teams accounts or compromise existing ones. They then initiate voice calls with potential victims under the guise of urgent meetings or tech support.

  2. Social Engineering: During the call, the attacker convinces the victim to click a link or download a file sent via the Teams chat window—often disguised as a meeting document, invoice, or IT patch.

  3. Payload Delivery: The downloaded file contains the Matanbuchus loader, which installs silently and later downloads more destructive malware such as data stealers, backdoors, or ransomware.

  4. Command & Control (C2): Once installed, the malware connects to its C2 server, allowing attackers to take remote control or exfiltrate data.

Why This Is So Dangerous

The abuse of Microsoft Teams for delivering malware introduces new challenges for cybersecurity professionals:

  • Trusted Environment: Users are more likely to trust files or links sent via internal tools like Teams.
  • Bypassing Email Filters: Traditional malware delivery via phishing emails can be blocked by email filters. Teams traffic often isn't scrutinized as rigorously.
  • Social Engineering Synergy: Combining real-time voice communication with a file drop greatly increases the success rate of deception.

Who Is Behind It?

The exact threat actor groups using this technique are still being identified. However, the use of Matanbuchus, a known malware-as-a-service tool, suggests the involvement of affiliated cybercriminal gangs or independent threat actors purchasing access through dark web markets.

This model lowers the barrier for entry, allowing even relatively unskilled attackers to deploy sophisticated tools via user-friendly platforms like Microsoft Teams.

Indicators of Compromise (IOCs)

Organizations should be on the lookout for the following IOCs related to this threat:

  • Unusual Teams Call Activity: Especially from unknown users or outside the organization.
  • Downloads of .zip, .exe, or .lnk files following Teams calls.
  • Outbound connections to known Matanbuchus C2 IPs or domains.
  • Unexpected processes spawning from Teams.exe or file downloads.

How to Protect Against Matanbuchus via Teams

1. Educate Users

  • Train employees to be cautious of unsolicited Teams calls and messages.
  • Emphasize the importance of verifying the identity of internal contacts before clicking links or downloading files.

2. Restrict External Access

  • Limit the ability of external users to contact or call employees via Teams unless absolutely necessary.

3. Endpoint Detection and Response (EDR)

  • Use EDR tools capable of detecting behavioral anomalies and file-less malware such as Matanbuchus.

4. Monitoring and Logging

  • Continuously monitor Teams activity, especially chats with file transfers and calls involving file sharing.
  • Enable detailed logging and anomaly detection for Teams traffic.
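As an added example (not code from the original post, and not a Microsoft or Matanbuchus-specific tool), the Python below turns the IOC list and the monitoring advice above into a small correlation check: it walks a stream of Teams call, download and process events, flags calls from outside the tenant, flags .zip/.exe/.lnk downloads that land within a window after a call, and flags script interpreters spawned by Teams.exe. The log format, the sample lines, the 30-minute window, the internal domain list and the suspicious child-process list are all constructed assumptions for this illustration; a real deployment would feed it the equivalent fields from the Microsoft 365 audit log and the EDR's process telemetry.

```python
"""
Correlate Teams call events with follow-on risky downloads and unexpected
child processes. All constants and log lines here are constructed for the
example and are not taken from any real incident or product.
"""
from __future__ import annotations

import os
from dataclasses import dataclass
from datetime import datetime, timedelta

# File extensions the article lists as suspicious when downloaded after a call.
RISKY_EXTENSIONS = {".zip", ".exe", ".lnk"}
# How long after a call a download still counts as "following" it (assumption).
CORRELATION_WINDOW = timedelta(minutes=30)
# Domains that belong to the organisation's own tenant (constructed).
INTERNAL_DOMAINS = {"example.com"}
# Interpreters that Teams.exe has no business launching (starting point, assumption).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed event lines: "<ISO time> <kind> <user> key=value ...".
SAMPLE_LOG = """\
2025-07-17T09:02:11 CALL alice@example.com caller=helpdesk-support@outlook.example
2025-07-17T09:14:40 DOWNLOAD alice@example.com file=Invoice_Q3.zip source=teams_chat
2025-07-17T09:15:05 PROCESS alice@example.com parent=Teams.exe child=cmd.exe
2025-07-17T10:30:00 CALL bob@example.com caller=carol@example.com
2025-07-17T10:35:00 DOWNLOAD bob@example.com file=agenda.docx source=teams_chat
2025-07-17T13:00:00 DOWNLOAD dave@example.com file=tool.exe source=browser
"""


@dataclass
class Event:
    time: datetime
    kind: str            # CALL, DOWNLOAD or PROCESS
    user: str
    attrs: dict[str, str]


def parse_log(text: str) -> list[Event]:
    """Parse the constructed line format into Event objects, oldest first."""
    events: list[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, *rest = line.split()
        attrs = dict(item.split("=", 1) for item in rest)
        events.append(Event(datetime.fromisoformat(ts), kind, user, attrs))
    return sorted(events, key=lambda e: e.time)


def is_external(address: str) -> bool:
    """True when the address's domain is not one of the tenant's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def find_suspicious(text: str) -> list[str]:
    """Return one human-readable alert per IOC match found in the log."""
    last_call: dict[str, Event] = {}   # most recent call seen per user
    alerts: list[str] = []
    for ev in parse_log(text):
        if ev.kind == "CALL":
            last_call[ev.user] = ev
            caller = ev.attrs.get("caller", "")
            if is_external(caller):
                alerts.append(f"{ev.user}: Teams call from external party {caller}")
            continue

        call = last_call.get(ev.user)
        recent = call is not None and ev.time - call.time <= CORRELATION_WINDOW
        context = ""
        if recent:
            minutes = int((ev.time - call.time).total_seconds() // 60)
            context = f" {minutes}m after call from {call.attrs.get('caller', '?')}"

        if ev.kind == "DOWNLOAD" and recent:
            name = ev.attrs.get("file", "")
            if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
                alerts.append(f"{ev.user}: risky download {name}{context}")
        elif ev.kind == "PROCESS" and ev.attrs.get("parent", "").lower() == "teams.exe":
            # Flag regardless of call timing; the call context is added when known.
            child = ev.attrs.get("child", "")
            if child.lower() in SUSPICIOUS_CHILDREN:
                alerts.append(f"{ev.user}: Teams.exe spawned {child}{context}")
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

On the sample log this yields three alerts, all for alice: the external call, the .zip download twelve minutes later, and cmd.exe launched from Teams.exe. bob's internal call followed by a .docx produces nothing, and dave's browser download of an .exe with no preceding call is deliberately left to other controls, which is the trade-off of keying the download rule on call proximity.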

5. Zero Trust Policies

  • Adopt a Zero Trust security model, where every request—even within internal networks—is verified and authenticated.

6. File Type Restrictions

  • Prevent the sharing of executable or script files via Teams unless absolutely required.

Microsoft’s Response

Microsoft has acknowledged growing abuse of its Teams platform and is actively working on:

  • Advanced threat detection for Teams-specific threats.
  • Improved file scanning and sandboxing mechanisms for shared documents.
  • Stronger identity verification tools and account protection protocols.

Organizations are encouraged to regularly update Microsoft Teams and apply any security patches or recommendations issued by Microsoft’s security team.

Conclusion

The abuse of Microsoft Teams voice calls to spread Matanbuchus malware reflects a broader trend in the cybersecurity landscape—the weaponization of trusted collaboration tools. As attackers innovate, defenders must adapt quickly to protect users who are increasingly dependent on these platforms for daily operations.

By implementing layered security strategies, educating users, and staying informed about evolving tactics like this, organizations can greatly reduce their exposure to threats like Matanbuchus. The fight against cybercrime is no longer confined to email and web gateways—it now lives in our video calls, our messages, and our virtual office meetings.