ClickFix Infection Delivers Matanbuchus 3.0 Malware and New AstarionRAT in High-Speed Intrusion

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • New RAT Discovered: A recent cyberattack has led to the discovery of a new, full-featured Remote Access Trojan dubbed AstarionRAT.
  • Complex Attack Chain: The intrusion began with a ClickFix social engineering campaign, which delivered the premium Matanbuchus 3.0 malware loader.
  • Rapid Lateral Movement: The attacker moved across the network to domain controllers in under 40 minutes, indicating a hands-on-keyboard operation.

A new Remote Access Trojan (RAT) named AstarionRAT was discovered during a sophisticated, hands-on intrusion, cybersecurity firm Huntress has detailed. The initial payload was the Matanbuchus 3.0 malware, a premium loader known for its use in high-value, targeted operations.

The attack chain began with a ClickFix infection, a social engineering technique that tricks users into pasting malicious commands into their own systems; in this case the commands triggered silent MSI installations. This method bypasses traditional security controls by making the user the delivery mechanism.

Matanbuchus 3.0 and AstarionRAT Discovery

The investigation by the Huntress Tactical Response team uncovered a deeply layered execution chain. The ClickFix prompt led to the installation of Matanbuchus 3.0, a completely rewritten version of the malware that commands a high price on cybercrime forums. 

Intrusion timeline | Source: Huntress

This loader was then used to deliver the previously undocumented AstarionRAT, which revealed a powerful implant with 24 commands, including:

Matanbuchus 3.0 advertisement | Source: Huntress

The attacker used legitimate tools like:

“Over the years, Matanbuchus has been used to deliver a range of follow-on payloads, including Cobalt Strike, QakBot, DanaBot, Rhadamanthys stealer, and NetSupport RAT,” the report said.

Cybersecurity Response to a High-Speed Intrusion

Following the RAT deployment, the operator returned the next day and laterally moved from the initial compromise point to two domain controllers in less than 40 minutes. The Huntress cybersecurity response team disrupted the intrusion during this lateral movement phase. 

The ultimate objective was likely ransomware deployment or data exfiltration, based on the attacker's playbook.

A free ‘ClickFix Hunter’ tool was made available last month after the ErrTraffic ClickFix service was observed to be industrializing social engineering malware. Also, the new Devixor malware, which combines banking RAT and ransomware, targeted Iranian banks, crypto platforms, and payment services.
