Published Jul 25, 2023 | Updated Nov 10, 2025

Trojan:Win32/Metasploit.CBU!MTB

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Trojan:Win32/Metasploit.CBU!MTB is a harmful trojan that runs as a 32-bit Windows backdoor based on the Meterpreter payload of the Metasploit framework, an open-source penetration testing tool that threat actors weaponize as a remote access trojan (RAT). It makes a reverse connection back to a command-and-control (C2) server, allowing threat actors to issue commands, keep the session alive, and exfiltrate data. It operates in memory and therefore performs no disk operations, which also helps it stay stealthy.

It is a flexible threat used for data theft, espionage, or deploying additional payloads such as ransomware; the consequences can range from identity theft to rendering devices unusable. This trojan is often delivered through exploits against applications such as Microsoft Office or through phishing attacks, which underlines the danger of unpatched software and unverified downloads. Because these tools also have legitimate uses, a detection is not always indicative of malicious intent; IT teams are nevertheless advised to treat the detection as a high-risk event.

The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the "Metasploit" family. 

  • Disconnect the compromised device from all networks (both wired and Wi-Fi) as soon as possible. This severs the threat actor’s remote connection and prevents further data exfiltration. 
  • Use system utilities like Task Manager or Process Explorer to inspect startup entries, scheduled tasks, and running processes for any malicious components that may have established persistence. 
  • Update passwords for all user and administrative accounts on the affected device, as well as for any online services that were accessed from it, as login credentials could have been stolen. 
  • Review bank, email, and other critical accounts for any unusual actions that indicate unauthorized access resulting from the infection. 
  • If the scope of the intrusion is uncertain, restore Windows from a known-clean, verified backup. Ensure the backup is scanned for malware before restoration to avoid reinfection. 
  • For a manual response on Windows, boot the system into Safe Mode, enable viewing of hidden files and folders, and then identify and remove all suspicious files and registry entries before performing a final reboot and verification scan.
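The following PowerShell script is an added triage example, not part of the Microsoft page, that covers the inspection step above (startup entries, scheduled tasks, running processes) together with the reverse-connection behaviour described in the summary: it lists autostart registry entries, enabled non-Microsoft scheduled tasks, and every process holding an established outbound TCP connection along with the Authenticode status of its image. It assumes an elevated session on Windows 8/Server 2012 or later, where Get-NetTCPConnection and Get-ScheduledTask are available, and it only reads; it changes nothing on the device.

```powershell
# Added triage example (not from the Microsoft page). Read-only: nothing is
# deleted or modified. Run from an elevated PowerShell session on the
# isolated (network-disconnected) device.

# 1. Autostart registry entries (per-user and machine-wide Run/RunOnce keys).
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
Write-Host '== Autostart registry entries =='
foreach ($key in $runKeys) {
  if (Test-Path $key) {
    Write-Host $key
    Get-ItemProperty -Path $key |
      Select-Object -Property * -ExcludeProperty PS* |
      Format-List
  }
}

# 2. Scheduled tasks that are enabled and live outside the \Microsoft\ tree.
#    Each task action is flattened to one row: what runs and with which arguments.
Write-Host '== Scheduled tasks (non-Microsoft, enabled) =='
Get-ScheduledTask |
  Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } |
  ForEach-Object {
    $task = $_
    $task.Actions | ForEach-Object {
      [pscustomobject]@{
        TaskName  = $task.TaskName
        TaskPath  = $task.TaskPath
        Execute   = $_.Execute
        Arguments = $_.Arguments
      }
    }
  } | Format-Table -AutoSize

# 3. Running processes with established outbound TCP connections.
#    A reverse connection to a C2 server shows up here as an outbound session
#    owned by a process that normally has no reason to talk to the internet,
#    or whose image is unsigned or has no path at all.
Write-Host '== Processes with established outbound TCP connections =='
Get-NetTCPConnection -State Established |
  Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
  ForEach-Object {
    $conn = $_
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $path = if ($proc) { $proc.Path } else { $null }
    $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'NoImagePath' }
    [pscustomobject]@{
      PID       = $conn.OwningProcess
      Process   = if ($proc) { $proc.ProcessName } else { '(exited)' }
      ImagePath = $path
      Signature = $sig
      Remote    = "$($conn.RemoteAddress):$($conn.RemotePort)"
    }
  } |
  Sort-Object Signature, Process |
  Format-Table -AutoSize
```

Rows in the third table whose Signature is anything other than Valid, or whose ImagePath is empty, deserve the first look; Metasploit payloads that run purely in memory typically hide behind a legitimate-looking host process, so compare the process name against its image path and the remote endpoint rather than trusting the name alone. Collect this output before disconnecting the device only if that can be done quickly; otherwise isolate first, as the list above recommends.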

Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts. 

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help. 
