The PolySwarm Blog

Manjusaka Framework

Aug 11, 2022 11:51:07 AM / by PolySwarm Tech Team

Executive Summary

Cisco Talos recently reported on a campaign leveraging Manjusaka, a new attack framework being used in the wild that is advertised as an alternative to Cobalt Strike or Sliver.

Key Takeaways

  • Manjusaka is an attack framework similar to Cobalt Strike or Sliver.
  • Manjusaka implants are written in Rust, with variants for both Windows and Linux. 
  • Manjusaka’s C2 server is available on GitHub.
  • In a recent campaign, threat actors used maldocs with COVID-19-related lures to deliver Manjusaka.

What is Manjusaka?

Manjusaka, which means “cow flower” in Chinese, is the name of a new attack framework being advertised as an alternative to Cobalt Strike or Sliver. Researchers at Cisco Talos assess Manjusaka has the potential for widespread use across the threat landscape.

Manjusaka RAT implants are written in Rust and target Windows and Linux systems. The C2 is written in Go, with a Simplified Chinese user interface. The Manjusaka C2 executable is a fully functional C2 ELF binary. Cisco Talos also discovered an EXE version of the implant. Researchers were able to generate implants by specifying configurations while analyzing the C2.

Infection Chain

Cisco Talos discovered a maldoc campaign, using COVID-19-related documents as a lure to drop Cobalt Strike beacons to victim endpoints. They observed the same threat actor using Cobalt Strike beacons and Manjusaka implants. The campaign, which targeted certain regions within China, had few targets and was active since around June 2022.

The maldoc contains a VBA macro that executes rundll32.exe and injects Metasploit shellcode to download and execute stage 2. Stage 2 is another shellcode containing an XOR encoded Cobalt Strike executable and shellcode used to decode and reflectively load a Cobalt Strike beacon. The Cobalt Strike beacon is executed, and reflectively loads itself into process memory.
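The stage-2 shellcode described above carries an XOR-encoded Cobalt Strike executable. A common triage step for an analyst holding such a blob is to look for known PE plaintext (the `MZ` magic and the DOS stub message) under candidate keys. The following is an added example, not code from Cisco Talos or PolySwarm; it assumes a single-byte repeating key, which the bulletin does not state, and the embedded "PE" is a constructed header, not a real sample.

```python
"""Triage helper: locate an XOR-encoded PE inside a shellcode blob.

Added example (not Cisco Talos or PolySwarm code). Assumption: a single-byte
repeating XOR key; multi-byte keys need a different approach (for example
known-plaintext key recovery), which this snippet does not attempt.
"""

# Strings present in practically every PE file; they act as known plaintext.
PE_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key (key 0 is identity)."""
    return bytes(b ^ key for b in data)


def find_xor_encoded_pe(blob: bytes) -> list:
    """Return (key, offset) pairs at which decoding with key reveals a PE header.

    A hit requires both the MZ magic and the DOS stub message within the
    first 0x100 bytes after it, which keeps random-data false positives low.
    Key 0 is included so an unencoded PE is reported too.
    """
    hits = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        off = decoded.find(PE_MAGIC)
        while off != -1:
            window = decoded[off:off + 0x100]
            if DOS_STUB in window:
                hits.append((key, off))
                break  # one hit per key is enough for triage
            off = decoded.find(PE_MAGIC, off + 1)
    return hits


def build_sample_blob(key: int = 0x5A, prefix_len: int = 64) -> bytes:
    """Constructed sample: a decoder-like prefix followed by a fake DOS header
    XOR-encoded with `key`. Not a real Cobalt Strike or Manjusaka artefact."""
    fake_pe = PE_MAGIC + b"\x00" * 58 + b"\x80\x00\x00\x00" + DOS_STUB + b"\r\n$"
    prefix = bytes(i % 256 for i in range(prefix_len))  # deterministic filler
    return prefix + xor_bytes(fake_pe, key)


if __name__ == "__main__":
    sample = build_sample_blob()
    for key, off in find_xor_encoded_pe(sample):
        print(f"candidate PE at offset {off:#x} with XOR key {key:#04x}")
```

The stub-message check is what makes the brute force usable on real captures: `MZ` alone appears by chance roughly once per 64 KiB of decoded data for every key tried.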

The sample Cisco Talos analyzed made HTTP requests to http://39.104.90[.]45/global/favicon.png, using a fixed session cookie defined by the sample. The cookie is base64 encoded and contains a compressed copy of binary data, including random bytes and system information used to register the infected machine with the C2.
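The check-in pattern just described (a request for a static-looking image path whose cookie is really a base64-wrapped, compressed registration blob) is something a proxy or web-server log review can flag. The following is an added detection example, not PolySwarm or Cisco Talos code. The log line format, the cookie name `session`, the use of zlib as the compression, and the sample lines themselves are all constructed assumptions; only the URI path comes from the bulletin.

```python
"""Flag beacon check-ins: GET to the known URI with a cookie that base64-decodes
to compressed or high-entropy binary data.

Added example; not PolySwarm or Cisco Talos code. Assumptions: simplified log
format 'src method path "cookie"', cookie name 'session', zlib compression.
"""
import base64
import binascii
import json
import re
import zlib
from collections import Counter
from math import log2

BEACON_PATH = "/global/favicon.png"                    # URI from the Talos analysis
COOKIE_RE = re.compile(r"session=([A-Za-z0-9+/=]+)")  # assumed cookie name


def _constructed_cookie() -> str:
    """Build a cookie shaped like the description: compressed binary data made of
    system information plus a few random-looking bytes, then base64. The JSON
    layout is invented for the example, not Manjusaka's real format."""
    registration = json.dumps({"host": "WKS-01", "os": "Windows 10"}).encode()
    registration += b"\x8f\x3a\x11\xd0"  # stand-in for the random bytes
    return base64.b64encode(zlib.compress(registration)).decode()


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    f'10.0.0.5 GET /global/favicon.png "session={_constructed_cookie()}"',
    '10.0.0.6 GET /global/favicon.png "session=abc123"',
    '10.0.0.7 GET /index.html "session=' + base64.b64encode(b"plain text").decode() + '"',
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data sits near 7-8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def classify_cookie(value: str) -> dict:
    """Decode a cookie value and report properties useful for detection."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return {"base64": False}
    info = {"base64": True, "entropy": shannon_entropy(raw), "compressed": False}
    try:
        info["inflated_len"] = len(zlib.decompress(raw))  # zlib is an assumption
        info["compressed"] = True
    except zlib.error:
        pass
    return info


def find_beacons(lines, path: str = BEACON_PATH, min_entropy: float = 4.5) -> list:
    """Return (source, reason) for every line matching the check-in pattern."""
    hits = []
    for line in lines:
        src, _method, req_path, _rest = line.split(" ", 3)
        match = COOKIE_RE.search(line)
        if req_path != path or not match:
            continue
        info = classify_cookie(match.group(1))
        if info.get("compressed"):
            hits.append((src, "cookie decodes to a compressed blob on beacon URI"))
        elif info.get("entropy", 0.0) >= min_entropy:
            hits.append((src, "cookie decodes to high-entropy binary on beacon URI"))
    return hits


if __name__ == "__main__":
    for src, reason in find_beacons(SAMPLE_LOG):
        print(f"{src}: {reason}")
```

Matching the path alone is too noisy on a busy proxy, and a session cookie that inflates to structured data (or that is simply high-entropy binary, in case a different compressor is used) is the property that separates the check-in from an ordinary favicon fetch.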

Manjusaka RAT

Manjusaka RAT allows threat actors to execute arbitrary commands, get file information including creation time and file index, obtain network configuration information, collect browser credentials for Chromium-based browsers, collect WiFi SSID information, obtain Navicat credentials, take screenshots, obtain detailed system information, and activate the file management module.

Windows Variant

System information collected by the Windows variant includes global system memory information, processor power, WMI temperature readings, network interface names, process and system times, process module names, disk drive information, network account names, and Windows build and version numbers. File management capabilities include file enumeration, creating directories, setting the current working directory, obtaining full file paths, deleting files and removing directories, moving files, and reading and writing file data.

Linux Variant

The Linux ELF variant operates similarly to the Windows version but collects the following system-specific information: global system information, system memory information, system uptime and idle time, OS identification, kernel activity information, CPU information, temperature information, network interface information, device mount and file system information, and user account information. The file management module is equivalent to the Windows version.

C2 Server

Cisco Talos discovered a copy of the Manjusaka C2 server binary on GitHub and noted it can be used to monitor and administer a victim machine and generate the Rust implants as payloads. The C2 server and admin panel use the Gin Web Framework to issue commands to the implants and stagers. Cisco Talos noted the threat actor using Manjusaka in this campaign does not appear to be associated with the developer of Manjusaka.

IOCs

PolySwarm has multiple samples associated with the Manjusaka framework.

3f3eb6fd0e844bc5dad38338b19b10851083d078feb2053ea3fe5e6651331bf2

955e9bbcdf1cb230c5f079a08995f510a3b96224545e04c1b1f9889d57dd33c1

fb5835f42d5611804aaa044150a20b13dcf595d91314ebef8cf6810407d85c64

8e9ecd282655f0afbdb6bd562832ae6db108166022eb43ede31c9d7aacbcc0d8

58a212f4c53185993a8667afa0091b1acf6ed5ca4ff8efa8ce7dae784c276927


You can use the following CLI command to search for all Manjusaka samples in our portal:

$ polyswarm link list -f Manjusaka

Topics: Threat Bulletin, China, Cobalt Strike, Manjusaka, Silver
