Researchers discovered a Chinese threat actor using a new offensive framework similar to Cobalt Strike called Manjusaka.
Talos researchers observed a Chinese threat actor using a new offensive framework similar to the Sliver and Cobalt Strike tools called Manjusaka (which translates to “cow flower” from simplified Chinese script).
The attack framework is advertised as a mimic of the Cobalt Strike framework, experts reported that the implants for the new malware family are written in the Rust language for Windows and Linux.
The experts uncovered a campaign of bait documents dealing with COVID-19 and Haixi Mongolian-Tibetan Autonomous Prefecture in Qinghai province. The armed documents were created to start the infection process and led to the installation of Cobalt Strike beacons on infected systems.
“A fully functional version of Command and Control (C2), written in GoLang with a Simplified Chinese user interface, is freely available and can easily generate new implants with custom configurations, increasing the likelihood of wider adoption of this framework by malicious actors.” reads the analysis published by Cisco Talos. “We observed the same threat actor using the Cobalt Strike Beacon and implants from the Manjusaka framework.”
The researchers believe that the Manjusaka The tool has the potential to become a popular post-exploitation tool like Slive and Cobal Strike.
The researchers state that the malware implant is a RAT family called “Manjusaka”, while C2 is an ELF binary written in GoLang, available on GitHub at “hxxps://github[.]com/YDHCUI/manjusaka.” The C2 server and admin panel is based on the Gin Web Framework, which allows operators to issue commands to the Rust-based implants/stagers. The implants support multiple functions, including executing arbitrary commands on the infected systems. Below is the full list of supported features:
- Run any command
- Get file information for a specific file: creation time, last write time, size, disk serial number, and file index.
- Get information about the current network connections (TCP and UDP) set up on the system, including local network addresses, remote addresses, and owning process identifiers (PIDs).
- Collect browser credentials: Specifically for Chromium-based browsers with the query: SELECT signon_realm, username_value, password_value FROM logins ; Target browsers: Google Chrome, Chrome Beta, Microsoft Edge, 360 (Qihoo), QQ Browser (Tencent), Opera, Brave, and Vivaldi.
- Collect WiFi SSID information including passwords with the following command: netsh wlan show profile
- Obtain Premiumsoft Navicat credentials
- Take screenshots of the current desktop.
- Get comprehensive system information from the endpoint
- Enable the file management module to perform file-related activities
The experts discovered both EXE and ELF versions of the implant.
The attribution of this campaign to Chinese threat actors is based on the following evidence:
- The Maldoc refers to a COVID-19 outbreak in Golmud City.
- The Rust-based implant does not use the standard Crates.io library repository for dependency resolution. Instead, it was manually configured by the developers to use the mirror located at the University Science and Technology of China (ustc[.]training[.]cn).
- The C2 menus and options are all written in Simplified Chinese.
- Our OSINT suggests that the author of this framework is based in the GuangDong region of China.
“The availability of the Manjusaka Offensive Framework is an indication of the popularity of widespread offensive technologies among both crimeware and APT operators. This new attack framework contains all the features one would expect from an implant, but is written in the most modern and portable programming languages.” concluded the analysis. “The developer of the framework can easily integrate new target platforms such as MacOSX or more exotic flavors of Linux running on embedded devices. The fact that the developer has provided a fully functional version of the C2 increases the chances of broader adoption of this framework by malicious actors.”
Follow me on Twitter: @Security questions and Facebook
(security matters – Hack, Manjusaka)