Chinese hackers use a new attack framework similar to Cobalt Strike


Researchers have observed a new post-exploitation attack framework used in the wild, called Manjusaka, which can be deployed as an alternative to the widely abused Cobalt Strike toolkit, or in parallel with it for redundancy.

Manjusaka uses implants written in the cross-platform Rust programming language, while its binaries are written in the versatile Go (GoLang) language.

RAT (Remote Access Trojan) implants support command execution, file access, network reconnaissance, and more, so hackers can use them for the same operational goals as Cobalt Strike.

Campaign and discovery

Manjusaka was discovered by researchers at Cisco Talos, who were called in to investigate a Cobalt Strike infection, so the threat actors used both frameworks in this case.

The infection came via a malicious document masquerading as a COVID-19 case report in the city of Golmud in Tibet for contact tracing.

The document carried a VBA macro that launched rundll32.exe to fetch the second-stage payload, Cobalt Strike, and load it into memory.

However, instead of just using Cobalt Strike as their primary attack toolkit, they used it to download Manjusaka implants, which depending on the host architecture, could be either EXE (Windows) or ELF (Linux) files.
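As an added example (not code from the article or from Talos), the following Python flags the macro-to-rundll32.exe stage described above when run over constructed process-creation log lines; the key="value" log format, the file paths and the rule names are assumptions.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events (sample data for this
# example, not taken from the Talos report).
SAMPLE_EVENTS = [
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'Image="C:\\Windows\\System32\\rundll32.exe" '
    'CommandLine="rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\report.dll,Start"',
    'ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Windows\\System32\\rundll32.exe" '
    'CommandLine="rundll32.exe shell32.dll,Control_RunDLL"',
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" '
    'Image="C:\\Windows\\SysWOW64\\rundll32.exe" '
    'CommandLine="rundll32.exe C:\\ProgramData\\cache.dll,Run"',
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'Image="C:\\Windows\\splwow64.exe" '
    'CommandLine="C:\\Windows\\splwow64.exe 12288"',
]

# Office applications whose child rundll32.exe is worth a closer look.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Directories a macro can write to without elevation (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line: str) -> Dict[str, str]:
    """Turn one key="value" event line into a dict (values lower-cased for matching)."""
    return {k.lower(): v.lower() for k, v in KV_RE.findall(line)}

def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event triggers (empty list if benign)."""
    hits: List[str] = []
    if ntpath.basename(event.get("image", "")) != "rundll32.exe":
        return hits
    if ntpath.basename(event.get("parentimage", "")) in OFFICE_PARENTS:
        hits.append("office_spawned_rundll32")
    if any(d in event.get("commandline", "") for d in USER_WRITABLE):
        hits.append("rundll32_loads_user_writable_dll")
    return hits

def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over the log lines and collect (rule, command line) pairs."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        evt = parse_event(line)
        for rule in classify(evt):
            findings.append((rule, evt.get("commandline", "")))
    return findings

if __name__ == "__main__":
    for rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{rule}: {cmd}")
```

The first and third sample events trigger both rules, while the explorer.exe-spawned rundll32.exe and the print helper spawned by Word are left alone.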

“Cisco Talos recently discovered a new attack framework called ‘Manjusaka’ that is being used in the wild and has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework,” warn Cisco Talos researchers.

Manjusaka capabilities

Both the Windows and Linux versions of the implant have approximately the same capabilities and implement similar communication mechanisms.

The implants include a remote control unit (RAT) and a file management unit, each with distinct capabilities.

The RAT supports arbitrary command execution via “cmd.exe”, collects credentials stored in web browsers, WiFi SSIDs and passwords, and enumerates network connections (TCP and UDP), account names, local groups, and more.

Manjusaka command execution system (Cisco)

Moreover, it can steal Premiumsoft Navicat credentials, take screenshots of the current desktop, list running processes, and even check hardware specifications and temperature.

The File Manager module can perform file enumeration, create directories, get complete file paths, read or write file contents, delete files or directories, and move files between locations.

File management capabilities, EXE left, ELF right (Cisco)

Shift in tools

For now, it looks like Manjusaka has been temporarily deployed into the wild for testing, so it’s likely that its development isn’t in its final stages. However, the new framework is already powerful enough for real-world use.

Cisco notes that its researchers found a design diagram on a promotional post by the malware author, depicting components that were not implemented in the versions it sampled.

This means those components are either not available in the “free” version used in the analyzed attack or have not yet been completed by the author.

“This new attack framework has all the features one would expect from an implant, however, it is written in the latest mobile programming languages.

A framework developer can easily integrate new target platforms like MacOSX or more exotic flavors of Linux like those running on embedded hardware.

The fact that the developer has made a fully functional version of C2 available increases the chances of this framework being widely adopted by malicious actors.” – Cisco Talos

The lure document was written in Chinese, and the same goes for the C2’s menus and configuration options for the malware, so it’s safe to assume its developers are based in China. Talos’ OSINT has narrowed down their location to Guangdong.

If this is indeed the case, Manjusaka may soon become pervasive in the campaigns of many Chinese APTs, as threat groups from the country are notorious for sharing a common toolkit.

We recently reported the emergence of a post-exploitation toolkit called “Brute Ratel”, which was also meant to replace the now older and more easily detectable cracked versions of Cobalt Strike.

Threat actors are expected to continue to gradually move away from Cobalt Strike, and many alternative attack frameworks are likely to emerge, in an effort to expand on the new market opportunity.
