Researchers have disclosed a new offensive framework called Manjusaka, which they describe as a "Chinese sibling of Sliver and Cobalt Strike".
“A fully functional version of Command and Control (C2), written in Golang with a Simplified Chinese user interface, is freely available and can easily create new implants with custom configurations, increasing the potential for wider adoption of this framework,” Cisco Talos said in a new report.
Sliver and Cobalt Strike are legitimate adversary emulation frameworks that have been repurposed by threat actors to carry out post-exploitation activities such as network reconnaissance, lateral movement, and the deployment of follow-on payloads.
Written in Rust, Manjusaka – meaning "cow flower" – is advertised as an equivalent of the Cobalt Strike framework with the ability to target Windows and Linux operating systems. Its developer is believed to be located in Guangdong, China.
“The implant consists of a large number of Remote Access Trojan (RAT) capabilities that include some standard functionality and a dedicated file management module,” the researchers noted.
Supported features include executing arbitrary commands; collecting browser credentials from Google Chrome, Microsoft Edge, Qihoo 360, Tencent QQ Browser, Opera, Brave and Vivaldi; collecting Wi-Fi passwords; taking screenshots; and gathering comprehensive information about the system.
It is also designed to launch a file management module that performs a wide range of activities, such as file enumeration and managing files and directories on the compromised system.
The ELF backdoor variant, on the other hand, shares most of the functionality of its Windows counterpart but lacks the ability to collect credentials from Chromium-based browsers and to collect Wi-Fi passwords.
Also part of the Chinese-language framework is a C2 server executable written in Golang and available on GitHub at hxxps://github[.]com/YDHCUI/manjusaka. The third component is an administration panel built on the Gin web framework that enables the operator to create custom versions of the Rust implant.
The server binary, for its part, is designed to monitor and manage an infected endpoint, as well as create the appropriate Rust implants depending on the operating system and issue the necessary commands.
The chain of evidence indicates that the framework is either under active development or that its components are being provided to other actors as a service.
Talos said it made the discovery while investigating a malicious document (maldoc) infection chain that uses COVID-19 lures in China to deliver Cobalt Strike beacons to infected systems, adding that the unknown actor behind the campaign also used implants from the Manjusaka framework in the wild.
The findings arrive weeks after malicious actors were observed abusing another legitimate adversary simulation tool, Brute Ratel (BRc4), in their attacks in an attempt to stay under the radar and evade detection.
"The availability of the Manjusaka offensive framework is an indication of the popularity of widely available offensive technologies with both crimeware and APT operators," the researchers said.
"This new attack framework has all the features one would expect from an implant; however, it is written in the most modern and portable programming languages. The framework developer can easily integrate new target platforms like MacOSX or more exotic flavors of Linux like those running on embedded hardware."