Researchers have noted a new post-exploitation attack framework used in the wild, called Manjusaka, which can be implemented as an alternative to the widely abused Cobalt Strike toolkit or in parallel for redundancy.
Manjusaka uses implants written in the cross-platform Rust programming language, while its binaries are written in the equally versatile GoLang.
Its RAT (Remote Access Trojan) implants support command execution, file access, network reconnaissance, and more, so hackers can use it for the same operational goals as Cobalt Strike.
Campaign and discovery
Manjusaka was discovered by Cisco Talos researchers, who were called in to investigate a Cobalt Strike infection on a client, so threat actors used both frameworks in that case.
The infection occurred through a malicious document disguised as a report on a COVID-19 case in the city of Golmud in Tibet for contact tracing.
The document presented a VBA macro that is run through rundll32.exe to get a second-stage payload, Cobalt Strike, and load it into memory.
However, instead of using Cobalt Strike as their main attack toolkit, they used it to download Manjusaka implants, which, depending on the host architecture, could be either EXE (Windows) or ELF (Linux) files.
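The chain described above (malicious document, VBA macro, rundll32.exe fetching a second stage and loading it in memory) leaves a simple telemetry footprint: an Office process spawning rundll32.exe, often with an unusual or empty command line. The following Python is an added detection example written for this article; it is not Cisco Talos' code and contains no Manjusaka artifacts. The event records and their field names are constructed to resemble Sysmon process-creation events, and the two heuristics are assumptions about what a defender would look for, not indicators taken from the report.

```python
"""Flag process-creation events matching an Office-document-to-rundll32 chain.

Added example for this article, not Cisco Talos' or the malware author's code.
Field names (parent_image, image, command_line) are assumed; map them to your
own EDR or Sysmon schema.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Tuple

# Parents that should rarely launch rundll32.exe directly (assumption).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOADER = "rundll32.exe"


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(image_path: str) -> str:
    """Normalise a Windows image path to its lower-case file name."""
    return PureWindowsPath(image_path).name.lower()


def classify(ev: ProcessEvent) -> List[str]:
    """Return the list of reasons an event looks like the described chain.

    An empty list means the event matched neither heuristic.
    """
    reasons: List[str] = []
    if _basename(ev.image) != LOADER:
        return reasons
    # Heuristic 1: rundll32.exe launched by an Office application.
    if _basename(ev.parent_image) in OFFICE_PARENTS:
        reasons.append("office-parent")
    # Heuristic 2: rundll32.exe with no DLL/export argument at all, which is
    # unusual for legitimate use and consistent with an in-memory loader.
    tokens = ev.command_line.strip().split()
    if len(tokens) <= 1:
        reasons.append("rundll32-no-arguments")
    return reasons


def find_suspicious(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Run classify() over a batch of events and keep the ones with reasons."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry; none of these paths or hosts are real IoCs.
SAMPLE_EVENTS = [
    ProcessEvent("2022-08-01T09:01:12Z", "ws01",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\Public\stage.dll,Run"),
    ProcessEvent("2022-08-01T09:02:40Z", "ws01",
                 r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe shell32.dll,Control_RunDLL"),
    ProcessEvent("2022-08-01T09:03:05Z", "ws02",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c whoami"),
    ProcessEvent("2022-08-01T09:04:33Z", "ws02",
                 r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe"),
]


if __name__ == "__main__":
    for ev, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"{ev.timestamp} {ev.host} {ev.command_line!r} -> {', '.join(reasons)}")
```

The explorer.exe launch of a Control Panel applet is the kind of benign rundll32.exe use that a parent-process rule must tolerate, which is why the first heuristic keys on the Office parent rather than on rundll32.exe alone; the Excel-to-cmd.exe event is left for a separate rule so the example stays focused on the loader the article names.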
“Cisco Talos recently discovered a new attack framework called ‘Manjusaka’ that is used in the wild and has the potential to become prevalent across the entire threat landscape. This framework is advertised as a knockoff of the Cobalt Strike framework,” the Cisco Talos researchers warn.
Both the Windows and Linux versions of the implant have almost the same capabilities and implement similar communication mechanisms.
The implants comprise a RAT and a file management module, each with different capabilities.
The RAT supports executing arbitrary commands via “cmd.exe”, collects credentials stored in web browsers as well as WiFi SSIDs and passwords, and discovers network connections (TCP and UDP), account names, local groups, etc.
Additionally, it can steal Premiumsoft Navicat credentials, capture screenshots of the current desktop, list running processes, and even check hardware specifications and thermals.
The file management module can perform file enumeration, create directories, get full file paths, read or write file content, delete files or directories, and move files between locations.
A change in tools
At this time, it appears that Manjusaka is tentatively deployed to the wild for testing, so its development is likely not in its final stages. However, the new framework is already powerful enough for real-world use.
Cisco notes that its researchers found a design diagram in a promotional post from the malware author, which represented components that were not implemented in the sample builds.
This means that they are not available in the “free” version used in the analyzed attack or that the author has not yet completed them.
The decoy document is written in Chinese, and the same applies to the malware’s C2 menus and configuration options, so it’s safe to assume its developers are based in China. Talos’ OSINT narrowed its location to the Guangdong region.
If that is indeed the case, we could soon see Manjusaka deployed in the campaigns of multiple Chinese APTs, as the country’s threat groups are known to share a common toolkit.
We recently reported on the rise of a post-exploitation toolkit called ‘Brute Ratel’, which was also intended to replace the now aging and more easily detectable cracked versions of Cobalt Strike.
Threat actors are expected to continue gradually moving away from Cobalt Strike, and many alternative attack frameworks are likely to appear as their authors try to capitalize on the new market opportunity.