
Chinese hackers use new Cobalt Strike-like attack framework

Researchers have spotted a new post-exploitation attack framework used in the wild, called Manjusaka, which can be deployed as an alternative to the widely abused Cobalt Strike toolkit or alongside it for redundancy.

Manjusaka uses implants written in the cross-platform Rust programming language, while its binaries are written in the equally versatile GoLang.

Its RAT (Remote Access Trojan) implants support command execution, file access, network reconnaissance, and more, so hackers can use it for the same operational goals as Cobalt Strike.

Campaign and discovery

Manjusaka was discovered by Cisco Talos researchers, who were called in to investigate a Cobalt Strike infection at a client, which means the threat actors used both frameworks in that case.

The infection occurred through a malicious document disguised as a report on a COVID-19 case in the city of Golmud in Tibet for contact tracing.

The document carried a VBA macro that is executed through rundll32.exe to fetch a second-stage payload, Cobalt Strike, and load it into memory.

However, instead of using Cobalt Strike as their main attack toolkit, the threat actors used it to download Manjusaka implants, which, depending on the host architecture, could be either EXE (Windows) or ELF (Linux) files.
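The infection chain above, an Office macro reaching rundll32.exe to fetch the next stage, is one a defender can catch at the process-creation layer. The following Python is an added example, not code from Cisco Talos or this article: it flags Office processes spawning rundll32.exe in constructed key=value process-creation events (the field names, paths and timestamps are assumptions, not values from the page).

```python
"""Detect the initial-access pattern described above: an Office application
spawning rundll32.exe to run a second stage. Added example; the log format
(fields ts, parent, image, cmdline) and all sample values are constructed."""
import re
from pathlib import PureWindowsPath

# Office applications that should rarely, if ever, spawn rundll32.exe directly.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
CHILD_OF_INTEREST = "rundll32.exe"

# key=value pairs; quoted values may contain spaces (e.g. "Program Files").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value log line into a dict, dropping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def basename(path):
    """Lower-cased file name of a Windows path, so casing and directories are ignored."""
    return PureWindowsPath(path).name.lower()


def is_office_spawned_rundll32(event):
    """True when the parent is an Office process and the child image is rundll32.exe."""
    parent = basename(event.get("parent", ""))
    image = basename(event.get("image", ""))
    return parent in OFFICE_PARENTS and image == CHILD_OF_INTEREST


def detect(lines):
    """Return (timestamp, command line) for every event matching the pattern."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_office_spawned_rundll32(event):
            hits.append((event.get("ts"), event.get("cmdline", "")))
    return hits


# Constructed sample events (not real telemetry from the Manjusaka campaign).
SAMPLE_LOG = [
    'ts=2022-08-02T09:14:03Z parent="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" image=C:\\Windows\\System32\\rundll32.exe cmdline="rundll32.exe C:\\Users\\Public\\stage.dll,Start"',
    'ts=2022-08-02T09:14:05Z parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\rundll32.exe cmdline="rundll32.exe shell32.dll,Control_RunDLL"',
    'ts=2022-08-02T09:14:09Z parent="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" image=C:\\Windows\\splwow64.exe cmdline=splwow64.exe',
]

if __name__ == "__main__":
    for ts, cmd in detect(SAMPLE_LOG):
        print(f"{ts}  Office-spawned rundll32: {cmd}")
```

Only the first constructed event is reported; rundll32.exe launched by explorer.exe and an Office process spawning a print helper are left alone.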

“Cisco Talos recently discovered a new attack framework called ‘Manjusaka’ that is used in the wild and has the potential to become prevalent across the entire threat landscape. This framework is advertised as a knockoff of the Cobalt Strike framework,” the Cisco Talos researchers warn.

Manjusaka’s abilities

Both the Windows and Linux versions of the implant have almost the same capabilities and implement similar communication mechanisms.

The implants comprise a RAT and a file management module, each with different capabilities.

The RAT supports executing arbitrary commands via “cmd.exe”, collects credentials stored in web browsers as well as WiFi SSIDs and passwords, and discovers network connections (TCP and UDP), account names, local groups, and more.

Manjusaka Command Execution System (cisco)

Additionally, it can steal Premiumsoft Navicat credentials, capture screenshots of the current desktop, list running processes, and even check hardware specifications and thermals.

The file management module can perform file enumeration, create directories, get full file paths, read or write file content, delete files or directories, and move files between locations.

File management capabilities, EXE left, ELF right (cisco)

A change in tools

At this time, it appears that Manjusaka has been tentatively deployed in the wild for testing, so its development is likely not in its final stages. However, the new framework is already powerful enough for real-world use.

Cisco notes that its researchers found a design diagram in a promotional post from the malware author, which represented components that were not implemented in the sample builds.

This means either that those components are not available in the “free” version used in the analyzed attack, or that the author has not yet completed them.

“This new attack framework contains all the features one would expect from an implant, yet it is written in the most modern and portable programming languages.

The framework developer can easily integrate new target platforms like MacOSX or more exotic versions of Linux like those running on embedded devices.

The fact that the developer has made a fully functional version of C2 available increases the chances of wider adoption of this framework by malicious actors.” -Cisco Talos

The decoy document is written in Chinese, and the same applies to the malware’s C2 menus and configuration options, so it’s safe to assume its developers are based in China. Talos’ OSINT narrowed its location to the Guangdong region.

If that is indeed the case, we could soon see Manjusaka deployed in the campaigns of multiple Chinese APTs, as the country’s threat groups are known to share a common toolkit.

We recently reported on the rise of a post-exploitation toolkit called ‘Brute Ratel’, which was also intended to replace the now aging and more easily detectable cracked versions of Cobalt Strike.

Threat actors are expected to continue gradually moving away from Cobalt Strike, and many alternative attack frameworks are likely to appear, attempting to capitalize on the new market opportunity.
