Chinese hackers use a new Manjusaka hacking framework similar to Cobalt Strike

Researchers have unveiled a new offensive framework called Manjusaka that they call “the Chinese brother of Sliver and Cobalt Strike.”

“A fully functional version of Command and Control (C2), written in GoLang with a simplified Chinese user interface, is freely available and can easily create new implants with custom configurations, increasing the potential for wider adoption of this framework,” Cisco Talos said in a new report.

Sliver and Cobalt Strike are legitimate adversary emulation frameworks that have been abused by threat actors to carry out post-exploitation activities such as network reconnaissance and lateral movement, and to facilitate the deployment of follow-on payloads.

Written in Rust, Manjusaka – meaning “cow flower” – is advertised as an equivalent of the Cobalt Strike framework, with capabilities to target both Windows and Linux operating systems. Its developer is believed to be located in GuangDong, China.


“The implant consists of a large number of Remote Access Trojan (RAT) capabilities that include some standard functionality and a dedicated file management module,” the researchers noted.

Some of the supported features include executing arbitrary commands, collecting saved credentials from Chromium-based browsers (Google Chrome, Microsoft Edge, Qihoo 360, Tencent QQ Browser, Opera, Brave, and Vivaldi), collecting Wi-Fi passwords, taking screenshots, and gathering comprehensive information about the system.

It is also designed to launch a file management module that performs a wide range of activities, such as enumerating files and managing files and directories on the compromised system.
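The two credential-theft capabilities listed above (saved Chromium-family browser credentials and Wi-Fi passwords) are the behaviours a defender would most want to spot on a Windows endpoint. The following is an added example, not code from Cisco Talos or from the Manjusaka project: a small behavioural triage over process and file-access events. The event format, its field names and the sample log lines are all constructed assumptions (a flattened export such as an EDR might produce), and the heuristics are generic to any implant with these features rather than Manjusaka-specific indicators. It assumes that Chromium-based browsers keep saved credentials in a SQLite file called "Login Data" under the profile directory and that Windows reveals saved Wi-Fi pre-shared keys through "netsh wlan show profile <name> key=clear".

```python
"""Behavioural triage for browser-credential and Wi-Fi-password collection.

Added example (not Cisco Talos or Manjusaka code). Event format and sample
events are constructed assumptions: ts|pid|ppid|image|cmdline|target, where
target is the file path touched, or empty for a pure process-creation event.
"""
import re
from dataclasses import dataclass

# Profile directories of the Chromium-based browsers named in the article.
# Matched as substrings of the lower-cased target path (assumption).
CHROMIUM_PROFILE_DIRS = (
    r"google\chrome", r"microsoft\edge", r"360chrome", r"tencent\qqbrowser",
    r"opera software", r"bravesoftware", r"vivaldi",
)
# Chromium stores saved logins in a SQLite file named "Login Data".
LOGIN_DATA_RE = re.compile(r"\\login data(\s|$)", re.IGNORECASE)
# Windows dumps a saved Wi-Fi PSK with: netsh wlan show profile <name> key=clear
NETSH_WIFI_RE = re.compile(
    r"netsh(\.exe)?\s+wlan\s+show\s+profile.*key\s*=\s*clear", re.IGNORECASE)
# Browser processes legitimately open their own Login Data file.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "360chrome.exe", "qqbrowser.exe",
                  "opera.exe", "brave.exe", "vivaldi.exe"}

BROWSER_FINDING = "browser_credential_db_access"
WIFI_FINDING = "wifi_password_collection"
CLUSTER_FINDING = "credential_harvesting_cluster"


@dataclass
class Event:
    ts: str
    pid: str
    ppid: str
    image: str     # process image basename, lower-cased
    cmdline: str
    target: str    # file path touched, lower-cased; "" if none


def parse(line: str) -> Event:
    ts, pid, ppid, image, cmdline, target = line.split("|", 5)
    return Event(ts, pid.strip(), ppid.strip(), image.strip().lower(),
                 cmdline.strip(), target.strip().lower())


def classify(ev: Event) -> list:
    """Findings for a single event (empty list if nothing suspicious)."""
    findings = []
    if (LOGIN_DATA_RE.search(ev.target)
            and any(d in ev.target for d in CHROMIUM_PROFILE_DIRS)
            and ev.image not in BROWSER_IMAGES):
        findings.append(BROWSER_FINDING)
    if NETSH_WIFI_RE.search(ev.cmdline):
        findings.append(WIFI_FINDING)
    return findings


def triage(lines: list) -> dict:
    """Map actor pid -> sorted findings.

    A netsh invocation is attributed to the parent (the process that spawned
    it); a file access to the process itself. A single actor showing both
    behaviours is escalated, since that combination is what the article
    attributes to the implant rather than to any one admin tool.
    """
    by_actor = {}
    for line in lines:
        ev = parse(line)
        for finding in classify(ev):
            actor = ev.ppid if finding == WIFI_FINDING else ev.pid
            by_actor.setdefault(actor, set()).add(finding)
    result = {}
    for pid, findings in by_actor.items():
        if {BROWSER_FINDING, WIFI_FINDING} <= findings:
            findings.add(CLUSTER_FINDING)
        result[pid] = sorted(findings)
    return result


# Constructed sample telemetry (not real logs). "sysupd.exe" is a hypothetical
# implant name; pid 5588 reads two browsers' Login Data, then spawns cmd.exe
# to dump a Wi-Fi key. The chrome.exe and "show interfaces" events are benign.
SAMPLE_LINES = r"""
2022-08-02T10:01:03Z|4120|880|chrome.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe"|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2022-08-02T10:02:11Z|5588|4400|sysupd.exe|C:\Users\alice\AppData\Roaming\sysupd.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2022-08-02T10:02:12Z|5588|4400|sysupd.exe|C:\Users\alice\AppData\Roaming\sysupd.exe|C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
2022-08-02T10:02:40Z|6010|5588|cmd.exe|cmd.exe /c netsh wlan show profile "HomeNet" key=clear|
2022-08-02T10:03:00Z|6222|900|netsh.exe|netsh wlan show interfaces|
""".strip().splitlines()

if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_LINES).items():
        print(pid, findings)
```

Note that the ELF variant described below lacks both of these collectors, so this particular triage applies to the Windows implant only; the file-management and command-execution features are common to both and would need separate, less distinctive, logic.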


The ELF backdoor variant, by contrast, includes most of the functionality of its Windows counterpart but lacks the ability to collect credentials from Chromium-based browsers and to collect Wi-Fi passwords.

Also part of the Chinese-language framework is a C2 server executable coded in Golang and available on GitHub at “hxxps://github[.]com/YDHCUI/manjusaka”. The third component is an administration panel built on the Gin web framework that enables the operator to generate a Rust implant.

The server binary, for its part, is designed to monitor and manage an infected endpoint, generate the appropriate Rust implant for the target operating system, and issue the necessary commands.

That said, the chain of evidence indicates that the framework is either under active development or that its components are being offered to other actors as a service.


Talos said it discovered the framework while investigating a maldoc infection chain that uses COVID-19 lures in China to deliver Cobalt Strike beacons to infected systems, adding that the same threat actor also used implants from the Manjusaka framework in the wild.

The findings arrived weeks after malicious actors were observed abusing another legitimate adversary simulation tool, Brute Ratel C4 (BRc4), in their attacks in an attempt to stay under the radar and evade detection.

“The availability of the Manjusaka offensive framework is an indication of the popularity of widely available offensive technologies with both crimeware and APT operators,” the researchers said.

“This new attack framework has all the features one would expect from an implant; however, it is written with the most modern and portable programming languages. The framework developer can easily integrate new target platforms like MacOSX or more exotic flavors of Linux like those running on embedded hardware.”
