Pierluigi Paganini August 03, 2022

Researchers spotted a Chinese threat actors using a new offensive framework called Manjusaka which is similar to Cobalt Strike.

Talos researchers observed a Chinese threat actor using a new offensive framework called Manjusaka (which can be translated to “cow flower” from the Simplified Chinese writing) that is similar to Sliver and Cobalt Strike tools.

The attack framework is advertised as an imitation of the Cobalt Strike framework, the experts reported that the implants for the new malware family are written in the Rust language for Windows and Linux.

The experts uncovered a campaign using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. The weaponized documents were crafted to start the infection process and led to the installation of Cobalt Strike beacons on infected systems.

“A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors.” reads the analysis published by Cisco Talos. “We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.”

The researchers believe that the Manjusaka tool has the potential to become a popular post-exploitation tool like Slive and Cobal Strike.

The researchers states that malware implant is a RAT family called “Manjusaka,” while the C2 is an ELF binary written in GoLang available on GitHub at “hxxps://github[.]com/YDHCUI/manjusaka.” The C2 server and admin panel are built on the Gin Web Framework which allows operators to issue commands to the Rust-based implants/stagers. The implants support multiple capabilities, including executing arbitrary commands on the infected systems. Below is the full list of supported features:

• Execute arbitrary commands

• Get file information for a specified file: Creation and last write times, size, volume serial number and file index.
• Get information about the current network connections (TCP and UDP) established on the system, including Local network addresses, remote addresses and owning Process IDs (PIDs).
• Collect browser credentials: Specifically for Chromium-based browsers using the query: SELECT signon_realm, username_value, password_value FROM logins ; Browsers targeted: Google Chrome, Chrome Beta, Microsoft Edge, 360 (Qihoo), QQ Browser (Tencent), Opera, Brave and Vivaldi.
• Collect Wi-Fi SSID information, including passwords using the command: netsh wlan show profile <WIFI_NAME> key=clear
• Obtain Premiumsoft Navicat credentials
• Take screenshots of the current desktop.
• Obtain comprehensive system information from the endpoint
• Activate the file management module to carry out file-related activities

The experts discovered both EXE and ELF versions of the implant.

The attribution of this campaign to Chinese threat actors is based on the following evidence:

• the maldoc refers to a COVID-19 outbreak in Golmud City.
• the Rust-based implant does not use the standard crates.io library repository for the dependency resolving. Instead, it was manually configured by the developers to use the mirror located at the University Science and Technology of China (ustc[.]edu[.]cn).
• the C2 menus and options are all written in Simplified Chinese.
• our OSINT suggests that the author of this framework is located in the GuangDong region of China.

“The availability of the Manjusaka offensive framework is an indication of the popularity of widely available offensive technologies with both crimeware and APT operators. This new attack framework contains all the features that one would expect from an implant, however, it is written in the most modern and portable programming languages.” concluded the analysis. “The developer of the framework can easily integrate new target platforms like MacOSX or more exotic flavors of Linux as the ones running on embedded devices. The fact that the developer made a fully functional version of the C2 available increases the chances of wider adoption of this framework by malicious actors.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Manjusaka)

[adrotate banner=”5″]

[adrotate banner=”13″]