Chinese hackers are using a new Cobalt Strike-like attack framework

Researchers have observed a new post-exploitation attack framework used in the wild, named Manjusaka, which can be deployed as an alternative to the widely abused Cobalt Strike toolset or alongside it for redundancy.

Manjusaka uses implants written in the cross-platform programming language Rust, while its binaries are written in the equally versatile GoLang.

Its RAT (Remote Access Trojan) implants support command execution, file access, network reconnaissance, and more, so hackers can use it for the same operational purposes as Cobalt Strike.

Campaign and discovery

Manjusaka was discovered by Cisco Talos researchers, who were called in to investigate a Cobalt Strike infection at a customer, meaning the threat actors used both frameworks in this case.

The infection came via a malicious document posing as a report of a COVID-19 case in the city of Golmud in Tibet for contact tracing.

The document featured a VBA macro that runs through rundll32.exe to retrieve a second-stage payload, Cobalt Strike, and load it into memory.

However, instead of using Cobalt Strike as their primary attack toolkit, the threat actors used it to download Manjusaka implants, which, depending on the host architecture, can be EXE (Windows) or ELF (Linux) files.
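The infection chain above (Office document, VBA macro, rundll32.exe, download of a second stage) leaves a telemetry pattern defenders can look for. The following is an added detection example, not code from the article or from Cisco Talos: it correlates constructed Sysmon-style process-creation and network-connection records and flags rundll32.exe that was spawned by an Office application and then opened an outbound connection. Paths, PIDs and the 192.0.2.x addresses are constructed placeholders.

```python
# Added example (not from the article or Talos): flag rundll32.exe spawned by an
# Office application that then opens a network connection, the chain the decoy
# document is described as using. Records are constructed, Sysmon-like events.
from dataclasses import dataclass

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}

@dataclass(frozen=True)
class Event:
    eid: int            # 1 = process create, 3 = network connect (Sysmon numbering)
    pid: int
    image: str = ""
    parent_image: str = ""
    parent_pid: int = 0
    dest: str = ""      # "ip:port" for eid 3

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_office_rundll32_chains(events):
    """Return (pid, parent, destination) for every rundll32.exe that was started
    by an Office process and later made an outbound connection. Two passes, so
    event order in the input does not matter."""
    suspicious = {}
    for e in events:
        if (e.eid == 1 and basename(e.image) == "rundll32.exe"
                and basename(e.parent_image) in OFFICE):
            suspicious[e.pid] = basename(e.parent_image)
    hits = []
    for e in events:
        if e.eid == 3 and e.pid in suspicious:
            hits.append((e.pid, suspicious[e.pid], e.dest))
    return hits

# Constructed sample telemetry: one Office-spawned rundll32 (malicious pattern)
# and one explorer-spawned rundll32 (benign) to show the rule does not fire on it.
SAMPLE = [
    Event(1, 4100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"C:\Windows\explorer.exe", 2200),
    Event(1, 4188, r"C:\Windows\System32\rundll32.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", 4100),
    Event(1, 4300, r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe", 2200),
    Event(3, 4188, dest="192.0.2.10:443"),
    Event(3, 4300, dest="192.0.2.20:443"),
]

if __name__ == "__main__":
    for pid, parent, dest in find_office_rundll32_chains(SAMPLE):
        print(f"ALERT pid={pid} rundll32.exe spawned by {parent} connected to {dest}")
```

In a real deployment the same logic runs over Sysmon Event ID 1 and 3 records (or equivalent EDR telemetry), and the parent-process set can be widened to other document handlers.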

“Cisco Talos recently discovered a new attack framework called ‘Manjusaka’ used in the wild that has the potential to spread across the threat landscape. This framework is being touted as a knockoff of the Cobalt Strike framework,” researchers warn. – Cisco Talos

Manjusaka Abilities

Windows and Linux versions of the implant have almost the same capabilities and implement similar communication mechanisms.

The implants include a RAT and a file management module, each with distinct capabilities.

The RAT supports executing arbitrary commands via “cmd.exe”, collects credentials stored in web browsers, WiFi SSID and passwords, and discovers network connections (TCP and UDP), account names, local groups, etc.

Manjusaka Order Execution System (Cisco)

Moreover, it can steal Premiumsoft Navicat credentials, capture screenshots of the current desktop, list running processes, and even check hardware and thermal specifications.

The file management module can perform file enumeration, create directories, get full file paths, read or write file contents, delete files or directories, and move files between locations.

File management capabilities, EXE on the left, ELF on the right (Cisco)

A change of tools

Right now, it looks like Manjusaka is tentatively being deployed in the wild for testing, so its development is probably not in its final stages. However, the new framework is already powerful enough for real-world use.

Cisco notes that its researchers found a design diagram in a promotional message from the malware author, describing components that were not implemented in the sampled releases.

This means either that those components are not available in the “free” version used in the analyzed attack, or that the author has not yet completed them.

“This new attack framework contains all the functionality one would expect from an implant; however, it is written in the most modern and portable programming languages.

The framework developer can easily integrate new target platforms like MacOSX or more exotic versions of Linux like those running on embedded devices.

The fact that the developer has released a fully functional version of C2 increases the chances of wider adoption of this framework by malicious actors.” – Cisco Talos

The decoy document is written in Chinese, and so are the malware’s C2 menus and configuration options, so it’s safe to assume that its developers are based in China. Talos’s OSINT work narrowed their location down to the Guangdong region.

If this is indeed the case, we may soon see Manjusaka deployed in the campaigns of several Chinese APTs, as the country’s threat groups are known to share a common set of tools.

Recently, we reported on the rise of a post-exploitation toolkit dubbed “Brute Ratel”, which was also intended to replace the now aging and more easily detectable cracked versions of Cobalt Strike.

Threat actors are expected to continue to gradually move away from Cobalt Strike, and many alternative attack frameworks will likely appear, attempting to expand into the new market opportunity.
