Talos researchers observed a Chinese threat actor using a new offensive framework called Manjusaka (which can be translated to “cow flower” from the Simplified Chinese writing) that is similar to Sliver and Cobalt Strike tools.
The attack framework is advertised as an imitation of the Cobalt Strike framework, the experts reported that the implants for the new malware family are written in the Rust language for Windows and Linux.
The experts uncovered a campaign using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. The weaponized documents were crafted to start the infection process and led to the installation of Cobalt Strike beacons on infected systems.
“A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors.” reads the analysis published by Cisco Talos. “We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.”
The researchers believe that the Manjusaka tool has the potential to become a popular post-exploitation tool like Slive and Cobal Strike.
The researchers states that malware implant is a RAT family called “Manjusaka,” while the C2 is an ELF binary written in GoLang available on GitHub at “hxxps://github[.]com/YDHCUI/manjusaka.” The C2 server and admin panel are built on the Gin Web Framework which allows operators to issue commands to the Rust-based implants/stagers. The implants support multiple capabilities, including executing arbitrary commands on the infected systems. Below is the full list of supported features:
The experts discovered both EXE and ELF versions of the implant.
The attribution of this campaign to Chinese threat actors is based on the following evidence:
“The availability of the Manjusaka offensive framework is an indication of the popularity of widely available offensive technologies with both crimeware and APT operators. This new attack framework contains all the features that one would expect from an implant, however, it is written in the most modern and portable programming languages.” concluded the analysis. “The developer of the framework can easily integrate new target platforms like MacOSX or more exotic flavors of Linux as the ones running on embedded devices. The fact that the developer made a fully functional version of the C2 available increases the chances of wider adoption of this framework by malicious actors.”
(SecurityAffairs – hacking, Manjusaka)