Aug 2, 2022
Researchers have disclosed a new offensive framework called Manjusaka that they call a “Chinese sibling of Sliver and Cobalt Strike.”
“A fully functional version of the command-and-control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors,” Cisco Talos said in a new report.
Sliver and Cobalt Strike are legitimate adversary emulation frameworks that have been used by threat actors to carry out post-exploitation activities such as network reconnaissance, lateral movement, and facilitating the deployment of follow-on payloads.
Written in Rust, Manjusaka — meaning “cow flower” — is advertised as an equivalent to the Cobalt Strike framework with capabilities to target both Windows and Linux operating systems.
Its developer is believed to be located in the GuangDong region of China.
“The implant consists of a multitude of remote access trojan (RAT) capabilities that include some standard functionality and a dedicated file management module,” the researchers noted.
Some of the supported features involve executing arbitrary commands, harvesting browser credentials from Google Chrome, Microsoft Edge, Qihoo 360, Tencent QQ Browser, Opera, Brave, and Vivaldi, gathering Wi-Fi passwords, capturing screenshots, and obtaining comprehensive system information.
It’s also designed to launch the file management module to carry out a wide range of activities such as enumerating files as well as managing files and directories on the compromised system.
On the other hand, the ELF variant of the backdoor, while including most of the functionalities as its Windows counterpart, doesn’t incorporate the ability to collect credentials from Chromium-based browsers and harvest Wi-Fi login passwords.
Also, part of the Chinese language framework is a C2 server executable that’s coded in Golang and is available on GitHub at “hxxps://github[.]com/YDHCUI/manjusaka.” A third component is an admin panel built on the Gin web framework that enables an operator to create the Rust implant.
That said, the chain of evidence suggests that it’s either under active development or its components are offered to other actors as a service.
© CopyRights RawNews1st