Manjusaka Hacking Framework

Chinese hackers are using the new Manjusaka hacking framework similar to Cobalt Strike

The researchers unveiled a new offensive frame called Manjusaka which they call a “Chinese brother of Sliver and Cobalt Strike”.

“A fully functional version of command and control (C2), written in GoLang with a simplified Chinese user interface, is freely available and can easily generate new implants with custom configurations, increasing the likelihood of wider adoption. of this framework by malicious actors,” Cisco Talos said in a new report.

Sliver and Cobalt Strike are legitimate adversary emulation frameworks that have been used by threat actors to conduct post-exploitation activities such as network reconnaissance, lateral movement, and to facilitate the deployment of payloads of followed.

Written in Rust, Manjusaka – which means “cow flower” – is advertised as an equivalent of the Cobalt Strike framework with capabilities to target both Windows and Linux operating systems. Its developer is said to be located in the GuangDong region of China.

cyber security

“The implant consists of a host of Remote Access Trojan (RAT) capabilities that include some standard functionality and a dedicated file management module,” the researchers noted.

Some of the supported features involve executing arbitrary commands, harvesting browser credentials from Google Chrome, Microsoft Edge, Qihoo 360, Tencent QQ Browser, Opera, Brave and Vivaldi, harvesting passwords Wi-Fi password, capturing screenshots and getting full system information.

It is also designed to launch file manager module to perform a wide range of activities such as enumerating files as well as managing files and directories on the compromised system.

Manjusaka hack frame

On the other hand, the ELF variant of the backdoor, while including most of the functionality of its Windows counterpart, lacks the ability to harvest credentials from Chromium-based browsers and harvest passwords. Wi-Fi connection.

Also, part of the Chinese language framework is a C2 server executable coded in Golang and available on GitHub at “hxxps://github[.]com/YDHCUI/manjusaka.” A third component is an administration panel built on top of the Gin web framework that allows an operator to create the Rust implant.

The server binary, for its part, is designed to monitor and administer an infected terminal, in addition to generating the appropriate Rust implants depending on the operating system and issuing the necessary commands.

That said, the chain of evidence suggests that it is either under active development or its components are being offered to other players as a service.

cyber security

Talos said it discovered during its investigation a maldoc infection chain that leverages COVID-19-themed decoys in China to deliver Cobalt Strike beacons to infected systems, adding that the same threat actor also used the Manjusaka framework implants in the wild.

The findings come weeks after it emerged that malicious actors were observed abusing another legitimate adversary simulation software called Brute Ratel (BRc4) in their attacks in an attempt to stay under the radar and escape detection.

“The availability of the Manjusaka offensive framework is an indication of the popularity of offensive technologies widely available from crimeware and APT operators,” the researchers said.

“This new attack framework contains all the functionality one would expect from an implant, however, it is written in the most modern and portable programming languages. The framework developer can easily integrate new platforms -target forms like MacOSX or more exotic flavors of Linux like those that run on embedded devices.”


#Chinese #hackers #Manjusaka #hacking #framework #similar #Cobalt #Strike

Leave a Comment

Your email address will not be published.