Unit 42 details an active campaign named Manic Menagerie 2.0 that targeted US and EU web hosting and IT providers from late 2020 through late 2022, evolving from a prior campaign. The threat actor used coin mining on hijacked servers, mass web shell deployments to turn legitimate websites into C2 servers, and a mix of custom and legitimate tools to evade detection. #ManicMenagerie #ManicMenagerie2.0 #ProxyShell #ACSC #IIS #WebShell
Key points
- Campaign timeframe (late 2020–late 2022) and targets: US/EU hosting and IT providers, linked to the Manic Menagerie activity set (CL-CRI-0021).
- Coin miners deployed on hijacked servers to abuse resources and generate revenue.
- Mass deployment of web shells across compromised sites, enabling sustained access and potential use as C2 infrastructure.
- Exploitation of ProxyShell and other Exchange/IIS web application vulnerabilities as additional access vectors.
- Privilege-escalation efforts (RunasCs, au.exe, JuicyPotato, PrintSpoofer, etc.) to add admin users and deepen access.
- DoS/impact techniques (fork bomb) to crash systems and facilitate persistence post-reboot.
- A wide toolkit (dllnc, PCHunter, sh.exe, GoIIS, IIS1.asp) used for deployment, discovery, and backdoor development.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The attackers exploited Exchange/IIS vulnerabilities to gain footholds, e.g., “During 2021-2022, upon the public disclosure of multiple Microsoft Exchange Server vulnerabilities, the threat actor attempted to exploit the following vulnerabilities…”
- [T1505.003] Web Shell – Mass deployment of web shells to hosted websites (e.g., “mass deployment of web shells to the hosted websites” and “ASPXSpy” deployments).
- [T1136] Create Account – Adding their own user to the Administrators group on IIS servers to escalate privileges, e.g., “to add their own user to the Administrators group.”
- [T1222.001] Windows File and Directory Permissions Modification – Modifying ACLs in bulk via a wrapper tool to lower security barriers, e.g., “change the web server’s ACL permissions in bulk.”
- [T1083] File and Directory Discovery – Traversing server folders to retrieve server configuration information (GoIIS functionality).
- [T1082] System Information Discovery – Using tools like PCHunter to gather Windows internals information and capabilities.
- [T1496] Resource Hijacking – Coin miners deployed to hijacked machines to monetize resources.
- [T1574] Hijack Execution Flow / Privilege Escalation – Use of multiple LPE tools (JuicyPotato, JuicyPotatoNG, EfsPotato, PetitPotam) to escalate privileges and maintain access.
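A detection sketch for three of the techniques above (T1136, T1505.003, T1222.001), written here as an added example and not taken from the Unit 42 report: it scans constructed, simplified Windows Security/Sysmon-style records for local Administrators group additions, script files written under an IIS web root by the worker process, and recursive icacls grants to broad principals. The event format, field names and sample values are assumptions for illustration.

```python
import re

# Constructed sample events (not from the report), simplified to "EventID|key=value|...".
# Real data would come from the Security (4732, 4688) and Sysmon (11) channels.
SAMPLE_EVENTS = [
    "4732|Group=Administrators|Member=svc_web2|Host=IIS-WEB01",
    "11|Image=w3wp.exe|TargetFilename=C:\\inetpub\\wwwroot\\site1\\aspxspy.aspx|Host=IIS-WEB01",
    "11|Image=w3wp.exe|TargetFilename=C:\\inetpub\\wwwroot\\site2\\images\\logo.png|Host=IIS-WEB01",
    "4688|Image=icacls.exe|CommandLine=icacls C:\\inetpub /grant Everyone:F /T|Host=IIS-WEB01",
    "4688|Image=icacls.exe|CommandLine=icacls C:\\logs /grant IIS_IUSRS:R|Host=IIS-WEB01",
]

WEB_SHELL_EXT = (".aspx", ".ashx", ".asmx", ".asp", ".php")
WEB_ROOT = r"c:\inetpub\wwwroot"  # assumed IIS web root for the sample host

def parse(line):
    """Split one sample record into a dict keyed by field name."""
    fields = line.split("|")
    rec = {"EventID": fields[0]}
    for f in fields[1:]:
        k, _, v = f.partition("=")
        rec[k] = v
    return rec

def classify(rec):
    """Return (technique_id, reason) if the record matches one of the behaviours, else None."""
    eid = rec["EventID"]
    if eid == "4732" and rec.get("Group", "").lower() == "administrators":
        return ("T1136", f"account {rec['Member']} added to local Administrators")
    if eid == "11":
        path = rec.get("TargetFilename", "").lower()
        # The IIS worker process writing a script file under the web root is the classic web shell drop
        if (path.startswith(WEB_ROOT) and path.endswith(WEB_SHELL_EXT)
                and rec.get("Image", "").lower() == "w3wp.exe"):
            return ("T1505.003", f"w3wp.exe wrote {rec['TargetFilename']}")
    if eid == "4688" and rec.get("Image", "").lower() == "icacls.exe":
        cmd = rec.get("CommandLine", "")
        # Recursive (/T) grants to broad principals are the bulk ACL weakening described above
        if re.search(r"/T\b", cmd, re.I) and re.search(r"/grant\s+(everyone|users|authenticated users)", cmd, re.I):
            return ("T1222.001", f"bulk ACL change: {cmd}")
    return None

def scan(lines):
    """Run classify over every record and collect the hits in order."""
    return [hit for hit in (classify(parse(line)) for line in lines) if hit]

if __name__ == "__main__":
    for technique, reason in scan(SAMPLE_EVENTS):
        print(technique, reason)
```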
Indicators of Compromise
Read more: https://unit42.paloaltonetworks.com/manic-menagerie-targets-web-hosting-and-it/