Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

Cisco Talos uncovered Manjusaka, a new offensive framework advertised as an imitation of Cobalt Strike. It ships Rust-based implants for Windows and Linux and a Go-based C2 with a Simplified Chinese UI that can generate implants with custom configurations. The framework surfaced alongside a COVID-19 themed maldoc campaign that delivered Cobalt Strike beacons, and the same actors have been observed using both Cobalt Strike beacons and Manjusaka implants in the wild.

Keypoints

  • Manjusaka is a new offensive framework with Rust-based implants for Windows and Linux, marketed as a Cobalt Strike/Sliver-like tool.
  • Its fully functional C2 is written in Go with a Simplified Chinese UI; it controls the implants, issues commands and can generate new implants with custom configurations, which lowers the barrier to wider adoption.
  • A COVID-19 themed maldoc campaign targeting Golmud (Qinghai Province) delivered Cobalt Strike beacons to infected endpoints.
  • Talos observed the same threat actor using both Cobalt Strike beacons and Manjusaka implants, indicating cross-use and evolution of tooling.

MITRE Techniques

  • [T1059.003] Windows Command Shell – The implant runs arbitrary commands on the system via "cmd.exe /c".
  • [T1083] File and Directory Discovery – The implant returns metadata for a specified file: creation and last-write times, size, volume serial number and file index.
  • [T1049] System Network Connections Discovery – The implant enumerates current TCP and UDP connections on the host, including local addresses, remote addresses and the owning PIDs.
  • [T1555.003] Credentials from Web Browsers – The implant reads saved logins from Chromium-based browsers (Chrome, Edge and others) with the query "SELECT signon_realm, username_value, password_value FROM logins".
  • [T1027] Obfuscated Files and Information – The beacon's C2 configuration is XOR encoded with the single-byte key 0x4D; staged payloads are decoded and executed in memory rather than written to disk.
  • [T1071.001] Web Protocols – C2 traffic is plain HTTP. The sample requests a fixed URL, http://39.104.90.45/global/favicon.png, and follows redirects to other domains (listed under Indicators of Compromise).
  • [T1059.005] Visual Basic – The maldoc's VBA macro launches rundll32.exe and injects Metasploit shellcode (Stage 1) into it, which downloads and executes the next stage (Stage 2) in memory.
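A single-byte XOR key like the 0x4D noted above is trivial to undo once the key is known, and almost as trivial to recover when it is not. The following is an added example, not code from Talos or from Manjusaka: it XOR-decodes a config blob, recovers an unknown single-byte key by brute force (a known-plaintext hit such as the C2 address wins outright; otherwise a character-set plausibility score picks the key), and splits the result into fields. The blob and its "key=value" layout are constructed for illustration; only the key value and the C2 address/URI come from the write-up.

```python
"""Single-byte XOR decoding and key recovery for a beacon config blob.

Added example, not code from the Talos write-up or from Manjusaka itself.
SAMPLE_PLAIN is a constructed, fictional config layout; only the XOR key
0x4D and the C2 address/URI are taken from the reported indicators.
"""
import string
from typing import Optional

XOR_KEY = 0x4D  # single-byte key reported for the beacon configuration

# Bytes that a plaintext config is expected to consist of (assumption for scoring).
ALLOWED = set((string.ascii_letters + string.digits + "./=:_-\n ").encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; encoding and decoding are the same operation."""
    return bytes(b ^ key for b in data)


def plausibility(data: bytes) -> float:
    """Fraction of bytes that look like config text (letters, digits, a few delimiters)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in ALLOWED) / len(data)


def recover_key(blob: bytes, known: Optional[bytes] = None) -> int:
    """Try all 256 single-byte keys and return the most plausible one.

    If a known-plaintext fragment is supplied (e.g. a C2 address already seen in
    network telemetry), the first key whose decode contains it wins outright.
    Otherwise the key with the highest plausibility score is returned; ties go
    to the lowest key. A bare printable-ASCII ratio is a weaker score, because
    several keys can map a short config to 100% printable bytes.
    """
    best_key, best_score = 0, -1.0
    for k in range(256):
        candidate = xor_bytes(blob, k)
        if known is not None and known in candidate:
            return k
        score = plausibility(candidate)
        if score > best_score:
            best_key, best_score = k, score
    return best_key


def decode_config(blob: bytes, key: int = XOR_KEY) -> dict:
    """Decode the blob and split 'key=value' lines into a dict (constructed layout)."""
    text = xor_bytes(blob, key).decode("latin-1")
    fields = {}
    for line in text.split("\n"):
        if "=" in line:
            name, value = line.split("=", 1)
            fields[name.strip()] = value.strip()
    return fields


# Constructed sample: a fictional config using the reported C2 and URI, encoded with 0x4D.
SAMPLE_PLAIN = b"c2=39.104.90.45\nuri=/global/favicon.png\nsleep=60000\n"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, XOR_KEY)

if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB, known=b"39.104.90.45")
    print(f"recovered key: 0x{key:02X}")
    print(decode_config(SAMPLE_BLOB, key))
```

When working a real sample, feed `recover_key` the encoded region carved from the binary and pass any string already known from telemetry (the C2 IP, a URI path) as `known`; the plausibility score is only a fallback for when nothing about the plaintext is known yet.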

Indicators of Compromise

  • [IP] 39.104.90.45 – C2/server endpoint used in multiple stages of the campaign.
  • [Domain] micsoft.com, wwwmicsoft.com – Redirect targets observed during C2 communication.
  • [URL] http://39.104.90.45/global/favicon.png, http://39.104.90.45/IE9CompatViewList.xml, http://39.104.90.45/submit.php, http://39.104.90.45/2WYz – C2 and payload-fetch endpoints referenced by the implants.
  • [Hash] 58a212f4c53185993a8667afa0091b1acf6ed5ca4ff8efa8ce7dae784c276927, 8e7c4df8264d33e5dc9a9d739ae11a0ee6135f5a4a9e79c354121b69ea901ba6, 54830a7c10e9f1f439b7650607659cdbc89d02088e1ab7dd3e2afb93f86d4915 – Maldoc and CS beacon samples.
  • [Hash] 8e9ecd282655f0afbdb6bd562832ae6db108166022eb43ede31c9d7aacbcc0d8, a8b8d237e71d4abe959aff4517863d9f570bba1646ec4e79209ec29dda64552f, 3f3eb6fd0e844bc5dad38338b19b10851083d078feb2053ea3fe5e6651331bf2, 0b03c0f3c137dacf8b093638b474f7e662f58fef37d82b835887aca2839f529b – Rust implant samples.
  • [Hash] fb5835f42d5611804aaa044150a20b13dcf595d91314ebef8cf6810407d85c64, 955e9bbcdf1cb230c5f079a08995f510a3b96224545e04c1b1f9889d57dd33c1 – C2 binaries.
  • [User-Agent] Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0), Mozilla/5.0 (Windows NT 8.0; WOW64; rv:58.0) Gecko/20120102 Firefox/58 – User agents observed in C2 communications.
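The indicators above are most useful when swept across proxy or web-gateway logs. The following is an added example, not code from Talos or from the framework: it parses a simple request log and flags lines whose host, URI or User-Agent matches the listed indicators. The log line format ("<timestamp> <src_ip> <method> <url> <status> "<user-agent>"") and the sample lines are constructed for illustration; only the indicator values come from the list above.

```python
"""Sweep proxy-style request logs for the Manjusaka/CS indicators listed on this page.

Added example, not code from the Talos write-up. The log format and SAMPLE_LOG
are constructed for illustration; the indicator sets are copied from the IOC list.
"""
import re
from urllib.parse import urlsplit

C2_IPS = {"39.104.90.45"}
REDIRECT_DOMAINS = {"micsoft.com", "wwwmicsoft.com"}
C2_PATHS = {"/global/favicon.png", "/IE9CompatViewList.xml", "/submit.php", "/2WYz"}
USER_AGENTS = {
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
    "Mozilla/5.0 (Windows NT 8.0; WOW64; rv:58.0) Gecko/20120102 Firefox/58",
}

# Constructed log format (assumption): ts src_ip METHOD url status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def match_line(line: str) -> list:
    """Return the indicator categories a single log line matches (empty if none or unparseable)."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return []
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    hits = []
    if host in C2_IPS:
        hits.append("c2_ip")
    if host in REDIRECT_DOMAINS:
        hits.append("redirect_domain")
    # Only count a URI hit when it is served from the known C2 host; the paths alone
    # (favicon.png, IE9CompatViewList.xml) are chosen to blend in with normal traffic.
    if host in C2_IPS and url.path in C2_PATHS:
        hits.append("c2_uri")
    if m["ua"] in USER_AGENTS:  # exact match: these strings are distinctive as written
        hits.append("user_agent")
    return hits


def scan(lines) -> dict:
    """Map zero-based line index -> matched categories for every line with at least one hit."""
    results = {}
    for idx, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            results[idx] = hits
    return results


# Constructed sample log: two infected-host requests, one benign request, one POST to the C2.
SAMPLE_LOG = [
    '2022-08-02T10:15:01Z 10.0.0.23 GET http://39.104.90.45/global/favicon.png 200 '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"',
    '2022-08-02T10:15:02Z 10.0.0.23 GET http://wwwmicsoft.com/ 302 '
    '"Mozilla/5.0 (Windows NT 8.0; WOW64; rv:58.0) Gecko/20120102 Firefox/58"',
    '2022-08-02T10:16:00Z 10.0.0.41 GET https://www.example.com/index.html 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '2022-08-02T10:17:45Z 10.0.0.23 POST http://39.104.90.45/submit.php 200 "curl/7.68.0"',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(hits)}")
```

The second User-Agent is worth matching verbatim: no Windows release identifies itself as "Windows NT 8.0" (Windows 8 reports NT 6.2), so the string is an artefact of the tooling rather than of any real browser, and an exact-match rule on it carries little false-positive risk.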

Read more: https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html