3 August 2022

Hackers caught using offensive framework similar to Cobalt Strike

Cisco’s Talos threat intelligence research team has discovered a new attack tool similar to the Cobalt Strike and Sliver frameworks, which has been utilized in a malicious campaign using COVID-19-themed documents as a lure.

Dubbed “Manjusaka” (meaning “cow flower”) by its authors, the framework uses implants written in the cross-platform Rust programming language, while its binaries are written in GoLang. The framework was discovered during the investigation into a security incident involving a Cobalt Strike beacon, indicating that an attacker used both tools in that case.

Manjusaka comes in versions for Windows and Linux operating systems (EXE and ELF versions), which offer a set of RAT functionalities and communication mechanisms. These include the ability to execute arbitrary commands, collect data about the current network connections (TCP and UDP) established on the system, collect browser credentials from Chromium-based browsers, collect Wi-Fi SSID information including passwords, harvest PremiumSoft Navicat credentials, and obtain system information from the endpoint.

The ELF variant offers largely the same set of functionalities as its Windows counterpart, except for the ability to gather credentials from Chromium-based browsers and harvest Wi-Fi login credentials. Both versions contain functionally equivalent file management modules that are used exclusively for managing files and directories on the infected system.

The researchers said that Manjusaka appears to be under development, and, as for its creator, some clues suggest that they are located in the GuangDong region of China.

“The availability of the Manjusaka offensive framework is an indication of the popularity of widely available offensive technologies with both crimeware and APT operators. This new attack framework contains all the features that one would expect from an implant, however, it is written in the most modern and portable programming languages. The developer of the framework can easily integrate new target platforms like MacOSX or more exotic flavors of Linux as the ones running on embedded devices. The fact that the developer made a fully functional version of the C2 available increases the chances of wider adoption of this framework by malicious actors,” Cisco Talos concluded.
