Cisco’s Talos threat intelligence research team has discovered a new attack tool similar to the Cobalt Strike and Sliver frameworks, which has been utilized in a malicious campaign using COVID-19-themed documents as a lure.
Dubbed “Manjusaka” (meaning “cow flower”) by its authors, the framework uses implants written in the cross-platform Rust programming language, while its binaries are written in GoLang. The framework was discovered during the investigation into a security incident involving a Cobalt Strike beacon, indicating that an attacker used both tools in that case.
Manjusaka comes in versions for Windows and Linux operating systems (EXE and ELF versions), which offer a set of RAT functionalities and communication mechanisms. These include the capability to execute arbitrary commands, collect data about the current network connections (TCP and UDP) established on the system, collect browser credentials from Chromium-based browsers, collect Wi-Fi SSID information (including passwords) and Premiumsoft Navicat credentials, and obtain system information from the endpoint.
The ELF variant offers largely the same set of functionalities as its Windows counterpart, except for the ability to gather credentials from Chromium-based browsers and harvest Wi-Fi login credentials. Both versions contain functionally equivalent file management modules that are used exclusively for managing files and directories on the infected system.
The researchers said that Manjusaka appears to be under development, and, as for its creator, some clues suggest that they are located in the Guangdong region of China.
“The availability of the Manjusaka offensive framework is an indication of the popularity of widely available offensive technologies with both crimeware and APT operators. This new attack framework contains all the features that one would expect from an implant; however, it is written in the most modern and portable programming languages. The developer of the framework can easily integrate new target platforms like MacOSX or more exotic flavors of Linux, such as the ones running on embedded devices. The fact that the developer made a fully functional version of the C2 available increases the chances of wider adoption of this framework by malicious actors,” Cisco Talos concluded.