Chinese Hackers Using New Manjusaka Hacking Framework Similar To Cobalt Strike


Researchers have unveiled a new offensive framework called Manjusaka, which they call a “Chinese sibling of Sliver and Cobalt Strike.”

“A fully functional version of the command-and-control (C2), written in GoLang with a user interface in simplified Chinese, is freely available and can easily generate new implants with custom configurations, increasing the likelihood of wider adoption of this framework.” by malicious actors,” Cisco Talos said in a new report.

splinter and Cobalt Strike are legitimate adversary emulation frameworks that have been used by threat actors to perform post-exploitation activities such as network exploration, lateral movement, and facilitating the deployment of follow-up payloads.

Written in Rust, Manjusaka – meaning “cow flower” – is advertised as an equivalent to the Cobalt Strike framework with capabilities to target both Windows and Linux operating systems. The developer is believed to be located in the GuangDong region of China.

“The implant consists of a large number of RAT (Remote Access Trojan) capabilities that include some standard functionality and a dedicated file management module,” the researchers noted.

Some of the supported functions include running arbitrary commands, collecting browser data from Google Chrome, Microsoft Edge, Qihoo 360, Tencent QQ Browser, Opera, Brave and Vivaldi, collecting WiFi passwords, taking screenshots and getting of comprehensive system information.

It is also designed to launch the file manager module to perform a wide variety of activities such as file inventory and manage files and folders on the compromised system.

On the other hand, the ELF variant of the backdoor, while most of the functionalities as its Windows counterpart, does not include the ability to collect credentials from Chromium-based browsers and collect Wi-Fi login passwords.

Also part of the Chinese language framework is a C2 server executable that is encoded in Golang and available on GitHub at “hxxps://github[.]com/YDHCUI/manjusaka.” A third component is an admin panel built on the Gin web framework that allows an operator to create the Rust implant.

The binary server, in turn, is designed to monitor and manage an infected endpoint, in addition to generating the appropriate Rust implants, depending on the operating system, and issuing the necessary commands.

That said, the chain of evidence suggests it is either under active development or its components are being offered as a service to other actors.

Talos said it made the discovery during its investigation of a maldoc infection chain that uses COVID-19-themed bait in China to deliver Cobalt Strike beacons to infected systems, adding that the same threat actor is also using the implants of the Manjusaka framework used in the wild.

The findings come weeks after it emerged that malicious actors have exploited another legitimate adversary simulation software called Brute Ratel (BRc4) in their attacks in an attempt to stay under the radar and evade detection.

“The availability of Manjusaka’s offensive framework is indicative of the popularity of widely available offensive technologies among both crimeware and APT operators,” the researchers said.

“This new attack framework contains all the features one would expect from an implant, yet it is written in the most modern and portable programming languages. The developer of the framework can easily integrate new target platforms such as MacOSX or more exotic flavors of Linux. running embedded devices.”