Researchers have unearthed a new attack framework, called Manjusaka, which they warn is primed for adoption across the threat landscape.
The framework has a freely available command-and-control (C2) and extensive credential theft capabilities, and it was developed with the ability to easily create implants with custom configurations. With these factors in mind, researchers believe Manjusaka has potential to gain traction in the world of offensive technologies that are widely available to and used by crimeware and APT operators.
Manjusaka’s developer claims that it has an adversary implant framework similar to the Cobalt Strike or Sliver platforms, both of which are legitimate security tools that have been used by attackers for intrusion and exploitation operations. Cobalt Strike is a commercial adversary simulation platform used for security testing operations, while Sliver is meant to be used by red teams with implants supported on Windows, Linux and macOS. Researchers with Cisco Talos said that while the Manjusaka implants do have capabilities similar to those featured in these popular tools, "there are some deficiencies in their implementation when compared to Cobalt Strike and Sliver."
“As defenders, it is important to keep track of offensive frameworks such as Cobalt Strike and Sliver so that enterprises can effectively defend against attacks employing these tools,” said Asheer Malhotra and Vitor Ventura, researchers with Cisco Talos, in research published Tuesday. “Although we haven't observed widespread usage of this framework in the wild, it has the potential to be adopted by threat actors all over the world.”
Manjusaka has both EXE and ELF implant versions with various features that researchers said are typical for these types of framework implants, including capabilities to control infected endpoints via executing arbitrary commands, to create, manage and delete files on the system and to take screenshots of the victim’s desktop. The implants, once executed, collect comprehensive system information from the endpoint and information about the TCP and UDP network connections on the victim’s system (including local network addresses, remote addresses and owning Process IDs).
Manjusaka also has extensive credential theft abilities, sniffing out Wi-Fi login passwords, as well as credentials for Chromium-based browsers (such as Google Chrome, Chrome Beta, Microsoft Edge and more) and for Premium Navicat, a graphical database management utility that can connect to various database types, like MySQL, Oracle, MongoDB and SQLite. Of note, the ELF implant variant, though mostly similar to its Windows counterpart, only has the Premium Navicat credential theft capability.
The framework is written in modern programming languages: the C2 is written in Golang, with a user interface in Simplified Chinese, the written language used in mainland China, and the implants for Windows and Linux are written in Rust. Since the framework was made public in March, Cisco Talos researchers said they have observed a steady development cycle introducing new features to Manjusaka.
Researchers first came across Manjusaka after spotting a malicious Microsoft Word document carrying a Cobalt Strike beacon, which was created in June and mentioned a COVID-19 outbreak in the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. While looking at this malicious document's infection chain, researchers found an implant used to instrument Manjusaka infections contacting the same IP address as the Cobalt Strike beacon, meaning the threat actor using the Cobalt Strike beacon in this campaign was also using Manjusaka framework implants.
Upon closer investigation into Manjusaka’s C2 executable on GitHub, researchers found that its developers had created a design diagram for the communications between different components of the framework; however, many of these components are not yet freely available in the C2 binary. For instance, the diagram details communication capabilities over HTTP, TCP and websockets, but the freely available C2 version can only communicate via HTTP. The design diagram is a clue that the framework may be under active development with more of these capabilities coming soon, or that the developer intends to provide the capabilities as a service or tool in the future, with the freely available C2 providing a demo copy of the framework for evaluation.
Manjusaka’s developers have also designed the framework so it can easily integrate new targeted platforms, like MacOSX or “more exotic flavors of Linux as the ones running on embedded devices.” At the same time, researchers noted the simplicity of the framework's C2 deployment, which involves a single self-contained file running on Linux that can be deployed by anyone who can download it from GitHub. Researchers said that while observed in-the-wild usage of Manjusaka has been limited so far, its various capabilities and its flexible, freely available framework could mean an uptick in adoption by cybercriminals in the future.
The popularity of tools like Cobalt Strike shows the demand for these types of frameworks, which are packed with capabilities and operationalized C2 infrastructure that reduce the legwork needed by adversaries while launching attacks. The use of publicly available or leaked frameworks also makes attribution more difficult for analysts, said Cisco Talos researchers, allowing cybercriminals to sidestep detection. In June 2021, researchers with Proofpoint said that malicious use of Cobalt Strike in campaigns is increasing, with threat actor use of the tool going up 161 percent from 2019 to 2020. Organizations need to stay diligent in protecting against these types of tools and frameworks used by cybercriminals, said Malhotra and Ventura.
“In-depth defense strategies based on a risk analysis approach can deliver the best results in the prevention,” said Malhotra and Ventura. “However, this should always be complemented by a good incident response plan which has not only been tested with tabletop exercises but also reviewed and improved every time it's put to the test on real engagements.”