New Chinese Command-and-Control Framework: Manjusaka
Michael Brousseau, Red Sky Alliance (X-Industry), 2022-08-05
https://redskyalliance.org/xindustry/new-chinese-command-and-control-framework-manjusaka
<div><p>Chinese developers have created a new command-and-control (C2) framework with features and functionality similar to Cobalt Strike and Sliver. The new framework is called Manjusaka.</p>
<p>Cisco Talos researchers discovered the C2 framework in the wild, running in parallel with Cobalt Strike. The investigation began with a Cisco Talos response to a Cobalt Strike beacon detection; the beacon had been installed from a malicious Microsoft Word document. The document was sent as an email attachment with a lure regarding a local COVID-19 outbreak and the need for contact tracing. The target was located in Golmud City, Tibet.</p>
<p>In the attack researched by Cisco Talos, Cobalt Strike was used to download Manjusaka implants. The implants are distributed as both EXE (Windows executable) and ELF (Executable and Linkable Format) files, targeting Windows and Linux environments respectively. According to Cisco Talos, the functionality of the Linux and Windows variants is very similar. Cisco Talos has listed the known capabilities of Manjusaka as a Remote Access Trojan (RAT). These capabilities include:</p>
<ul>
<li>Ability to get file information for a specified file, including the creation and last write times, file size, volume serial number and file index.</li>
<li>Ability to get information about current network connections (TCP &amp; UDP).</li>
<li>Ability to get local network addresses, remote addresses and owning Process IDs (PIDs).</li>
<li>Ability to collect browser credentials from Chromium-based browsers.</li>
<li>Ability to collect Wi-Fi SSID information, including passwords.</li>
<li>Ability to take screenshots of the current desktop.</li>
<li>Ability to obtain comprehensive system information from the endpoint, including:
<ul>
<li>System memory global information.</li>
<li>Processor power information.</li>
<li>Current and critical temperature readings.</li>
<li>Information on the network interfaces connected to the system.</li>
<li>Process and system times: user time, exit time, creation time, kernel time.</li>
<li>Process module names.</li>
<li>Disk and drive information, including serial number, name, root path name and disk free space.</li>
<li>Network account names and local groups.</li>
<li>Windows build and major version numbers.</li>
</ul>
</li>
<li>Activate file management modules, which have the following capabilities:
<ul>
<li>File enumeration: list files in a specified location on the disk, similar to an “ls” command.</li>
<li>Create directories.</li>
<li>Get and set the current working directory.</li>
<li>Obtain the full path of a file.</li>
<li>Delete files and remove directories on a disk.</li>
<li>Move files between two locations.</li>
<li>Read and write data to and from a file.</li>
</ul>
</li>
</ul>
<p>The ELF variant has many of the same capabilities; however, according to Cisco Talos, it cannot collect credentials from Chromium-based browsers or harvest Wi-Fi login credentials.<a href="#_ftn1">[1]</a></p>
<p>The campaign used to distribute the implants and infect target machines relies on a malicious Word document whose metadata points to a creation date of July 2022. According to Bleeping Computer, the recent creation date and limited exposure in the wild likely indicate that the framework's features are still in development and being tested.<a href="#_ftn2">[2]</a></p>
<p>The new C2 framework makes use of modern, portable programming languages. The implants for both Windows and Linux targets are written in Rust, while the C2 server binary is written in Go. Cisco Talos researchers found a copy of the C2 server binary hosted on GitHub. It is noteworthy that the C2 binary is publicly available, meaning the developer of the malware and the operator of the campaign may not be the same actor.</p>
<p>The development of the new Manjusaka C2 framework illustrates the constant change in the tactics and tools used by threat actors. The evolution of this tool and the widespread availability of the framework mean organizations should be on the lookout for new Manjusaka implants. Thus far, campaigns have relied on phishing attacks using COVID-19-related lures. Cisco Talos recommends a defense-in-depth strategy based on an organization's risk analysis, together with a reliable incident response plan that has been tested and reviewed for application in real-world incidents.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html">https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-cobalt-strike-like-attack-framework/">https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-cobalt-strike-like-attack-framework/</a></p></div>