Cisco Talos researchers have discovered a new C2 framework, Manjusaka, in the wild running in parallel with Cobalt Strike. The initial investigation began with a Cisco Talos response to a Cobalt Strike beacon detection; the beacon had been installed from a malicious Microsoft Word document. The document was sent as an email attachment with a lure about a local COVID-19 outbreak and the need for contact tracing. The target was located in Golmud City, Tibet.
In the attack researched by Cisco Talos, Cobalt Strike was used to download Manjusaka implants. The implants are delivered as both EXE (Executable) and ELF (Executable and Linkable Format) files, targeting Windows and Linux environments respectively. According to Cisco Talos, the functionality of the Linux and Windows variants of the implants is very similar. Cisco Talos has listed the known capabilities of Manjusaka as a Remote Access Trojan (RAT). These capabilities include:
- Ability to get file information for a specified file including the creation and last write times, file size, volume serial number and file index.
- Ability to get information about current network connections (TCP & UDP).
- Ability to get local network addresses, remote addresses and owning Process IDs (PIDs).
- Ability to collect browser credentials from Chromium-based browsers.
- Ability to collect Wi-Fi SSID information including passwords.
- Ability to take screenshots of the current desktop.
- Ability to obtain comprehensive system information from the endpoint, including:
  - System memory global information.
  - Processor power information.
  - Current and critical temperature readings.
  - Information on the network interfaces connected to the system.
  - Process and system times: user time, exit time, creation time, kernel time.
  - Process module names.
  - Disk and drive information including serial number, name, root path name and disk free space.
  - Network account names and local groups.
  - Windows build and major version numbers.
- Ability to activate file management modules with the following capabilities:
  - File enumeration: list files in a specified location on the disk, similar to an “ls” command.
  - Create directories.
  - Get and set the current working directory.
  - Obtain the full path of a file.
  - Delete files and remove directories on a disk.
  - Move files between two locations.
  - Read and write data to and from a file.
The ELF variant has many of the same capabilities; however, according to Cisco Talos, it cannot collect credentials from Chromium-based browsers or harvest Wi-Fi login credentials.
The campaign used to distribute the implants and infect target machines relies on a malicious Word document whose metadata points to a creation date of July 2022. According to Bleeping Computer, the recent creation date and limited exposure in the wild are likely because the framework's features are still in the developmental phase and being tested.
The new C2 framework makes use of modern, portable programming languages. The implants for both Windows and Linux targets are written in Rust, while the C2 server binary is written in Go (Golang). Cisco Talos researchers found a copy of the C2 server binary hosted on GitHub. It is noteworthy that the C2 binary is publicly available, which means the developer of the malware and the operator of the campaign may not be the same actor.
The development of the new Manjusaka C2 framework illustrates the constant change in the tactics and tools used by threat actors. The evolution of this tool and the widespread availability of the framework mean organizations should be on the lookout for new Manjusaka implants. Thus far, campaigns have relied on phishing attacks using COVID-19 related lures. Cisco Talos recommends defense-in-depth strategies based on an organization's risk analysis, together with a reliable incident response plan that has been tested and reviewed for application in real-world incidents.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941