Cisco Talos has discovered a relatively new attack framework called “Manjusaka” (which can be translated to “cow flower” from the Simplified Chinese writing) by their authors, being used in the wild.
As defenders, it is important to keep track of offensive frameworks such as Cobalt Strike and Sliver so that enterprises can effectively defend against attacks employing these tools. Although Talos haven’t observed widespread usage of this framework in the wild, it has the potential to be adopted by threat actors all over the world. This disclosure from Talos intends to provide early notification of the usage of Manjusaka.
The research started with a malicious Microsoft Word document (maldoc) that contained a Cobalt Strike (CS) beacon. The lure on this document mentioned a COVID-19 outbreak in Golmud City, one of the largest cities in the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. During the investigation, Cisco Talos found no direct link between the campaign and the framework developers, aside from the usage of the framework (which is freely available on GitHub). However, Talos could not find any data that could support victimology definition. This is justifiable considering there’s a low number of victims, indicating the early stages of the campaign, further supported by the maldoc metadata that indicates it was created in the second half of June 2022.
While investigating the maldoc infection chain, Talos found an implant used to instrument Manjusaka infections, contacting the same IP address as the CS beacon. This implant is written in the Rust programming language and Talos found samples for Windows and Linux operating systems. The Windows implant included test samples, which had non-internet-routable IP addresses as command and control (C2). Talos also discovered the Manjusaka C2 executable — a fully functional C2 ELF binary written in GoLang with a User Interface in Simplified Chinese — on GitHub. While analyzing the C2, Talos generated implants by specifying our configurations. The developer advertises it has an adversary implant framework similar to Cobalt Strike or Sliver.
The developers have provided a design diagram of the Manjusaka framework illustrating the communications between the various components. A lot of these components haven’t been implemented in the C2 binary available for free. Therefore, it is likely that either:
- The framework is actively under development with these capabilities coming soon OR
- The developer intends to or is already providing these capabilities via a service/tool to purchase – and the C2 available for free is just a demo copy for evaluation.