Cobalt Strike is a legitimate vulnerability scanning and pentesting tool that has long been a favorite tool of hackers, and it’s even been adapted by hackers for Linux environments.
And now it’s inspiring imitators.
Cisco Talos researchers have disclosed a new toolset used in the wild by threat actors as an alternative to Cobalt Strike or Silver. Dubbed “Manjusaka,” which can be translated as “cow flower,” the framework has the potential to become “prevalent across the threat landscape,” according to researchers.
The software is shipped with advanced offensive capabilities that are very similar to Cobalt Strike, such as C2 (Command and Control) infrastructure, EXE and ELF implants, RAT (Remote Access Trojan), and many more.
The code is mostly written in Go for the C2 and Rust for the implants, two top modern programming languages with great features such as cheaper running costs, faster debugging, concurrency, easy packaging, and high compatibility across various systems.
Researchers have been observing new features in Manjusaka since its first public release in March 2022, which suggests an active development cycle. The developers provide a free version of the C2 binary, as a demo copy for evaluation with limited functionalities, and a design diagram to explain how the components communicate to each other:
Researchers found evidence that the authors might be located in the Guangdong region of China.
See the Top Vulnerability Scanning Tools
Malicious Actors Need New Post-exploitation Frameworks
Manjusaka can be used as an alternative to Cobalt Strike but also in parallel to it. Researchers discovered the tool while inspecting a malicious Microsoft Word Document, also known as “maldoc,” that contained a fake report of a COVID-19 outbreak but also a Cobalt Strike beacon.
The document itself had nothing extravagant for a maldoc, as the hackers leveraged macros to fetch malicious payloads and load them in memory. However, researchers found an implant written in Rust that contacted the same IP address as the Cobalt Strike beacon and a “fully functional C2 ELF,” written in Go. The analysis revealed it can generate implants according to specific configurations, a functionality you typically find in Cobalt Strike.
Researchers also found samples for Windows and Linux. Indeed, the implant feature is available as both EXE and ELF, with RAT functionalities such as arbitrary commands (through cmd.exe) and advanced discovery (foothold, TCP/UDP sniffing, credential thefts), and a file management module that can enumerate, create, move, or delete directories and paths.
Such fully-packed crimeware is particularly attractive for APT groups and other threat actors that need to speed up operations, especially when starting new campaigns. Because the tool is shared publicly, it’s much harder for analysts and security vendors to attribute the attacks to a known organization.
Cobalt Strike, which began as a security framework initially and has inspired Manjusaka, is also increasingly popular with cybercriminals. However, the multiple cracked versions used in the wild are not maintained and are more detectable.
As a result, there are new opportunities for attack frameworks, and that’s where well-maintained tools like Manjusaka come in.
How to Protect Against Manjusaka
Defenders and security teams can download IoCs (Indicators Of Compromise) on the Cisco-Talos repository.
Next-gen frameworks provide ever-growing capabilities and can evade classic detection by establishing rogue communication channels to transmit further instructions.
The developers made sure that the interface to pass commands is easy to use. Once the parameters are set, users can press the “generate button”:
Researchers found the same features in Windows and Linux binaries, and a copy of the C2 server used by the attackers on GitHub.
The developers probably made the effort of using modern programming languages and imitated the most popular legitimate frameworks to target more threat actors and operating systems.
Layered security is strongly recommended, which can include strong password policy, aggressive patch management, network segmentation, and the least privilege principle, or “zero trust.”
It’s critical to monitor endpoint activity to spot unusual processes and behaviors. More than ever, there’s a huge business for initial access and post-exploitation, and APT groups will likely continue to adopt new tools like Manjusaka to ease their work and cover their tracks.