Cisco Talos experts have discovered a new offensive framework called Manjusaka, which they call “the Chinese brother of Sliver and Cobalt Strike.”
Manjusaka translates to “licorice” and is the name of a genus of flowering plants with over 20 species. The framework is written in Rust (the binaries are written in the equally versatile Go) and is advertised as the equivalent of Cobalt Strike, capable of running on both Windows and Linux. It is believed that its developer is located in the Chinese province of Guangdong.
“A fully functional version of C&C written in Go with a simplified Chinese user interface is freely available and allows you to easily create new implants with custom configurations, which increases the likelihood of a wider use of this framework by attackers,” experts warn.
Let me remind you that Sliver and Cobalt Strike are legitimate tools for pentesters and red teams, focused on exploitation and post-exploitation. Unfortunately, they have long been a favorite of hackers ranging from government APT groups to ransomware operators.
The researchers say that Manjusaka could be deployed as an alternative to Cobalt Strike, or in parallel with it, as a fallback. So, Manjusaka was discovered during an investigation into an incident in which a Cisco Talos client was infected with Cobalt Strike, but during the investigation it turned out that in this case, the attackers used not only this framework.
The company report says that the Windows and Linux versions of the malware have almost the same capabilities and similar communication mechanisms. Manjusaka implants consist of a RAT and a file manager module, each of which has its own characteristics.
RAT supports the execution of arbitrary commands through cmd.exe, collects credentials stored in browsers, SSIDs and Wi-Fi passwords, and detects network connections (TCP and UDP), account names, local groups, and so on. It can also steal Premiumsoft Navicat credentials, take screenshots of the current desktop, list running processes, and even check hardware specifications and temperatures.
The file manager module, in turn, is able to list files, create directories, find out the full paths to files, read and write the contents of files, delete files and directories, and move files.
Currently, Manjusaka appears to be only pre-deployed for testing, so development as a framework is clearly not yet complete. However, experts believe that Manjusaka is already ready and powerful enough to be used in real attacks.
In addition, the researchers found in the advertising post of the author of the malware a diagram that depicts components that have not yet been implemented in trial versions. It is not clear whether this means that they are not available in the “free” version used in the studied attack, or have not yet been finalized by the author.