"Chinese Hackers Use New Cobalt Strike-like Attack Framework"
Researchers have discovered a new post-exploitation attack framework called Manjusaka in the wild, which can be used as an alternative to the widely used Cobalt Strike toolset or in tandem with it for redundancy. Manjusaka employs implants written in the cross-platform Rust programming language, with binaries written in the equally versatile GoLang programming language. Its RAT (Remote Access Trojan) implants enable command execution, file access, network reconnaissance, and other functions, allowing hackers to use it for the same operational goals as Cobalt Strike. Manjusaka was discovered by Cisco Talos researchers who were called in to investigate a Cobalt Strike infection on a customer, indicating that the threat actors used both frameworks in that case. The infection was delivered by a malicious document posing as a report on a COVID-19 case in Golmud City, Tibet, for contact tracing. The document included a VBA macro that runs rundll32.exe to retrieve and load a second-stage payload, Cobalt Strike, into memory. However, instead of just using Cobalt Strike as their primary attack toolkit, they used it to download Manjusaka implants, which can be either EXE (Windows) or ELF files (Linux), depending on the host's architecture. The Windows and Linux versions of the implant have nearly identical capabilities and use similar communication mechanisms. The implants are made up of a RAT and a file management module, each with its own set of capabilities. The RAT supports arbitrary command execution through "cmd.exe." It also collects credentials in web browsers and Wi-Fi SSID and passwords, as well as discovers network connections (TCP and UDP), account names, local groups, and more. This article continues to discuss findings surrounding the new post-exploitation attack framework.
Bleeping Computer reports "Chinese Hackers Use New Cobalt Strike-like Attack Framework"