Cisco Talos researchers spotted a new attack framework that claims to be the sibling of Cobalt Strike. Named Manjusaka, the malware family is written in Rust. The evidence gathered indicates that the malware is either under active development or its components are being sold to other bad actors as a service.
Diving into details
Manjusaka—meaning cow flower—can target both Windows and Linux.
Its command and control (C2) is written in Golang and the user interface is in simple Chinese. It can generate custom configurations easily.
The malware implant contains several RAT functionalities and a dedicated file management module.
Some functionalities include executing arbitrary commands; capturing screenshots; pilfering browser credentials from Chrome, Opera, Brave, Edge, and others; and gaining extensive system information.
The campaign was initiated by a maldoc impersonating a report about a COVID-19 case in Golmut City, Tibet, for contact tracing.
The doc featured a VBA macro that fetches Cobalt Strike as a second payload and loads it in memory.
However, Cobalt Strike was used to download Manjusaka implants depending on the victim’s architecture.
Cobalt Strike on the news
A LockBit 3.0 affiliate was found exploiting the Windows Defender command-line tool to deploy Cobalt Strike payloads. The attacker gained initial access via the log4j flaw.
Earlier in July, the Matanbuchus malware was found dropping Cobalt Strike on compromised devices during a phishing campaign. Matanbuchus is a malware-as-a-service offering that drops executables directly into system memory.
The bottom line
The emergence of Manjusaka highlights the popularity of easily available offensive technology among cybercriminals. It has all the features of an implant and is written in the most modern programming language. Hence, organizations are recommended to implement in-depth cybersecurity defenses, complemented by a robust incident response strategy.