One Article Review

Home - The article:
Source CISCO Talos
Identifier 6089620
Publication date 2022-08-02 08:00:14 (viewed: 2022-08-02 13:05:59)
Title Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
Text By Asheer Malhotra and Vitor Ventura.

Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework.

The implants for the new malware family are written in the Rust language for Windows and Linux.

A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors.

We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints.

We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.

Introduction

Cisco Talos has discovered a relatively new attack framework called "Manjusaka" (which can be translated to "cow flower" from the Simplified Chinese writing) by its authors, being used in the wild.

As defenders, it is important to keep track of offensive frameworks such as Cobalt Strike and Sliver so that enterprises can effectively defend against attacks employing these tools. Although we haven't observed widespread usage of this framework in the wild, it has the potential to be adopted by threat actors all over the world. This disclosure from Talos intends to provide early notification of the usage of Manjusaka. We also detail the framework's capabilities and the campaign that led to the discovery of this attack framework in the wild.

The research started with a malicious Microsoft Word document (maldoc) that contained a Cobalt Strike (CS) beacon. The lure on this document mentioned a COVID-19 outbreak in Golmud City, one of the largest cities in the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. During the investigation, Cisco Talos found no direct link between the campaign and the framework developers, aside from the usage of the framework (which is freely available on GitHub). However, we could not find any data that could support victimology definition. This is justifiable considering there's a low number of victims, indicating the early stages of the campaign, further supported by the maldoc metadata that indicates it was created in the second half of June 2022.

While investigating the maldoc infection chain, we found an implant used to instrument Manjusaka infections, contacting the same IP address as the CS beacon. This implant is written in the Rust programming language and we found samples for Windows and Linux operating systems. The Windows implant included test samples, which had non-internet-routable IP addresses as command and control (C2). Talos also discovered the Manjusaka C2 executable - a fully functional C2 ELF binary written in GoLang with a User Interface in Simplified Chinese - on GitHub. While analyzing the C2, we generated implants by specifying our configurations. The developer advertises it has an advers
Sent Yes
Tags Malware Threat Guideline
Stories APT 19


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from an earlier one.