Project Hyphae

Chinese “Cow Flower” C2 framework has the potential to migrate across the globe.

A new attack framework has been discovered by Cisco Talos being used in the wild. Known to its authors as “Manjusaka” (Simplified Chinese for ‘cow flower’), the framework is advertised as an imitation of the Cobalt Strike framework. The command and control framework is freely available and can generate new implants with custom configurations quickly and easily. These implants are written in the Rust language and can be used against Windows and Linux targets. Because of this, Talos Intelligence warns that this framework has the potential to be adopted by threat actors all over the world.

The observed malware implant, currently known as Manjusaka, is a Remote Access Trojan (RAT) written in GoLang. This malware is capable of executing arbitrary commands, pulling relevant system information, collecting information on network connections and remote IP addresses, collecting browser credentials and Wi-Fi SSID information, collecting database information and credentials, taking screenshots of the user’s screen, and eventually activating the file management module to carry out malicious activities. These module activities can include file enumeration, collecting file information and details, creating new files and directories, modifying existing files and directories, and moving or deleting files and directories. The malware beacon communicates via HTTP requests to a fixed IP address (in Talos’ example incident, a copy of the C2 server binary was also found hosted on GitHub) to generate a fixed session cookie, which is encoded with Base64. If the session cookie is not provided, the implant receives a 302 code from the server, which redirects to http://micsoft[.]com, which in turn redirects the user to http://wwwmicsoft[.]com. At this time, it is believed that this redirection is a trick to misdirect investigators.
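The beaconing behaviour described above gives defenders two things to hunt for in web proxy logs: a client repeatedly presenting one fixed, Base64-looking cookie to one destination, and 302 redirects whose Location points at the micsoft[.]com / wwwmicsoft[.]com decoy hosts. The following Python is an added example of such a hunt, not code from the Talos report or from this site; the log format, IP addresses, request paths and cookie value are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines for this example (not from the Talos report).
# Fields: timestamp client_ip dst_ip method path status cookie_value location
SAMPLE_LOG = """\
2022-08-02T10:00:01Z 10.0.0.5 198.51.100.10 GET / 200 c2Vzc2lvbj1hYmMxMjM= -
2022-08-02T10:00:31Z 10.0.0.5 198.51.100.10 GET / 200 c2Vzc2lvbj1hYmMxMjM= -
2022-08-02T10:01:01Z 10.0.0.5 198.51.100.10 GET / 200 c2Vzc2lvbj1hYmMxMjM= -
2022-08-02T10:02:00Z 10.0.0.7 198.51.100.10 GET / 302 - http://micsoft.com/
2022-08-02T10:03:00Z 10.0.0.9 203.0.113.4 GET /index.html 200 PHPSESSID=normal -
2022-08-02T10:04:00Z 10.0.0.9 203.0.113.4 GET /index.html 200 PHPSESSID=normal -
2022-08-02T10:05:00Z 10.0.0.9 203.0.113.4 GET /index.html 200 PHPSESSID=normal -
"""
# Decoy redirect hosts named in the write-up (defanging brackets removed for matching).
REDIRECT_HOSTS = {"micsoft.com", "wwwmicsoft.com"}
B64_RE = re.compile(r"[A-Za-z0-9+/]{4,}={0,2}")

def looks_base64(value):
    """True if value is plausibly a Base64 token (alphabet, padding, length)."""
    return len(value) % 4 == 0 and B64_RE.fullmatch(value) is not None

def parse(log_text):
    """Split the constructed log format into dicts; skip blank or malformed lines."""
    keys = ("ts", "client", "dst", "method", "path", "status", "cookie", "location")
    rows = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == len(keys):
            rows.append(dict(zip(keys, parts)))
    return rows

def find_fixed_cookie_beacons(log_text, min_hits=3):
    """Clients repeatedly sending one identical Base64-looking cookie to one destination."""
    counts = defaultdict(int)
    for r in parse(log_text):
        if r["cookie"] != "-" and looks_base64(r["cookie"]):
            counts[(r["client"], r["dst"], r["cookie"])] += 1
    return sorted(k for k, n in counts.items() if n >= min_hits)

def find_decoy_redirects(log_text):
    """302 responses whose Location host is one of the decoy hosts from the report."""
    hits = []
    for r in parse(log_text):
        if r["status"] == "302" and r["location"] != "-":
            host = re.sub(r"^https?://", "", r["location"]).split("/")[0].lower()
            if host in REDIRECT_HOSTS:
                hits.append((r["client"], r["dst"], host))
    return hits
```

A fixed Base64 cookie on its own is weak evidence, since many legitimate sessions look the same, so treat the first check as a hunting lead to pair with the redirect tell and the known C2 destination rather than as a standalone alert.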

To read the full Cisco Talos notification on Manjusaka, including details of the Indicators of Compromise, capabilities, user interface details, COVID-related malicious lure documents, and details of the campaign that led to the discovery of this framework, please visit their blog entry at: https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html