{"id":22769,"date":"2022-08-03T22:48:51","date_gmt":"2022-08-03T22:48:51","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=22769"},"modified":"2022-08-04T16:18:17","modified_gmt":"2022-08-04T16:18:17","slug":"cobalt-strike-inspires-next-generation-crimeware","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/threats\/cobalt-strike-inspires-next-generation-crimeware\/","title":{"rendered":"Cobalt Strike Inspires Next-generation Crimeware"},"content":{"rendered":"\n

Cobalt Strike is a legitimate vulnerability scanning<\/a> and pentesting tool<\/a> that has long been a favorite tool of hackers<\/a>, and it’s even been adapted by hackers for Linux environments<\/a>.<\/p>\n\n\n\n

And now it’s inspiring imitators.<\/p>\n\n\n\n

Cisco Talos researchers have disclosed<\/a> a new toolset used in the wild by threat actors as an alternative to Cobalt Strike or Silver. Dubbed \u201cManjusaka,\u201d which can be translated as \u201ccow flower,\u201d the framework has the potential to become \u201cprevalent across the threat landscape,\u201d according to researchers.<\/p>\n\n\n\n

The software is shipped with advanced offensive capabilities that are very similar to Cobalt Strike, such as C2 (Command and Control) infrastructure, EXE and ELF implants, RAT (Remote Access Trojan), and many more.<\/p>\n\n\n\n

The code is mostly written in Go for the C2 and Rust for the implants, two top modern programming languages with great features such as cheaper running costs, faster debugging, concurrency, easy packaging, and high compatibility across various systems.<\/p>\n\n\n\n

Researchers have been observing new features in Manjusaka since its first public release in March 2022, which suggests an active development cycle. The developers provide a free version of the C2 binary, as a demo copy for evaluation with limited functionalities, and a design diagram to explain how the components communicate to each other:
<\/p>\n\n\n\n

Researchers found evidence that the authors might be located in the Guangdong region of China.<\/p>\n\n\n\n

See the Top Vulnerability Scanning Tools<\/a><\/p>\n\n\n\n

Malicious Actors Need New Post-exploitation Frameworks<\/strong><\/h2>\n\n\n\n

Manjusaka can be used as an alternative to Cobalt Strike but also in parallel to it. Researchers discovered the tool while inspecting a malicious Microsoft Word Document, also known as \u201cmaldoc,\u201d that contained a fake report of a COVID-19 outbreak but also a Cobalt Strike beacon.<\/p>\n\n\n\n

The document itself had nothing extravagant for a maldoc, as the hackers leveraged macros<\/a> to fetch malicious payloads<\/a> and load them in memory. However, researchers found an implant written in Rust that contacted the same IP address as the Cobalt Strike beacon and a \u201cfully functional C2 ELF,\u201d written in Go. The analysis revealed it can generate implants according to specific configurations, a functionality you typically find in Cobalt Strike.<\/p>\n\n\n\n

Researchers also found samples for Windows and Linux. Indeed, the implant feature is available as both EXE and ELF, with RAT functionalities such as arbitrary commands (through cmd.exe) and advanced discovery (foothold, TCP\/UDP sniffing, credential thefts), and a file management module that can enumerate, create, move, or delete directories and paths.<\/p>\n\n\n\n

Such fully-packed crimeware is particularly attractive for APT groups<\/a> and other threat actors that need to speed up operations, especially when starting new campaigns. Because the tool is shared publicly, it\u2019s much harder for analysts and security vendors to attribute the attacks to a known organization.<\/p>\n\n\n\n

Cobalt Strike, which began as a security framework initially and has inspired Manjusaka, is also increasingly popular with cybercriminals. However, the multiple cracked versions used in the wild are not maintained and are more detectable.<\/p>\n\n\n\n

As a result, there are new opportunities for attack frameworks, and that’s where well-maintained tools like Manjusaka come in.<\/p>\n\n\n\n

How to Protect Against Manjusaka<\/strong><\/h2>\n\n\n\n

Defenders and security teams can download IoCs (Indicators Of Compromise) on the Cisco-Talos repository<\/a>.<\/p>\n\n\n\n

Next-gen frameworks provide ever-growing capabilities and can evade classic detection by establishing rogue communication channels to transmit further instructions.<\/p>\n\n\n\n

The developers made sure that the interface to pass commands is easy to use. Once the parameters are set, users can press the \u201cgenerate button\u201d:
<\/p>\n\n\n\n

Researchers found the same features in Windows and Linux binaries, and a copy of the C2 server used by the attackers on GitHub<\/a>.<\/p>\n\n\n\n

The developers probably made the effort of using modern programming languages and imitated the most popular legitimate frameworks to target more threat actors and operating systems.<\/p>\n\n\n\n

Layered security is strongly recommended, which can include strong password policy, aggressive patch management<\/a>, network segmentation<\/a>, and the least privilege principle, or “zero trust<\/a>.” <\/p>\n\n\n\n

It\u2019s critical to monitor endpoint activity<\/a> to spot unusual processes and behaviors<\/a>. More than ever, there\u2019s a huge business for initial access and post-exploitation, and APT groups will likely continue to adopt new tools like Manjusaka to ease their work and cover their tracks.<\/p>\n\n\n\n

See the Top Endpoint Detection & Response (EDR) Solutions<\/a><\/p>\n\n\n

\n \n\n \n\n
\n \n <\/path>\n <\/svg>\n <\/div>\n \n
\n
\n

\n Get the Free Cybersecurity Newsletter <\/h3>\n \n \n

\n Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday <\/p>\n <\/div>\n\n

\n
\n \n Email Address\n <\/label>\n \n <\/div>\n\n
\n
\n \n \n By signing up to receive our newsletter, you agree to our Terms of Use and Privacy Policy. You can unsubscribe at any time. <\/label>\n <\/div>\n <\/div>\n \n