The researchers from Cisco have identified a new framework which they have dubbed Manjusaka, they even state that it could be the sibling of Cobalt Strike. It all started when they were investigating an malicious document, while doing the research, they discovered some code which sparked their interest even more.
Manjusaka RAT
According to the Cisco researchers, the C2 is an ELF binary written in the programming language GoLang. The implants used in the RAT are written in Rust.
The malware implant is a RAT family called “Manjusaka.” The C2 is an ELF binary written in GoLang, while the implants are written in the Rust programming language, consisting of a variety of capabilities that can be used to control the infected endpoint, including executing arbitrary commands. We discovered EXE and ELF versions of the implant. Both sets of samples catering to these platforms consist of almost the same set of RAT functionalities and communication mechanisms.
Cisco Talos Intelligence Group on Manjusaka
Communication
The Cisco researchers are noticed that there are some specific domains that are being used in the communication of Manjusaka. In the current campaign the domains try to mimic official Microsoft services.
The following examples can be seen in the Manjusaka report:
- micsoft[.]com
- wwwmicsoft[.]com
The report includes details on how the favicon.ico is being used in the investigated Manjusaka campaign.
The communication follows a regular pattern of communication, the implant will make a request to an URL which in this case is ‘/global/favicon.png’.
Cisco Talos Intelligence Group on Manjusaka
Another interesting fact is that for communication, a sequence of bytes can be expected as explained in the report:
Even though the request is an HTTP GET, it sends two bytes that are 0x191a as data. The reply is always the same, consisting of five bytes 0x1a1a6e0429. This is the C2 standard reply, which does not correspond to any kind of action on the implant.
Cisco Talos Intelligence Group on Manjusaka
- 0x1a1a6e0429
- 0x191a