Cybersecurity researchers at Cisco Talos have discovered a relatively new attack framework
" (which can be translated to "cow flower" from the Simplified Chinese
writing) by their authors, being used in the wild. This framework is advertised as an imitation of the Cobalt Strike
framework. "Although we haven't observed widespread usage of this framework in the wild, it has the potential to be adopted by threat actors all over the world."
A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available on github and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors.
The malware implant is a remote access trojan (RAT) family called "Manjusaka." The C2 is an ELF binary written in GoLang, while the implants are written in the Rust programming language, consisting of a variety of capabilities that can be used to control the infected endpoint, including executing arbitrary commands. We discovered EXE and ELF versions of the implant. Both sets of samples catering to these platforms consist of almost the same set of RAT functionalities and communication mechanisms.
Some of the supported features involve executing arbitrary commands, harvesting browser credentials from Google Chrome
, Microsoft Edge
, Qihoo 360, Tencent QQ Browser, Opera, Brave
, and Vivaldi, gathering Wi-Fi passwords, capturing screenshots, and obtaining comprehensive system information.
This new attack framework contains all the features that one would expect from an implant, however, it is written in the most modern and portable programming languages. The developer of the framework can easily integrate new target platforms like MacOSX
or more exotic flavors of Linux
as the ones running on embedded devices. "The fact that the developer made a fully functional version of the C2 available increases the chances of wider adoption of this framework by malicious actors."