Manjusaka Offensive Framework Detection: New Malware Family Quickly Catapults Into Operation

A novel attack framework called “Manjusaka” is currently making rounds in the wild. The name “Manjusaka,” which means “cow flower,” is far from denoting the high level of offense potential the attack framework bears. Deriving from ample evidence, the campaign operators behind this malware family are believed to be China-based.

Developers of Manjusaka have designed it to target Windows and Linux OS, with its attack capabilities resembling those of Cobalt Strike and Sliver.

Detect Manjusaka Hacking Framework

To identify possible attacks that employ Manjusaka offensive framework, opt for downloading a batch of Sigma rules. The content was released by our keen Threat Bounty Program’s Detection Engineers Nattatorn Chuensangarun and Emir Erdogan:

Detection of Manjusaka Framework

The rules enable the detection of the malicious user-agent, and communication between the Manjusaka C2 framework and the victim. The detections are available for the 26 SIEM, EDR & XDR platforms, aligned with the MITRE ATT&CK framework v.10.

SOC Prime’s library of detection content hosts detection items that can be integrated with 26+ SIEM, EDR, and XDR solutions. Press the Detect & Hunt button to browse through an ever-growing collection of 200,000+ future-proof detections available for platform members. Threat Hunters without an active SOC Prime Platform account can unlock the privileges of registered user access by hitting the Explore Threat Context button.

Detect & Hunt Explore Threat Context

Manjusaka Framework Description

The developers of a Manjusaka malware family now distribute a GoLang-written version of C2 with a User Interface in Simplified Chinese via GitHub for free. It allows the generation of new made-to-measure malicious implants hassle-free. The Rust-written implants incorporate a number of RAT capabilities, reads the analysis published by Cisco Talos. The security researchers report  EXE and ELF versions of the implant. The malware enables its operators to steal sensitive data such as the victim’s credentials, Wi-Fi SSID information, and other system information. Manjusaka comes with the capabilities to capture screenshots, manage files and directories, and execute arbitrary commands.

The studied malware examples indicate that Manjusaka is still in its development phase, indicative of bad news that in the nearest future, we may face its new variants that will also target other popular platforms such as macOS.

Adepts at cybersecurity are welcome to sign up for free at SOC Prime’s Detection as Code platform to detect the latest threats, improve the log source and MITRE ATT&CK coverage, and actively contribute to boosting their organization’s cyber defense capabilities. Promising Detection Engineers can join forces with the Threat Bounty Program – SOC Prime’s crowdsourcing initiative, to share our dedication to cooperating in achieving high standards of cybersecurity processes and raising resilience in the face of continuously emerging threats.