Manjusaka

Manjusaka is a Chinese-language intrusion framework, similar to Sliver and Cobalt Strike, with an ELF binary written in GoLang as the controller for Windows and Linux implants written in Rust. First identified in 2022, Manjusaka consists of multiple components, only one of which (a command and control module) is freely available.[1]

ID: S1156
Type: MALWARE
Platforms: Linux, Windows
Contributors: Subhash Thapa
Version: 1.0
Created: 04 September 2024
Last Modified: 06 September 2024

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Manjusaka has used HTTP for command and control communication.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Manjusaka can execute arbitrary commands passed to it from the C2 controller via cmd.exe /c.[1]

Enterprise T1555 Credentials from Password Stores

Manjusaka extracts credentials from the Windows Registry associated with Premiumsoft Navicat, a utility used to facilitate access to various database types.[1]

.003 Credentials from Web Browsers

Manjusaka gathers credentials from Chromium-based browsers.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Manjusaka communication includes a client-created session cookie with base64-encoded information representing information from the victim system.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Manjusaka data exfiltration takes place over HTTP channels.[1]

Enterprise T1083 File and Directory Discovery

Manjusaka can gather information about specific files on the victim system.[1]

Enterprise T1113 Screen Capture

Manjusaka can take screenshots of the victim desktop.[1]

Enterprise T1082 System Information Discovery

Manjusaka performs basic system profiling actions to fingerprint and register the victim system with the C2 controller.[1]

Enterprise T1016 System Network Configuration Discovery

Manjusaka gathers information about current network connections, local and remote addresses associated with them, and associated processes.[1]

References