Chinese hackers developed a new hacking framework, “Manjusaka” that collects Wi-Fi passwords, takes screenshots, and extracts comprehensive system information from users. The framework resembled a COVID-19 document, executing arbitrary commands and launching a file management module that accesses files from the user’s device. Researchers tracked the developer of this framework in the Guangdong region of China.
Hackers attacked users with a fraudulent Microsoft Word document (maldoc) resembling a COVID-19 outbreak report in Golmud City. The investigating team found that the maldoc led them to an implant that carried out the infections. Moreover, they found the same IP address as the CS beacon with Windows and Linux operating systems samples.
The implant is written in Rust programming language and consists of several remote access trojan (RAT). Researchers found a non-internet-routable IP address as command and control (C2). They further confirmed that the Manjusaka C2 executable is located on GitHub.
Manjusaka can affect Windows and Linux operating systems and has a framework like Cobalt Strike or Silver. The command and control (C2) are written in GoLang. Rust language was used to write the implants for the new malware family. Its user interface was in Simplified Chinese.
Researchers at Cisco Talos confirmed that Manjusaka was created in the second half of June this year. Seeing the low number of victims, it can be said that the hacking framework is not widespread. However, it may get adopted by more hackers in the future.
Developers investigating the hacking framework have provided a design diagram showing the communication channel between various components. They have discovered EXE and ELF versions of the implant. Talos could not maintain a direct connection between the domains and the authors or operators. They speculated that the framework may still be under development, the C2 copy, free to access by users, is a demo copy, and they are already offering these tools for purchase.
