Chinese hackers use new Cobalt Strike-like attack framework

guest · Aug 2, 2022

August 2, 2022

Researchers have observed a new post-exploitation attack framework used in the wild, named Manjusaka, which can be deployed as an alternative to the widely abused Cobalt Strike toolset or parallel to it for redundancy.

Manjusaka uses implants written in the cross-platform Rust programming language, while its binaries are written in the equally versatile GoLang.
Its RAT (remote access trojan) implants support command execution, file access, network reconnaissance, and more, so hackers can use it for the same operational goals as Cobalt Strike.
Click to expand...

Campaign and discovery
Manjusaka was discovered by researchers at Cisco Talos, who were called to investigate a Cobalt Strike infection on a customer, so the threat actors used both frameworks in that case.

However, instead of just using Cobalt Strike as their primary attack toolkit, they used it to download Manjusaka implants, which depending on the host's architecture, can be either EXE (Windows) or ELF files (Linux).

"Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework," warns the Cisco Talos researchers.
Click to expand...

A shift in tools

“This new attack framework contains all the features that one would expect from an implant, however, it is written in the most modern and portable programming languages.
The developer of the framework can easily integrate new target platforms like MacOSX or more exotic flavors of Linux as the ones running on embedded devices.

The fact that the developer made a fully functional version of the C2 available increases the chances of wider adoption of this framework by malicious actors.” - Cisco Talos
Click to expand...

Cisco Talos: Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework.

The implants for the new malware family are written in the Rust language for Windows and Linux.

A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors.

We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints.

We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.

Click to expand...

guest · Sep 3, 2022

More hackers adopt Sliver toolkit as a Cobalt Strike alternative
By Ionut Ilascu @Ionut_Ilascu - August 25, 2022

Threat actors are dumping the Cobalt Strike penetration testing suite in favor of similar frameworks that are less known. After Brute Ratel, the open-source, cross-platform kit called Sliver is becoming an attractive alternative.

However, malicious activity using Sliver can be detected using hunting queries drawn from analyzing the toolkit, how it works, and its components.
Click to expand...

Migrating away from Cobalt Strike
Facing stronger defenses against Cobalt Strike, threat actors have found alternatives. Palo Alto Networks observed them switch to Brute Ratel, an adversarial attack simulation tool designed to elude security products.

Over the past years, Cobalt Strike has grown in popularity as an attack tool for various threat actors, including ransomware operations, to drop on compromised networks “beacons” that allow moving laterally to high-value systems.
Click to expand...

A report from Microsoft notes that hackers, from state-sponsored groups to cybercrime gangs, are more and more using in attacks the Go-based Sliver security testing tool developed by researchers at BishopFox cybersecurity company.

“Microsoft has observed the Sliver command-and-control (C2) framework now being adopted and integrated in intrusion campaigns by nation-state threat actors, cybercrime groups directly supporting ransomware and extortion, and other threat actors to evade detection” - Microsoft
Click to expand...

Microsoft: Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks

We’ve seen these actors use Sliver with—or as a replacement for—Cobalt Strike. Given Cobalt Strike’s popularity as an attack tool, defenses against it have also improved over time. Sliver thus presents an attractive alternative for actors looking for a lesser-known toolset with a low barrier for entry.

In this blog, we share how the researchers behind Microsoft Defender Experts for Hunting analyzed Sliver and used both lab-simulated attacks and real-world threat activity to create hunting queries to surface Sliver and other C2 frameworks.
Click to expand...

guest · Nov 23, 2022

Nighthawk Likely to Become Hackers' New Post-Exploitation Tool After Cobalt Strike
By Ravie Lakshmanan - November 23, 2022

A nascent and legitimate penetration testing framework known as Nighthawk is likely to gain threat actors' attention for its Cobalt Strike-like capabilities.
Click to expand...

Enterprise security firm Proofpoint said it detected the use of the software in mid-September 2022 with a number of test emails sent using generic subject lines such as "Just checking in" and "Hope this works2."

However, there are no indications that a leaked or cracked version of Nighthawk is being weaponized by threat actors in the wild, Proofpoint researcher Alexander Rausch said in a write-up.
Click to expand...

Nighthawk, launched in December 2021 by a company called MDSec, is analogous to its counterparts Cobalt Strike, Sliver, and Brute Ratel, offering a red team toolset for adversary threat simulation. It's licensed for £7,500 (or $10,000) per user for a year.

"Nighthawk is the most advanced and evasive command-and-control framework available on the market," MDSec notes. "Nighthawk is a highly malleable implant designed to circumvent and evade the modern security controls often seen in mature, highly monitored environments."
Click to expand...

Indeed, the high detection rates associated with Cobalt Strike and Sliver have led Chinese criminal actors to devise alternative offensive frameworks like Manjusaka and Alchimist in recent months.

"Nighthawk is a mature and advanced commercial C2 framework for lawful red team operations that is specifically built for detection evasion, and it does this well," Rausch said.
Click to expand...

Proofpoint: Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice

By Alexander Rausch and the Proofpoint Threat Research Team - November 22, 2022
Key Takeaways

Nighthawk is an advanced C2 framework intended for red team operations through commercial licensing.

Proofpoint researchers observed initial use of the framework in September 2022 by a likely red team.

We have seen no indications at this time that leaked versions of Nighthawk are being used by attributed threat actors in the wild.

The tool has a robust list of configurable evasion techniques that are referenced as “opsec” functions throughout its code.

Proofpoint researchers expect Nighthawk will show up in threat actor campaigns as the tool becomes more widely recognized or as threat actors search for new, more capable tools to use against targets.

Click to expand...

guest · Jan 23, 2023

Threat Actors Turn to Sliver as Open Source Alternative to Popular C2 Frameworks
By Ravie Lakshmanan - January 23, 2023

The legitimate command-and-control (C2) framework known as Sliver is gaining more traction from threat actors as it emerges as an open source alternative to Cobalt Strike and Metasploit.
Click to expand...

The findings come from Cybereason, which detailed its inner workings in an exhaustive analysis last week.

Sliver, developed by cybersecurity company BishopFox, is a Golang-based cross-platform post-exploitation framework that's designed to be used by security professionals in their red team operations.
Click to expand...

In other words, the software is used as a second-stage to conduct next steps of the attack chain after already compromising a machine using one of the initial intrusion vectors such as spear-phishing or exploitation of unpatched flaws.

"Silver C2 implant is executed on the workstation as stage two payload, and from [the] Sliver C2 server we get a shell session," Cybereason researchers Loïc Castel and Meroujan Antonyan said. "This session provides multiple methods to execute commands and other scripts or binaries."
A hypothetical attack sequence detailed by the Israeli cybersecurity company shows that Sliver could be leveraged for privilege escalation, following it up by credential theft and lateral movement to ultimately take over the domain controller for the exfiltration of sensitive data.
Click to expand...

Cybereason: Sliver C2 Leveraged by Many Threat Actors

January 19, 2023

A new trend: Sliver C2 gets more and more traction from Threat Actors, often seen as an alternative from Cobalt Striker.

Modular framework: Extension package manager (armory) allowing easy install (automatic compilation) of various 3rd party tools such as BOFs and .NET tooling like Ghostpack (Rubeus, Seatbelt, SharpUp, Certify, etc).

Already associated with known threat actors and malware families: BumbleBee loader infections are often followed by the loading of Sliver C2. Threat actors like APT29 are also known to leverage this framework.

Unique network and system signatures: The detection of Sliver C2 is possible as this framework creates specific signatures when executing Sliver-specific features. Detections and fingerprinting of the infrastructure server also exists and are listed in this article.

Click to expand...

guest · Feb 7, 2023

Hackers Exploit Vulnerabilities in Sunlogin to Deploy Sliver C2 Framework
Ravie Lakshmanan - February 7, 2023

Threat actors are leveraging known flaws in Sunlogin software to deploy the Sliver command-and-control (C2) framework for carrying out post-exploitation activities.
Click to expand...

The findings come from AhnLab Security Emergency response Center (ASEC), which found that security vulnerabilities in Sunlogin, a remote desktop program developed in China, are being abused to deploy a wide range of payloads.

"Not only did threat actors use the Sliver backdoor, but they also used the BYOVD (Bring Your Own Vulnerable Driver) malware to incapacitate security products and install reverse shells," the researchers said.
The BYOVD method abuses a legitimate but vulnerable Windows driver, mhyprot2.sys, that's signed with a valid certificate to gain elevated permissions and terminate antivirus processes.

"It is unconfirmed whether it was done by the same threat actor, but after a few hours, a log shows that a Sliver backdoor was installed on the same system through a Sunlogin RCE vulnerability exploitation," the researchers said.
Click to expand...

The findings come as threat actors are adopting Sliver, a Go-based legitimate penetration testing tool, as an alternative to Cobalt Strike and Metasploit.

"Sliver offers the required step-by-step features like account information theft, internal network movement, and overtaking the internal network of companies, just like Cobalt Strike," the researchers concluded.
Click to expand...

ASEC (AhnLab Security Emergency response Center): Sliver Malware With BYOVD Distributed Through Sunlogin Vulnerability Exploitations

February 6, 2023
Sliver is an open-source penetration testing tool developed in the Go programming language. Cobalt Strike and Metasploit are major examples of penetration testing tools used by many threat actors, and various attack cases involving these tools have been covered here on the ASEC blog. Recently, there have been cases of threat actors using Sliver in addition to Cobalt Strike and Metasploit.
Click to expand...

Log in or Sign up

Chinese hackers use new Cobalt Strike-like attack framework

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Chinese hackers use new Cobalt Strike-like attack framework

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches