Jimmy Pham

Manjusaka: A new RAT implant malware

2022-08-27T00:00:00+00:00

Researchers with the Cisco Talos Intelligence Group have recently discovered a new family of RAT implant malware called Manjusaka being used in the wild. Advertised as an imitation of the Cobalt Strike framework, Manjusaka is a fully functional command and control (C2) framework written in GoLang with a GUI in Simplified Chinese.

Utilizing malicious Word documents (maldocs) to deliver beacon implants on infected systems, Manjusaka is freely available on GitHub and allows adversaries to easily generate new implants with custom configurations, increasing the likelihood for this framework to be widely adopted by threat actors.

A C2 server binary was also discovered available on GitHub, with features that allow adversaries to monitor and administer an infected endpoint, with additional capabilities to generate Rust implant payloads for Windows and Linux.

Distribution, Attribution, Initial Access

It’s important to distinguish between the developer of the malware and campaign operators. Since the C2 binary is fully functional, self contained and publicly available on GitHub, any threat actor could have downloaded it and used it in the campaign analyzed by Talos researchers. Thus, no formal attribution to any threat actors have yet been made.

In the Manjusaka campaign observed by Talos researchers, maldocs were discovered baited with news of a COVID-19 outbreak in Golmud City (Qinghai Province) which included a detailed timeline of the supposed outbreak.

Installation and Maintaining Persistence

The maldoc payload is executed in three stages:

Stage 1 is the initial VBA macro contained within the maldoc which executes rundll32.exe and injects Metasploit shellcodes into the process, downloading files from a remote location to proceed with Stage 2. The Stage 1 shellcode observed by Talos researchers reached out to 39[.]104[.]90[.]45/2WYz.

The Stage 2 payload downloaded from the remote location is another shellcode that consists of a XOR-encoded Cobalt Strike executable, along with shellcode to decode the executable and load the Cobalt Strike beacon into memory.

In Stage 3, the Cobalt Strike beacon executable is decoded by the previous stage and then executed. The beacon can reflectively load itself into the memory of the current process.

Operational Details

The C2 is an ELF binary file written in GoLang, while the implants are written in the Rust programming language as EXE and ELF versions, which can allow adversaries to remotely control the infected endpoint and execute arbitrary commands.

The malware implant sample observed by Talos researchers makes HTTP requests to a fixed address http[:]//39[.]104[.]90[.]45/global/favicon.png

The C2 reply is always the same, consisting of five bytes: 0x1a1a6e0429.

Based on the request and accompanying data received from the C2 server, the implant can allow the following functions to be executed on the infected endpoint:

Execute arbitrary commands on the system using “cmd.exe /c”.
Get file information for a specified file.
Get information about current network connections (TCP and UDP) established, including local network addresses, remote addresses and Process IDs (PIDs).
Collect browser credentials:
Specifically for Chromium-based browsers using the query: SELECT signon_realm, username_value, password_value FROM logins ;
Browsers targeted: Google Chrome, Chrome Beta, Microsoft Edge, 360 (Qihoo), QQ Browser (Tencent), Opera, Brave and Vivaldi.
Collect Wi-Fi SSID information: netsh wlan show profile key=clear
Take screenshots of the current desktop.
Obtain comprehensive system information from the endpoint, including:
System memory global information.
Processor power information.
Current and critical temperature readings from WMI using “SELECT * FROM MSAcpi_ThermalZoneTemperature”
Information on the network interfaces connected to the system: Names
Process and System times: User time, exit time, creation time, kernel time.
Process module names.
Disk and drive information: Volume serial number, name, root path name and disk free space.
Network account names, local groups.
Windows build and major version numbers.
Activate the file management module to carry out file-related activities.

The file management capabilities of the implant include:

File enumeration: List files in a specified location on disk. This is essentially the “ls” command.
Create directories on the file system.
Get and set the current working directory.
Obtain the full path of a file.
Delete files and remove directories on disk.
Move files between two locations. Copy the file to a new location and delete the old copy.
Read and write data to and from the file.

Indicators of Compromise

Hashes

Maldoc and CS beacon samples

58a212f4c53185993a8667afa0091b1acf6ed5ca4ff8efa8ce7dae784c276927 8e7c4df8264d33e5dc9a9d739ae11a0ee6135f5a4a9e79c354121b69ea901ba6 54830a7c10e9f1f439b7650607659cdbc89d02088e1ab7dd3e2afb93f86d4915

Rust samples

8e9ecd282655f0afbdb6bd562832ae6db108166022eb43ede31c9d7aacbcc0d8 a8b8d237e71d4abe959aff4517863d9f570bba1646ec4e79209ec29dda64552f 3f3eb6fd0e844bc5dad38338b19b10851083d078feb2053ea3fe5e6651331bf2 0b03c0f3c137dacf8b093638b474f7e662f58fef37d82b835887aca2839f529b

C2 binaries

fb5835f42d5611804aaa044150a20b13dcf595d91314ebef8cf6810407d85c64 955e9bbcdf1cb230c5f079a08995f510a3b96224545e04c1b1f9889d57dd33c1

IPs

39[.]104[.]90[.]45

URLs

https[://]39[.]104[.]90[.]45/2WYz

http[://]39[.]104[.]90[.]45/2WYz

http[://]39[.]104[.]90[.]45/submit.php

User Agents

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)

Mozilla/5.0 (Windows NT 8.0; WOW64; rv:58.0) Gecko/20120102 Firefox/58

Mozilla/5.0 (Windows NT 8.0; WOW64; rv:40.0) Gecko

Black Basta Ransomware

2022-07-15T00:00:00+00:00

Trend Micro analyzed recent Black Basta ransomware group campaigns and observed it using the banking trojan QakBot to gain initial access and exploiting PrintNightmare vulnerability (CVE-2021-34527) to perform privileged file operations.

Distribution and Initial Access

Black Basta has been observed using the banking trojan QakBot to gain initial access. QakBot is distributed using spear phishing emails attached with Excel files containing Excel 4.0 macros.

Once the recipient enables macros, QakBot DLL files are downloaded onto the host system, which is then executed via regsvr32.exe.

Installation and Maintaining Persistence

The QakBot DLL proceeds to perform process injection using explorer.exe, after which the injected process creates a scheduled task to maintain persistence.

Qakbot then installs a Cobeacon, a Cobalt Strike beacon backdoor variant, establishing a named pipe for communication.

Network Discovery and Defense Evasion

After QakBot has been installed, it proceeds to download and execute Cobeacon via a fileless PowerShell script containing several layers of obfuscation:

It’s first layer of obfuscation is a Base64-encoded PowerShell command, establishing a pipe for communication.
The second layer of obfuscation involves loading and reading of an archive file in memory
The third layer of obfuscation contains the decoded script for running the Base64-encoded shellcode

Privilege Escalation

In addition to OakBot and Cobeacon, Black Basta has also been observed exploiting the PrintNightmare vulnerability which targets the Windows Print Spooler Service (spoolsv.exe) to deliver its payload (spider.dll) and perform escalated

Lateral Movement

Black Basta threat actors were observed using the Coroxy backdoor alongside the network utility tool Netcat to move laterally across the network.

Data Exfiltration

The Cobeacon backdoor establishes a pipe for communication which may be possibly used for data exfiltration purposes once information has been collected from a targeted system. The Coroxy backdoor in conjunction with netcat is also another possible communication channel.

Operational Details

Once the attackers gained a wide foothold in the target network, they executed the Black Basta ransomware to encrypt files while the infected system is in safe mode, appending the encrypted files with the .basta extension. Black Basta ransomware injects into an existing Windows service and launches its decryptor executable.

The ransomware then utilizes the ChaCha20 algorithm to encrypt files. Each folder on the encrypted drive contains a readme.txt file containing information about the attack and links along with a unique ID to enter a negotiation chat session with the threat actors. The wallpaper is changed to display: “Your network is encrypted by the Black Basta group.”

Threat Actor Objectives

Black Basta ransomware group employs a double extortion scheme that involves stealing confidential data before encrypting it so they can threaten victims with the public release of the stolen data if payment is not made within seven days of the attack. To fulfil their extortion objectives, they release this information on their Tor website, Basta News, if the victim does not pay the ransom.

Indicators of Compromise

Hashes

Sha256	TrendMicro Detection Signature
01fafd51bb42f032b08b1c30130b963843fea0493500e871d6a6a87e555c7bac	Ransom.Win32.BLACKBASTA.YXCEP
72a48f8592d89eb53a18821a54fd791298fcc0b3fc6bf9397fd71498527e7c0e	Trojan.X97M.QAKBOT.YXCFH
580ce8b7f5a373d5d7fbfbfef5204d18b8f9407b0c2cbf3bcae808f4d642076a	Backdoor.Win32.COROXY.YACEKT
130af6a91aa9ecbf70456a0bee87f947bf4ddc2d2775459e3feac563007e1aed	Trojan.Win64.QUAKNIGHTMARE.YACEJT
c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166	TrojanSpy.Win32.QAKBOT.YXCEEZ
ffa7f0e7a2bb0edf4b7785b99aa39c96d1fe891eb6f89a65d76a57ff04ef17ab	TrojanSpy.Win32.QAKBOT.YACEJT
2083e4c80ade0ac39365365d55b243dbac2a1b5c3a700aad383c110db073f2d9	TrojanSpy.Win32.QAKBOT.YACEJT
1e7174f3d815c12562c5c1978af6abbf2d81df16a8724d2a1cf596065f3f15a2	TrojanSpy.Win32.QAKBOT.YACEJT
2d906ed670b24ebc3f6c54e7be5a32096058388886737b1541d793ff5d134ccb	TrojanSpy.Win32.QAKBOT.YACEJT
72fde47d3895b134784b19d664897b36ea6b9b8e19a602a0aaff5183c4ec7d24	TrojanSpy.Win32.QAKBOT.YACEJT
2e890fd02c3e0d85d69c698853494c1bab381c38d5272baa2a3c2bc0387684c1	TrojanSpy.Win32.QAKBOT.YACEJT
c9df12fbfcae3ac0894c1234e376945bc8268acdc20de72c8dd16bf1fab6bb70	Ransom.Win32.BLACKBASTA.YACEJ
8882186bace198be59147bcabae6643d2a7a490ad08298a4428a8e64e24907ad	Ransom.Win32.BLACKBASTA.YACEJ
0e2b951ae07183c44416ff6fa8d7b8924348701efa75dd3cb14c708537471d27	Ransom.Win32.BLACKBASTA.YACEJ
0d3af630c03350935a902d0cce4dc64c5cfff8012b2ffc2f4ce5040fdec524ed	Ransom.Win32.BLACKBASTA.YACEJ
df35b45ed34eaca32cda6089acbfe638d2d1a3593d74019b6717afed90dbd5f8	Ransom.Win32.BLACKBASTA.YACEJ
3fe73707c2042fefe56d0f277a3c91b5c943393cf42c2a4c683867d6866116fc	Ransom.Win32.BLACKBASTA.YACEJ
433e572e880c40c7b73f9b4befbe81a5dca1185ba2b2c58b59a5a10a501d4236	Ransom.Win32.BLACKBASTA.A.note
c4683097a2615252eeddab06c54872efb14c2ee2da8997b1c73844e582081a79	PUA.Win32.Netcat.B

IPs

24[.]178[.]196[.]44:2222

37[.]186[.]54[.]185:995

39[.]44[.]144[.]182:995

45[.]63[.]1[.]88:443

46[.]176[.]222[.]241:995

47[.]23[.]89[.]126:995

72[.]12[.]115[.]15:22

72[.]76[.]94[.]52:443

72[.]252[.]157[.]37:995

72[.]252[.]157[.]212:990

73[.]67[.]152[.]122:2222

75[.]99[.]168[.]46:61201

103[.]246[.]242[.]230:443

113[.]89[.]5[.]177:995

148[.]0[.]57[.]82:443

167[.]86[.]165[.]191:443

173[.]174[.]216[.]185:443

180[.]129[.]20[.]53:995

190[.]252[.]242[.]214:443

217[.]128[.]122[.]16:2222

URLs

elblogdeloscachanillas[.]com[.]mx/S3sY8RQ10/Ophn[.]png

lalualex[.]com/ApUUBp1ccd/Ophn[.]png

lizety[.]com/mJYvpo2xhx/Ophn[.]png

MITRE ATT&CK® Techniques

Tactic	Technique ID	Technique Name
Execution	T1059	Command and Scripting Interpreter
Defence Evasion	T1112 T1027 T1562.001	Modify Registry Obfuscated Files or Information Impair Defences: Disable or Modify Tools
Discovery	T1082 T1083	System Information Discovery File and Directory Discovery
Impact	T1490 T1489 T1486	Inhibit System Recovery Service Stop,Data Encrypted for Impact