Manjusaka - Chinese Copy of Cobalt Strike and Sliver?

Diving into details

• Manjusaka—meaning cow flower—can target both Windows and Linux. 
• Its command and control (C2) is written in Golang and the user interface is in simple Chinese. It can generate custom configurations easily.
• The malware implant contains several RAT functionalities and a dedicated file management module.
• Some functionalities include executing arbitrary commands; capturing screenshots; pilfering browser credentials from Chrome, Opera, Brave, Edge, and others; and gaining extensive system information.

The campaign

• The campaign was initiated by a maldoc impersonating a report about a COVID-19 case in Golmut City, Tibet, for contact tracing. 
• The doc featured a VBA macro that fetches Cobalt Strike as a second payload and loads it in memory.
• However, Cobalt Strike was used to download Manjusaka implants depending on the victim’s architecture.

Cobalt Strike on the news

• A LockBit 3.0 affiliate was found exploiting the Windows Defender command-line tool to deploy Cobalt Strike payloads. The attacker gained initial access via the log4j flaw. 
• Earlier in July, the Matanbuchus malware was found dropping Cobalt Strike on compromised devices during a phishing campaign. Matanbuchus is a malware-as-a-service offering that drops executables directly into system memory.

The bottom line