21 August 2022
Recently, Avast tweeted a GitHub link of indicators of compromise (IOC) linked to the Manjusaka Framework.
Cisco Talos released a blog earlier this month covering the framework in great detail, so I will not rehash their great work here.
Self-admittedly, I briefly glanced over the detection rules and scripts and immediately sought out the network indicators. One of the IP addresses was previously identified in the above Talos blog, and some of the others were not that interesting.
And Then There Was One
One of the IP addresses, 119.28.101[.]125, caught my eye when I queried it in Shodan.
Before we get to the open directory running Python’s Simple HTTP Server, I would like to start with port 80. In an attempt to throw researchers off the scent, Manjusaka will redirect to Microsoft’s website if you don’t use the “/manjusaka” endpoint.
On port 8081 we can see the aforementioned Python HTTP server, but we also see a directory listing for two interestingly named files, nohup.out and payload.ps1. We’ll come back to the PowerShell file later, but for those unaware of what nohup.out is (myself included), a brief explainer:
The nohup command essentially tells the Linux OS not to stop a command once it has started. Unaffected by the user logging out or disconnecting, the process keeps running. When output is not redirected elsewhere, the nohup.out file captures all of the command's messages and errors. – me
Taking a look at the output file, we see the user was likely running the Python server via the nohup command.
You Down With DHT?
These logs are rather old, but hopefully, you’ll bear with me and continue reading. I haven’t had a chance to validate each and every IP address in the log (it’s a few thousand lines), so I have redacted the addresses out of caution. The above screenshot provides a quick glimpse of the actor grabbing the PowerShell script from multiple IP addresses, failing to log in, as well as requests to fingerprints.bablosoft[.]com.
The fingerprint section of bablosoft allows users to change the fingerprint of their browser, another attempt to throw off researchers. There are certainly legitimate use cases for this service, but this situation doesn’t seem like one of them. Navigating to the bablosoft URL in the log leads to yet another IP address.
The IP address returned by the bablosoft service hosts multiple DHT nodes on UDP ports 17642 and 23144.
*The Shodan history for this IP address starts at the beginning of August 2022, so this IP may not be directly linked with the Manjusaka infrastructure.
The PowerShell script was unfortunately underwhelming, as the code is readily available on GitHub and has been analyzed numerous times. Luckily for me, the code was not heavily encoded/encrypted, and we even have an XOR key of 35 to decode the string.
From the CyberChef output above, we can make out a User-Agent and an IP address, but that's about it. The likely reason is that we are looking at shellcode rather than readable script text. Let's continue our analysis.
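To show the same decode step outside CyberChef, here is an added Python example (my code, not anything from the original post or from the Manjusaka/Cobalt Strike tooling). It mirrors the usual loader idiom of Base64 text XORed with a single byte, applies the key of 35 reported above, and then does the triage an analyst wants before reaching for an emulator: a quick shellcode heuristic (the well-known `FC E8` / `FC 48 83 E4 F0 E8` stager prologues, or a low printable-byte ratio) and a strings(1)-style sweep that surfaces the User-Agent and IP. The sample payload and the helper names are constructed placeholders for illustration, not the real blob.

```python
"""XOR-decode a PowerShell-embedded payload and triage whether it is shellcode.

Added example; not code from the original post. SAMPLE_PLAINTEXT below is a
constructed placeholder (NOT the real Manjusaka/Cobalt Strike payload) and all
function names are my own.
"""
import base64
import re
import string
from typing import Dict, List

XOR_KEY = 35  # the single-byte key reported in the post

# Common x86/x64 stager prologues (cld; call  /  cld; and rsp,-16; call).
# One of these at offset 0 of a decoded blob is a strong hint that the payload
# is position-independent shellcode rather than script text.
SHELLCODE_PROLOGUES = (b"\xfc\xe8", b"\xfc\x48\x83\xe4\xf0\xe8")

PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the same operation encodes and decodes."""
    return bytes(b ^ key for b in data)


def decode_powershell_payload(b64_text: str, key: int = XOR_KEY) -> bytes:
    """Mirror the loader idiom: FromBase64String(...) then -bxor key per byte."""
    return xor_decode(base64.b64decode(b64_text), key)


def printable_ratio(blob: bytes) -> float:
    if not blob:
        return 0.0
    return sum(1 for b in blob if b in PRINTABLE) / len(blob)


def looks_like_shellcode(blob: bytes) -> bool:
    """Heuristic: a known stager prologue, or mostly non-printable bytes.
    Scripts (PowerShell, JS, VBS) are almost entirely printable; shellcode is not."""
    if blob.startswith(SHELLCODE_PROLOGUES):
        return True
    return printable_ratio(blob) < 0.6


def extract_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Pull printable ASCII runs out of a blob, the way strings(1) would."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, blob)]


def extract_ipv4(strings_: List[str]) -> List[str]:
    ip_re = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
    found: List[str] = []
    for s in strings_:
        found.extend(ip_re.findall(s))
    return found


# ---- constructed sample (placeholder bytes, not the real payload) ----
SAMPLE_PLAINTEXT = (
    b"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2"      # stager-style prologue
    + bytes(range(0x80, 0xC0))                          # opaque code bytes
    + b"User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n\x00"
    + b"192.0.2.10\x00"                                  # RFC 5737 test address
)
# What the PowerShell script would carry: Base64 of the XOR-encoded bytes.
SAMPLE_B64 = base64.b64encode(xor_decode(SAMPLE_PLAINTEXT, XOR_KEY)).decode()


def triage(b64_text: str = SAMPLE_B64, key: int = XOR_KEY) -> Dict:
    """Decode and summarise: is it shellcode, and which strings fall out?"""
    blob = decode_powershell_payload(b64_text, key)
    strs = extract_strings(blob)
    return {
        "shellcode": looks_like_shellcode(blob),
        "printable_ratio": round(printable_ratio(blob), 2),
        "strings": strs,
        "ipv4": extract_ipv4(strs),
    }


if __name__ == "__main__":
    for k, v in triage().items():
        print(f"{k}: {v}")
```

The strings sweep is exactly why CyberChef shows a User-Agent and an address but little else: the rest of a stager is machine code, so the next step is emulation rather than more string hunting.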
For this analysis, I will be using SCDBG and Mandiant’s SpeakEasy tool to emulate the shellcode and extract additional information.
It’s important to use different tools for analysis, as one tool may provide information the other didn’t. Using scdbg, we were able to find the IP address and port, but no endpoint. SpeakEasy provided the full URL, plus strings that could be used for further analysis.
If you had a suspicion we were looking at Cobalt Strike shellcode, you were right! For good measure, let’s take a look at the suspect IP address in Shodan.
At this point, we have confirmation that the actor was likely using Manjusaka and hiding Cobalt Strike shellcode within a PowerShell script.
Instead of taking a look at the final IP address in Shodan, I will shamelessly plug a project I am working on to gain information on network indicators and hunt for command and control servers.
I suck at naming my projects, but this IP lookup provides a quick glance at information for network components. Additionally, VirusTotal identified 612.mal, which is also associated with the Cobalt Strike beacon mentioned earlier.
Thanks to Avast for providing the indicators that served as a starting point for this research. If you look into the other indicators posted on GitHub and find something interesting, let me know!
- 119.28.101[.]125 >> Port(s): 22, 80, 8081, 8089 >> ISP: Tencent Building, Kejizhongyi Avenue
- 121.5.236[.]127 >> Port(s): 8000 >> ISP: Tencent Building, Kejizhongyi Avenue
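Indicator lists in this defanged "ip >> Port(s) >> ISP" form tend to get copied by hand into tooling, so here is an added Python parser for it (my code, not from the post or the Avast repository). It refangs the addresses, validates them as IPv4, turns the port field into integers, and emits one Suricata rule per record so the indicators above can go straight into a sensor. The two lines above are the sample input; the rule message text and the `sid` numbering base are my own choices.

```python
"""Parse defanged IOC lines of the form
   "- ip >> Port(s): a, b >> ISP: name"
into structured records and Suricata rules.

Added example, not code from the original post. IOC_LINES is the list from
the post; helper names, rule text and sid numbering are mine.
"""
import ipaddress
import re
from typing import Dict, List

IOC_LINES = """\
- 119.28.101[.]125 >> Port(s): 22, 80, 8081, 8089 >> ISP: Tencent Building, Kejizhongyi Avenue
- 121.5.236[.]127 >> Port(s): 8000 >> ISP: Tencent Building, Kejizhongyi Avenue
"""

IOC_RE = re.compile(
    r"^-\s*(?P<ip>\S+)\s*>>\s*Port\(s\):\s*(?P<ports>[\d,\s]+)\s*>>\s*ISP:\s*(?P<isp>.+?)\s*$"
)


def refang(indicator: str) -> str:
    """Undo the usual defanging so the value can be fed to tooling."""
    return (indicator.replace("[.]", ".").replace("[:]", ":")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def defang_ip(ip: str) -> str:
    """Defang in the post's style: only the last dot is bracketed."""
    head, _, last = ip.rpartition(".")
    return f"{head}[.]{last}" if head else ip


def parse_ioc_line(line: str) -> Dict:
    m = IOC_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised IOC line: {line!r}")
    ip = refang(m.group("ip"))
    if ipaddress.ip_address(ip).version != 4:   # raises on garbage as well
        raise ValueError(f"not an IPv4 address: {ip}")
    ports = sorted({int(p) for p in m.group("ports").split(",") if p.strip()})
    if any(not 0 < p < 65536 for p in ports):
        raise ValueError(f"port out of range in {line!r}")
    return {"ip": ip, "defanged": m.group("ip"), "ports": ports, "isp": m.group("isp")}


def parse_ioc_list(text: str) -> List[Dict]:
    return [parse_ioc_line(ln) for ln in text.splitlines() if ln.strip()]


def to_suricata_rules(records: List[Dict], sid_base: int = 1000001) -> List[str]:
    """One alert per indicator on outbound TCP to the listed ports.
    sid_base is an assumed local range; pick one that does not collide with your rulesets."""
    rules = []
    for i, rec in enumerate(records):
        ports = ",".join(str(p) for p in rec["ports"])
        rules.append(
            f'alert tcp $HOME_NET any -> {rec["ip"]} [{ports}] '
            f'(msg:"Manjusaka IOC {rec["defanged"]} ({rec["isp"]})"; '
            f'flow:to_server; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    recs = parse_ioc_list(IOC_LINES)
    for rule in to_suricata_rules(recs):
        print(rule)
```

Because the parser refuses anything that is not a valid IPv4 address or port, a typo in a hand-maintained list fails loudly instead of silently becoming a rule that never fires.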