Cisco Umbrella

Enterprise network security

Cybersecurity Threat Spotlight

September’s Threats: MuddyWater, Manjusaka, and SocGholish

Author avatar of Artsiom HolubArtsiom Holub
• 5 minute read
View blog >

In this month’s edition of Cybersecurity Threat Spotlight, we’re digging into three of the cyberthreats currently impacting users: the APT MuddyWater, the RAT Manjusaka and the malvertising campaign SocGholish.

Want to learn more about how Cisco Umbrella helps protect users? Request a free demo today!

MuddyWater

Threat Type: APT

Delivery and Exfiltration:

Graphic showing the attack chain for MuddyWater, which is: vulnerable server to Log4j exploitation to webshell to persistence to credential theft to command and control (C&C). The graphic indicates that Cisco protects users from command and control.

Description: MuddyWater (also known as MERCURY) is an APT which has primarily been used to attack Middle Eastern nations. However, attacks have also been observed against surrounding nations and further abroad. This includes targets in India and the U.S.A.

MuddyWater attacks are characterized by the use of both custom and well-known hacking tools as well as built-in operating system tools for its hands-on-keyboard attack. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.

MuddyWater Spotlight: In July, researchers observed MuddyWater using Log4j exploits with vulnerable SysAid Server instances as its initial access vector. SysAid provides IT management tools and might have been an attractive target for its presence in the targeted country.

Once initial access is achieved, the threat actor establishes persistence using several methods that include:

  • Dropping a web shell that provides effective and continued access to the compromised device
  • Adding a user and elevating their privileges to local administrator
  • Adding leveraged tools in the startup folders and ASEP registry keys, ensuring their persistence upon device reboot
  • Stealing credentials

Threat actors used different methods to communicate with their command-and-control (C2) server, including:

  • Built-in operating system tools like PowerShell
  • A tunneling tool called vpnui.exe, which is a unique version of the open-source tool Ligolo
  • Remote monitoring and management software called eHorus

Target Geolocations: Israel, India, Pakistan, Turkey, Kazakhstan, Armenia, Syria, Bahrain, South Africa, Sudan, U.S.A.
Target Data: Credentials
Target Businesses: Government Sector, Military
Exploits: CVE-2021-44228, CVE-2021-45046

Mitre ATT&CK for MuddyWater

Initial Access:
Exploit Public-Facing Application

Persistence:
Account Manipulation
Create Account
Registry Run Keys/Startup Folder

Evasion:
Virtualization/Sandbox Evasion

Credential Access:
OS Credential Dumping

Lateral Movement:
Remote Services
Software Deployment Tools

Command and Control:
Ingress Tool Transfer

Exfiltration:
Exfiltration Over Command and Control Channel

IOCs

Domains:
sygateway[.]com

IPs:
91[.]121[.]240[.]104  
164[.]132[.]237[.]64

Additional Information:
MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations

Which Cisco Products Can Block:
Cisco Secure Endpoint (AMP for Endpoints)
Cisco Secure Email
Cisco Secure Firewall/Secure IPS (Network Security)
Cisco Secure Malware Analytics (Threat Grid)
Cisco Umbrella
Cisco Secure Web Appliance

Manjusaka

Threat Type: RAT

Delivery and Exfiltration:

Graphic showing the attack chain for Manjusaka, which is: malspam to VBA macro to metasploit to Cobalt Strike to manjusaka implant to command and control (C&C). The graphic indicates that Cisco protects users from Cobalt Strike, Manjusaka Implant, and Command and Control.

Description: Manjusaka is a newly discovered attack framework. It includes a RAT with the C2 being an ELF binary written in GoLang. The implants are written in the Rust program language and consist of a variety of capabilities that can be used to control the infected endpoint, including executing arbitrary commands. Cisco Talos discovered EXE and ELF versions of the implant.

Functionality includes (but is not limited to):

  • Collecting browser credentials
  • Getting file information
  • Taking Screenshots
  • Obtaining comprehensive system information
  • Activating the file management module to carry out file-related activities

Manjusaka Spotlight: The researchers at Cisco Talos recently discovered a new attack framework being used in the wild. The framework – which goes by the name “Manjusaka” – is currently being advertised as a Cobalt Strike imitation and has the potential to become a prevalent threat in the near future.

Implants for this new malware family are written in the Rust language for Windows and Linux. Threat actors can find a freely available and fully functional version of the command and control (C2) written in GoLang with a user interface in Simplified Chinese. This makes it easy to create new implants with custom configurations, increasing the chance of wider adoption.

The observed campaign consisted of a distribution of a maldoc to targets, leading to the deployment of Cobalt Strike beacons on the infected systems. The infection chain involves the use of a maldoc masquerading as a report and advisory on the COVID-19 pandemic in Golmud City, one of the largest cities in the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province – specifically citing a case of COVID-19 and the subsequent contact tracing of individuals.

Target Geolocations: Any
Target Data: Any
Target Businesses: Any
Exploits: N/A

Mitre ATT&CK for Manjusaka

Initial Access:
Phishing

Execution:
Command and Scripting Interpreter

Defense Evasion:
Process Injection

Credential Access:
OS Credential Dumping
Credentials from Password Stores
Credentials from Web Browsers

Discovery:
System Information Discovery
System Network Connections Discovery
File and Directory Discovery

Command and Control:
Web Service

IOCs

URLs:
https[://]39[.]104[.]90[.]45/2WYz
http[://]39[.]104[.]90[.]45/2WYz
http[://]39[.]104[.]90[.]45/IE9CompatViewList.xml
http[://]39[.]104[.]90[.]45/submit.php

IPs:
39[.]104[.]90[.]45

Additional Information:
Manjusaka: A Chinese sibling of Silver and Cobalt Strike

Which Cisco Products Can Block:
Cisco Secure Endpoint (AMP for Endpoints)
Cisco Secure Email
Cisco Secure Firewall/Secure IPS (Network Security)
Cisco Secure Malware Analytics (Threat Grid)
Cisco Umbrella
Cisco Secure Web Appliance (Web Security Appliance)

SocGholish

Threat Type: Drive-By

Description: SocGholish is a drive-by malware framework which has an end goal of achieving persistence, performing recon and establishing a C&C channel for follow-up malware. SocGholish infection spreads via compromised websites injected with a malicious JavaScript implant. This implant is responsible for tricking victims into loading and installing fake browser updates. Final malware ranges from RATs to ransomware.

SocGholish Spotlight: Drive-by campaigns have been part of the arsenal of malicious actors, ranging from initial access brokers to ransomware cybercriminal gangs. One such malware framework is SocGholish, which has been in use since at least 2017.

Recent activity of the group behind SocGholish draws a direct link with ransomware groups associated with WastedLocker, PhoenixLocker and Macaw. SocGholish framework is under constant development, which results in multiple types of injects as well as the frequent detection of newly infected or re-infected websites.

It also appears that the threat actors behind SocGholish use multiple TDS services which can maintain control over infected websites for a prolonged time, thus complicating the work of defenders. This malware also uses, amongst other tricks, a domain shadowing technique which used to be widely adopted by exploit kits like AnglerEK. The evolution of such campaigns calls for a layered security approach for the networks.

Target Geolocations: Any
Target Data: Any
Target Businesses: N/A
Exploits: N/A

Mitre ATT&CK for SocGholish

Initial Access:
Drive-By

Execution:
User Execution

Discovery:
File and Directory Discovery
System Information Discovery

Command and Control:
Application Layer Protocol: Web Protocols

Exfiltration:
Exfiltration Over C2 Channel

IOCs

Domains:
0609.fluctuations.trendylevels[.]com
04be.fluctuations.trendylevels[.]com
3a4e.moments.abledity[.]com
e489.state.thegshrevolution[.]com
0239.templates.victoryoverdieting[.]com
3365.templates.victoryoverdieting[.]com
7684.telegram.godsmightywhispers[.]com
9ac4.telegram.godsmightywhispers[.]com
3a43.roles.thepowerofgodswhisper[.]com
7f2e.telegram.godsmightywhispers[.]com
8a11.roles.thepowerofgodswhisper[.]com
6f6b.roles.thepowerofgodswhisper[.]com
687e.state.thegshrevolution[.]com
b883.roles.thepowerofgodswhisper[.]com
5019.activation.thepowerofhiswhisper[.]com
5b8c.roles.thepowerofgodswhisper[.]com
a006.roles.thepowerofgodswhisper[.]com
f352.roles.thepowerofgodswhisper[.]com
9dc1.roles.thepowerofgodswhisper[.]com
05fe.roles.thepowerofgodswhisper[.]com
a6b4.roles.thepowerofgodswhisper[.]com
d5ad.templates.victoryoverdieting[.]com
8766.roles.thepowerofgodswhisper[.]com
fdcd.roles.thepowerofgodswhisper[.]com
abff.roles.thepowerofgodswhisper[.]com
cb1f.roles.thepowerofgodswhisper[.]com
577e.roles.thepowerofgodswhisper[.]com
1191.roles.thepowerofgodswhisper[.]com
25cf.roles.thepowerofgodswhisper[.]com
af86.roles.thepowerofgodswhisper[.]com
d008.roles.thepowerofgodswhisper[.]com
a1b2.activation.thepowerofhiswhisper[.]com
639b.roles.thepowerofgodswhisper[.]com
f2ed.templates.victoryoverdieting[.]com
29fe.roles.thepowerofgodswhisper[.]com
life.roles.thepowerofgodswhisper[.]com
breatheinnew.life.roles.thepowerofgodswhisper[.]com
3503.fork.topgeargroup[.]shop
8bd2.templates.victoryoverdieting[.]com
f6f2.templates.victoryoverdieting[.]com
7549.fork.topgeargroup[.]shop
4072.fork.topgeargroup[.]shop
5391.fork.topgeargroup[.]shop
75a4.fork.topgeargroup[.]shop
fa9b.roles.thepowerofgodswhisper[.]com
5111.roles.thepowerofgodswhisper[.]com
f3da.roles.thepowerofgodswhisper[.]com
839c.roles.thepowerofgodswhisper[.]com
5785.roles.thepowerofgodswhisper[.]com
57a9.roles.thepowerofgodswhisper.[]com
2639.roles.thepowerofgodswhisper[.]com
1b64.geolocation.mynewtopboyfriend[.]space
45e0.roles.thepowerofgodswhisper[.]com
328c.roles.thepowerofgodswhisper[.]com
195f.roles.thepowerofgodswhisper[.]com
f655.roles.thepowerofgodswhisper[.]com
1f19.roles.thepowerofgodswhisper[.]com
6c04.roles.thepowerofgodswhisper[.]com
1f81.roles.thepowerofgodswhisper[.]com
f08a.roles.thepowerofgodswhisper[.]com
b37b.state.thegshrevolution[.]com
094f.roles.thepowerofgodswhisper[.]com
610a.roles.thepowerofgodswhisper[.]com
4cf0.roles.thepowerofgodswhisper[.]com

Additional Information:
What is SocGholish?
CyberCrime GiG Economy

Which Cisco Products Block:
Cisco Secure Endpoint
Cisco Secure Email
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance

See security in action

Let one of our experts show you how Cisco can simplify your security and protect your users everywhere.

Schedule a demo

The researchers at Cisco Talos recently discovered a new attack framework being used in the wild. The framework – which goes by the name “Manjusaka” – is currently being advertised as a Cobalt Strike imitation and has the potential to become a prevalent threat in the near future.

Tweet this quote

Additional Resources

Suggested Blogs