An Escalated Campaign with Manic Menagerie 2.0

Category: Threat Actor Activity | Industry: Technology | Source: Unit 42

A threat campaign known as 'Manic Menagerie 2.0' has emerged as an active and evolved version of the original campaign, Manic Menagerie. Researchers from Unit42 have uncovered this new campaign which aims to compromise web resources and deploy coin miners for financial gain. Unit42 observed the targets of this campaign to be "web hosting and IT providers in the United States and European Union." Web shells play a prominent role in establishing and retaining the threat actor's foothold in the compromised environment, allowing them to exploit resources on the compromised hosts. By leveraging hijacked legitimate websites, the attackers can expand their inventory of command and control (C2) servers.

Unit42 identified the first instance of the Manic Menagerie 2.0 campaign during late 2020, in which threat actors would exploit "vulnerable web applications and IIS servers," leading to the deployment of their web shells. Multiple Microsoft Exchange vulnerabilities had been exploited by the threat actors including: ProxyNotShell (CVE-2021-26855 & CVE-2022-41040), ProxyShell (CVE-2021-34473), and ProxyToken (CVE-2021-33766). Once a foothold had been established the threat actors would proceed to initiate reconnaissance, escalate privileges, and add additional persistence mechanisms with a new user account. Several public and custom tools are deployed from the threat actors to aid in these actions including the RunasCs utility, PCHunter, a webshell deployment tool, loaders, variants of the potatoes local privilege escalation (LPE) suite, and others.

"The second distinct wave of attacks observed in the Manic Menagerie 2.0 campaign is characterized mainly by massive deployment of web shells to the hosted websites. "This allows the attacker to strengthen their foothold by enabling them future public access, and to hide their web shells deep in nested folders," said Unit42. During the 2022 year, the threat actors had a focus on deploying their web shells at scale. They enhanced their tactics, techniques, and procedures (TTPs) to quickly gather server information and deploy web shells at scale using their custom web shell deployment tool, sh.exe. "The role of this tool is to write web shells at scale to hosted websites, based on a preconfigured list of paths and legitimate hijacked websites on the server sharing the same public IP address," as analyzed by Unit42.