Manic Menagerie is the name given to an intrusion campaign, not a software vulnerability, that has been run in two major waves. The first, reported by the Australian Cyber Security Centre (ACSC) in 2018, targeted web hosting providers, primarily in Australia, and was marked by the use of a web shell named xn.aspx to establish an initial foothold on the victims' servers. The second wave, known as Manic Menagerie 2.0, began in late 2020 and expanded its targeting to companies in the United States and the European Union. It used tactics similar to the original, including deployment of the same web shell, but also introduced new tools and methods.
Throughout Manic Menagerie 2.0, the threat actors attempted to run local privilege escalation proof-of-concept (PoC) tools on compromised IIS servers, with the goal of adding accounts they controlled to the local Administrators group. In April 2023 the attackers began deploying newly modified tools and re-entering compromised environments through a web shell they had planted earlier. They also used PCHunter, a system inspection and anti-rootkit utility in the vein of the older GMER and Rootkit Unhooker, and a custom tool named sh.exe. One notable tactic was the deployment of an svchost.exe fork bomb, a denial-of-service (DoS) tool that spawns copies of itself until the host runs out of process resources; the same technique was observed in the original Manic Menagerie campaign.
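Two of the behaviours above leave a recognisable footprint in Windows Security logs: commands issued through a web shell show up as the IIS worker process (w3wp.exe) spawning a shell or an account-management tool, and a successful escalation shows up as a new member in BUILTIN\Administrators. The detection sketch below is an added example, not code from the original page or from the ACSC or other reporting on the campaign. Field names follow the EventData names of Windows Security events 4688 (process creation) and 4732 (member added to a security-enabled local group); the sample events are constructed for this example, and the EXPECTED_ADMINS allowlist is a hypothetical placeholder for a real baseline.

```python
"""Detection sketch: web-shell command execution (4688) and unexpected
additions to the local Administrators group (4732).

Added example; the events and the allowlist are constructed, not telemetry
from any real investigation.
"""
import re

ADMINISTRATORS_SID = "S-1-5-32-544"        # well-known SID of BUILTIN\Administrators
IIS_WORKER = "w3wp.exe"                    # IIS worker process: parent of web-shell commands
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "net.exe", "net1.exe", "whoami.exe"}
EXPECTED_ADMINS = {"Administrator", "svc_backup"}   # hypothetical allowlist of legitimate admins
ADMIN_ADD_RE = re.compile(r"localgroup\s+administrators\b.*\s/add", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_creation(ev: dict):
    """4688: flag a shell or account-management tool spawned by the IIS worker."""
    if ev.get("EventID") != 4688:
        return None
    parent = basename(ev.get("ParentProcessName", ""))
    child = basename(ev.get("NewProcessName", ""))
    if parent != IIS_WORKER or child not in SHELL_CHILDREN:
        return None
    # CommandLine is only populated when command-line auditing is enabled in the
    # audit policy; without it the finding still fires, just at lower severity.
    cmd = ev.get("CommandLine", "")
    severity = "high" if ADMIN_ADD_RE.search(cmd) else "medium"
    return {"rule": "iis-worker-spawned-shell", "severity": severity,
            "process": child, "command": cmd, "subject": ev.get("SubjectUserName")}


def check_group_change(ev: dict):
    """4732: flag a member added to BUILTIN\\Administrators that is not allowlisted."""
    if ev.get("EventID") != 4732 or ev.get("TargetSid") != ADMINISTRATORS_SID:
        return None
    # MemberName is frequently "-" in 4732; fall back to the SID so the finding stays actionable.
    member = ev.get("MemberName", "-")
    if member == "-":
        member = ev.get("MemberSid", "?")
    if member.rsplit("\\", 1)[-1] in EXPECTED_ADMINS:
        return None
    return {"rule": "unexpected-local-admin", "severity": "high",
            "member": member, "subject": ev.get("SubjectUserName")}


def scan(events):
    """Run every check over every event and collect the findings in log order."""
    findings = []
    for ev in events:
        for check in (check_process_creation, check_group_change):
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "alice",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 4688, "SubjectUserName": "DefaultAppPool",
     "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 4688, "SubjectUserName": "DefaultAppPool",
     "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup administrators backup$ /add"},
    {"EventID": 4732, "SubjectUserName": "SYSTEM", "TargetUserName": "Administrators",
     "TargetSid": ADMINISTRATORS_SID, "MemberName": "-",
     "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1105"},
    {"EventID": 4732, "SubjectUserName": "Administrator", "TargetUserName": "Administrators",
     "TargetSid": ADMINISTRATORS_SID, "MemberName": r"CORP\svc_backup",
     "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1042"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the scan yields three findings: the two w3wp.exe-spawned commands (the `net localgroup ... /add` one rated high) and the SID-only addition to Administrators; the allowlisted svc_backup addition and the explorer.exe-launched cmd.exe are ignored. In practice the 4732 check should be keyed to a per-host baseline rather than a static set, and both rules belong on every IIS host, not only those known to carry xn.aspx.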
Multiple coin miners were deployed during both campaigns, indicating a financial motive. The threat actors also showed a clear interest in keeping long-term access to compromised systems, as evidenced by their repeated privilege escalation attempts and their reliance on web shells for remote access. Together these findings point to the need for robust defences at web hosting providers and similar high-value targets, in particular monitoring of IIS worker process activity and of local administrator group membership.
Description last updated: 2024-05-05T12:26:13.306Z