Manic Menagerie

Vulnerability Profile Updated 2 months ago
Manic Menagerie is a software vulnerability that has been exploited in two major campaigns. The first targeted web hosting providers, primarily in Australia, and was reported by the Australian Cyber Security Centre (ACSC) in 2018; it was marked by the use of a web shell named xn.aspx to gain an initial foothold in the targeted systems. The second campaign, known as Manic Menagerie 2.0, began in late 2020 and expanded its targets to include companies in the United States and the European Union. It used tactics similar to the original, including deployment of the same web shell, but also introduced new tools and methods.

Throughout Manic Menagerie 2.0, the threat actors attempted to execute local privilege escalation proof-of-concept (PoC) tools, aiming to add their own users to the Administrators group on IIS servers. In April 2023, the attackers began deploying newly modified tools and accessing compromised environments through a previously deployed web shell. They also used PCHunter, a tool reminiscent of older utilities such as GMER and Rootkit Unhooker, and a custom tool named sh.exe. One notable tactic was the deployment of an svchost.exe fork bomb, a type of denial-of-service (DoS) tool, which had also been observed in the original Manic Menagerie campaign.

The ACSC noted that multiple coin miners were deployed during both campaigns, indicating a financial motive for the attacks. However, the threat actors also showed an interest in maintaining persistent access to the compromised systems, as evidenced by their repeated attempts to escalate privileges and deploy web shells for remote access. These findings underscore the importance of maintaining robust cybersecurity defenses, particularly for web hosting providers and other high-value targets that may be exposed to such sophisticated and persistent threats.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so listed here are possible overlapping names and profiles you may also want to look at. No overlapping profiles are currently listed.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
- Tool
- Web Shell
- IIS
- Denial of Se...
- PoC
- Rootkit
Associated Malware
ID | Type | Votes | Profile Description
svchost.exe | Unspecified | 1 | Svchost.exe is a malware that exploits and damages computer systems by injecting malicious code into various processes. This harmful program can infiltrate your system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, di
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Manic Menagerie vulnerability was read from the document corpus below.
Source | Created At | Title
Unit42 | a year ago | Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor