Security researchers at Cisco Talos have shared startling details of a newly discovered, feature-rich attack framework that targets Windows, macOS, and Linux systems with a remote access trojan (RAT).
It has been dubbed the Alchimist attack framework, and researchers are moderately confident that this framework is used in the wild.
Findings Details
According to a Cisco Talos report authored by Chetan Raghuprasad, Asheer Malhotra, Vitor Ventura, and Matt Thaxton, Alchimist is a single-file C2 framework that was discovered on a server whose root directory exposed an open file listing, alongside a set of post-exploitation tools. It is written in Go and deploys a RAT named Insekt onto compromised systems.
“Alchimist is a new C2 framework that can be rapidly deployed and operated with relatively low technical expertise by a threat actor.”
Nick Biasini – Head of Outreach at Cisco Talos
The resources it needs to act as a C&C server are bundled into the Go binary as embedded assets, and its web interface lets the operator generate wget and PowerShell one-liners that fetch the implant onto Windows and Linux hosts. When building a payload, the operator supplies parameters that select the communication protocol, the C&C URL or IP address, the target operating system, whether Insekt should run as a daemon, and, when the SNI protocol option is chosen, a predefined domain value to place in the SNI field.
Alchimist Capabilities
According to Cisco Talos’ blog post, Alchimist is a 64-bit Linux executable offering a web interface in simplified Chinese to let its operators execute code on the infected devices, capture screenshots, create remote connections, generate/deploy malicious payloads, and perform a variety of different functions.
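Both the Alchimist server and the Insekt implant are single-file Go binaries built for Linux, Windows and macOS, so the first triage question for an unknown sample from such an intrusion is usually "is this a Go build, and which toolchain produced it?". The helper below is an added example written for this article, not code from Cisco Talos or from the Alchimist project: it identifies the container format from its magic bytes and then locates the build-information header the Go linker embeds (the `\xff Go buildinf:` marker, followed by a pointer-size byte and a flags byte). For Go 1.18 and later the toolchain version and module information are stored inline after a 32-byte header as varint-length-prefixed strings and can be read directly; for older builds the header only holds pointers into the data segment and the version is reported as unknown. The sample inputs are constructed byte strings, not real malware.

```python
"""Triage helper: report the executable format of a sample and, when it is a
Go build, the toolchain version recorded by the linker.

Added example for this article; not Alchimist/Insekt code. The build-info
layout follows Go's own debug/buildinfo package (Go 1.13+ header, Go 1.18+
inline strings)."""

# Marker the Go linker writes in front of the build-info blob (14 bytes).
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"
HEADER_SIZE = 32            # magic(14) + ptrsize(1) + flags(1) + 16 bytes of pointers/reserved
FLAG_BIG_ENDIAN = 0x1       # bit 0 of the flags byte
FLAG_INLINE_STRINGS = 0x2   # bit 1: version and modinfo stored inline (Go 1.18+)

# Container formats Insekt was reported for; longest magic checked first is not
# needed here because none of these prefixes overlap.
FORMAT_MAGICS = [
    (b"\x7fELF", "ELF (Linux)"),
    (b"MZ", "PE (Windows)"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit (macOS)"),
    (b"\xca\xfe\xba\xbe", "Mach-O universal (macOS)"),
]


def detect_format(data: bytes) -> str:
    """Return a human-readable format name based on the file's leading bytes."""
    for magic, name in FORMAT_MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"


def _read_uvarint(buf: bytes, pos: int):
    """Decode a Go-style unsigned LEB128 varint starting at pos."""
    result, shift = 0, 0
    while pos < len(buf):
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if b < 0x80:
            return result, pos
        shift += 7
    raise ValueError("truncated varint")


def _read_string(buf: bytes, pos: int):
    """Decode a varint-length-prefixed string starting at pos."""
    n, pos = _read_uvarint(buf, pos)
    if pos + n > len(buf):
        raise ValueError("truncated string")
    return buf[pos:pos + n].decode("utf-8", "replace"), pos + n


def go_buildinfo(data: bytes):
    """Locate the Go build-info header; return None if the sample is not a Go build."""
    idx = data.find(GO_BUILDINFO_MAGIC)
    if idx < 0 or idx + HEADER_SIZE > len(data):
        return None
    ptr_size = data[idx + 14]
    flags = data[idx + 15]
    info = {
        "pointer_size": ptr_size,
        "big_endian": bool(flags & FLAG_BIG_ENDIAN),
        "go_version": None,      # stays None for pre-1.18 builds (pointer layout)
        "module_info": None,     # returned raw; real builds wrap it in sentinel bytes
    }
    if flags & FLAG_INLINE_STRINGS:
        version, pos = _read_string(data, idx + HEADER_SIZE)
        modinfo, _ = _read_string(data, pos)
        info["go_version"] = version
        info["module_info"] = modinfo or None
    return info


def triage(data: bytes) -> dict:
    """Combine both checks into one record suitable for a triage log."""
    return {"format": detect_format(data), "go": go_buildinfo(data)}


# Constructed samples (hypothetical bytes, not real Alchimist/Insekt files):
# an ELF header stub followed by a Go 1.18+-style inline build-info blob, and a
# bare PE stub with no Go marker at all.
SAMPLE_GO_ELF = (
    b"\x7fELF" + b"\x00" * 60
    + GO_BUILDINFO_MAGIC + bytes([8, FLAG_INLINE_STRINGS]) + b"\x00" * 16
    + bytes([len(b"go1.19.2")]) + b"go1.19.2"
    + bytes([len(b"path\tmain")]) + b"path\tmain"
    + b"\x00" * 8
)
SAMPLE_PLAIN_PE = b"MZ" + b"\x00" * 64

if __name__ == "__main__":
    for name, blob in (("go_elf", SAMPLE_GO_ELF), ("plain_pe", SAMPLE_PLAIN_PE)):
        print(name, triage(blob))
```

On an analysis host with a Go toolchain installed, `go version -m <file>` prints the same version and module information for a real binary; the point of doing it by hand is to run the check inside a triage pipeline without executing the sample or depending on the toolchain being present.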
Once initialized, the Insekt implant exposes seven main functions to its operator, among them obtaining file sizes and operating-system information, running commands through the system shell, running commands as a different user, upgrading the implant, capturing screenshots, and sleeping for periods set by the C&C server.
Other post-exploitation tools the researchers found on the server include a custom backdoor, the reverse proxy frp, psexec, fscan, netcat, and similar off-the-shelf utilities. They also found a Mach-O dropper embedding an exploit for CVE-2021-4034, the privilege-escalation flaw in Polkit's pkexec utility, together with a Mach-O bind-shell backdoor. Since pkexec is a Linux component that a stock macOS installation does not ship, that exploit has no effect on an unmodified Mac, whatever the dropper's file format suggests.
Furthermore, the RAT checks the system's internet connectivity, scans IP addresses and ports, manipulates SSH (on Linux it can list the contents of the .ssh directory), and executes arbitrary commands in the operating system's shell.
Similarity with Manjusaka
Cisco researchers observed strong similarities between Alchimist and Manjusaka, another recently detected self-contained attack framework. They noted that while the two offer almost the same set of features, their implementations differ.
Another difference is Alchimist's unusual "SNI" protocol option, which Manjusaka does not have. Both frameworks are designed and implemented as standalone Go executables, and in both cases the implant configuration is set through a web UI written in Simplified Chinese.
Researchers described Alchimist as the latest evidence that threat actors continue to build their own alternatives to commodity C2 and post-exploitation frameworks such as Cobalt Strike and Sliver.