Cybersecurity researchers have discovered a new attack and C2 framework called ‘Alchimist,’ which appears to be actively used in attacks targeting Windows, Linux, and macOS systems.
The framework and all its files are 64-bit executables written in GoLang, a programming language that makes cross-compatibility between different operating systems a lot easier.
Alchimist offers a web-based interface using the Simplified Chinese language, and it’s very similar to Manjusaka, a recently-emerged post-exploitation attack framework growing popular among Chinese hackers.
Cisco Talos researchers who discovered both of these frameworks highlight their similarities but explain there are enough technical differences to deduce different authors developed them.
Brewing up attacks
Alchimist gives operators an easy-to-use framework that lets them generate and configure payloads placed on infected devices to remotely take screenshots, run arbitrary commands, and perform remote shellcode execution.
The framework supports building custom infection mechanisms for dropping the ‘Insekt’ remote access trojan (RAT) on devices and helps hackers by generating PowerShell (for Windows) and wget (for Linux) code snippets for the RATs deployment.
The Insekt payload can be configured on Alchimist’s interface using several parameters like C2 IP/URL, platform (Windows or Linux), communication protocol (TLS, SNI, WSS/WS), and whether it’ll run as a daemon or not.
The C2 address is hard-coded to the generated implant and contains a self-signed certificate generated during compilation. The C2 is pinged ten times every second, and if all attempts for a connection fail, the malware retries after an hour.
The Insekt RAT
While the Alchemist C2 servers deliver commands to execute, it is the Insekt implant that carries them out on infected Windows and Linux systems.
The malicious behavior that an Insekt implant can perform includes:
Get file sizes.
Get OS information.
Run arbitrary commands via cmd.exe or bash.
Upgrade the current Insekt implant.
Run arbitrary commands as a different user.
Sleep for periods defined by the C2.
Start/stop taking screenshots.
Additionally, Insekt can serve as a proxy (using SOCKS5), manipulate SSH keys, perform port and IP scans, write or unzip files to the disk, and execute shellcode on the host.
“The Linux variant of Insekt also has the functionality to list the contents of “.ssh” directory in the victim’s home directory and adds new SSH keys to the authorised_Keys file,” explains Cisco Talos in the report.
“Using this feature, the attacker can communicate with the victim’s machine from the C2 over SSH.”
Alchimist operators also can send pre-determined commands to the implant concerning user creation, admin user survey, terminal activation, and firewall disabling and configuration.
Insikt doesn’t work on macOS yet, so Alchimist covers this gap using a Mach-O file, a 64-bit executable written in GoLang that contains an exploit for CVE-2021-4034.
This is a privilege escalation flaw in Polkit’s pkexec utility, but the framework will not inject it into the target, meaning that for the attack to work, hackers must install the utility on the target machine.
Alchimist offers the same exploit for the Linux platform, too, as long as pkexec is installed on the system.
Rise of all-in-one frameworks
Alchimist is another attack framework available to cybercriminals who don’t have the knowledge or capacity to build all the components required for sophisticated cyberattacks.
Unfortunately, these ready-made frameworks are high-quality, rich in features, good at evading detection, and effective in dropping implants on targets.
With that said, they are even beneficial for more advanced threat actors who want to minimize their operational expenses and blend with random malicious traffic of other hackers to evade attribution.