New Alchimist command and control framework targets Windows, macOS, and Linux Systems (14th October

Ref# AL2022_67 | Date: Oct 14th 2022

Description  

Researchers have recently stumbled upon a new attack framework which includes a command and control (C2) server called Alchimist and a new malware called Insekt that has been seen in attacks targeting Windows, Linux and macOS devices. 

Summary 

The C2 framework called Alchimist was discovered as a single-file command and control framework. It consists of 64-bit executable files written in the GoLang programming language, which lets the framework target multiple platforms, evade detection more easily and complicate reverse engineering. The Alchimist C2 features a web interface written in Simplified Chinese that allows attackers to generate a configured payload, establish remote sessions, deploy payloads to remote machines, capture screenshots, perform remote shellcode execution and run arbitrary commands. It supports custom infection mechanisms for the Insekt RAT on devices and assists attackers in building code snippets for the RAT's deployment on Windows (through PowerShell) and Linux (through wget). 

Alchimist is complemented by a new malware called Insekt. The Insekt remote access tool (RAT) is a new trojan, also written in the GoLang programming language, that features a variety of remote access capabilities such as retrieving file sizes and OS information, running arbitrary commands via cmd.exe or bash, and starting/stopping screenshot capture, among others. These commands are instrumented directly by the Alchimist C2 server. Apart from these usual capabilities, Insekt can also execute shellcode, perform port and IP scanning, manipulate SSH keys and act as a proxy for connections. The Linux variant of Insekt also has the added functionality to list the contents of the ".ssh" directory in a victim's home directory and add new SSH keys to the authorized_keys file. Using these keys, an attacker can connect to the victim's device from the C2 server over SSH. 
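As an added example (not from this advisory or from Cisco Talos), the following Python script parses an authorized_keys file and reports any entry whose key fingerprint is not in an approved baseline, which is one way to detect the SSH-key persistence described above. The sample file content, the key blobs and the approved set are constructed for the example.

```python
import base64
import hashlib
import re
import shlex

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)[\w@.-]+$")  # key-type token, e.g. ssh-ed25519

def fingerprint(blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (unpadded base64)."""
    raw = base64.b64decode(blob, validate=True)  # raises ValueError on bad base64
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list:
    """Parse authorized_keys text; tolerates the options prefix, comments and blank lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # handles quoted options such as command="..."
            idx = next(i for i, t in enumerate(tokens) if KEY_TYPE.match(t))
            fp = fingerprint(tokens[idx + 1])
        except (ValueError, StopIteration, IndexError):
            # unbalanced quotes, no key-type token, or a missing/invalid key blob
            entries.append({"line": lineno, "error": "unparseable entry"})
            continue
        entries.append({"line": lineno, "type": tokens[idx], "fingerprint": fp,
                        "options": tokens[:idx], "comment": " ".join(tokens[idx + 2:])})
    return entries

def unexpected_keys(text: str, approved: set) -> list:
    """Entries whose fingerprint is not in the approved set, plus any unparseable lines."""
    return [e for e in parse_authorized_keys(text) if e.get("fingerprint") not in approved]

# Constructed sample file: the ed25519 key is the approved admin key; the ssh-rsa entry
# with a forced command was appended later. Neither blob is a real key.
ED25519_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43
RSA_BLOB = "AAAAB3NzaC1yc2EAAAADAQAB"
SAMPLE = (
    "# admin workstation\n"
    f"ssh-ed25519 {ED25519_BLOB} admin@workstation\n"
    f'command="/bin/sh",no-pty ssh-rsa {RSA_BLOB} unknown\n'
)

def audit_sample() -> list:
    """Run the check with only the admin key approved; returns the flagged entries."""
    return unexpected_keys(SAMPLE, {fingerprint(ED25519_BLOB)})
```

In practice the approved set would be built from the fingerprints in your configuration management or key inventory, and the check run against every user's ~/.ssh/authorized_keys on a schedule.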

Because Insekt does not yet run on macOS, the Alchimist framework instead uses a Mach-O file, a 64-bit executable written in the GoLang programming language, that exploits CVE-2021-4034. This vulnerability is a privilege escalation flaw in Polkit's pkexec utility. Along with this exploit, the Mach-O file also drops a bind shell backdoor, providing an attacker with a remote shell on the victim device. However, the exploit only works if the pkexec utility is installed on the macOS device; it can also work on Linux devices where the utility is installed. 

Indicators of Compromise: 

For a list of IOCs related to the attack framework, follow the URL for related IP addresses, URLs and hashes: https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/10/alchimist-offensive-framework.txt 

PDF Download: New-Alchimist-command-and-control-framework-targets-Windows-macOS-and-Linux-Systems.pdf

Remediation  

Because attackers are adopting C2 frameworks and GoLang malware to carry out attacks, detecting these attacks has become more challenging. As basic safety practices, users are advised to follow the steps below: 

  1. Implement layered security defences such as antivirus and intrusion detection systems. 

  2. Monitor privileged operations in your environment and watch for any unauthorized programs attempting to gain root privileges. 

  3. Monitor unusual network traffic and be cautious about suspicious downloads. 

  4. Enforce controlled download and file execution policies on endpoints and servers to protect organizational assets from threats. 

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 