New Alchimist attack framework hits Windows, Linux and Mac – TechRepublic
An attack framework of probable Chinese origin, used by cybercriminals, has been discovered.
A standalone Command and Control (C2) server called “Alchimist” was recently discovered by Cisco Talos. The framework has been designed to run attacks via standalone GoLang-based executables that can be distributed easily. The framework found by Talos contains both the whole web user interface and the payloads.
The Go programming language, also known as GoLang, is becoming increasingly popular with developers who want to compile their code for multiple systems and architectures. As an example, we recently wrote about the Sliver offensive framework, which is written entirely in Go. It is therefore no wonder that more cybercriminals are adopting it as well.
Alchimist, named by its developer, uses GoLang-based assets, which are custom-made embedded packages, to store all the resources it needs to operate as a C2 server. During initialization, all of that content is unpacked into hard-coded folders: /tmp/Res for the web interface, HTML files and further folders, and /tmp/Res/Payload for its Windows and Linux payloads.
A self-signed certificate without any server name is also dropped in the /tmp folder (Figure A), together with its key for use in HTTPS communications. That certificate could be found on five different IP addresses on the Internet at the time of the research, all of them used for Alchimist.
Figure A
The Alchimist web user interface is available in English and simplified Chinese (Figure B).
Figure B
Most of the features commonly expected of a Remote Administration Tool (RAT) controller are implemented in the interface, yet one stands out according to the researchers: the ability to generate PowerShell and wget code snippets for Windows and Linux systems. These commands can be embedded in malicious documents, LNK files or any other kind of file used for initial compromise, and they download and install the additional payload provided by the framework: the Insekt RAT.
Several parameters are taken from the web user interface to generate the final payload. Those parameters are:
Once configured, the web interface sends a request to a URL of the current C2 server to request a new payload that is downloadable.
Insekt RAT is written in GoLang and compiled for Windows and Linux. The RAT can collect information about the operating system it runs on and about file sizes, sleep for predefined periods, or upgrade itself.
In addition, it provides more aggressive functions, such as exposing a cmd.exe command line to execute arbitrary commands. It also allows executing commands as another user, executing shellcode, scanning IP addresses and ports, manipulating Secure Shell (SSH) keys, and enabling proxying. It is also able to enumerate the files in a directory path.
The Linux version of Insekt also lets the operator add new SSH keys to the authorized_keys file, which allows the attacker to reach the compromised machine over SSH.
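A defensive counterpart to that behaviour, as an added example that is not from the Talos report or from TechRepublic: a small Python triage helper that parses a Linux authorized_keys file and reports any key whose material is not in an approved baseline. The baseline and the sample file contents below are constructed.

```python
"""Triage helper for the authorized_keys tampering described above: parse the
file and report keys outside an approved baseline. Added example; the
baseline and the sample file contents are constructed."""
import re
from dataclasses import dataclass

# Key types OpenSSH accepts; a line without one is reported as malformed.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")
LINE_RE = re.compile(
    r"^(?:(?P<opts>\S.*?)\s+)?(?P<type>" + "|".join(map(re.escape, KEY_TYPES))
    + r")\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$")


@dataclass(frozen=True)
class AuthorizedKey:
    options: str    # restriction/forced-command options, '' if none
    key_type: str
    blob: str       # base64 key material, used as the key's identity
    comment: str


def parse_authorized_keys(text: str) -> list:
    """Parse lines of the form: [options] key-type base64 [comment]."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:  # keep unparsable lines so they surface in triage
            keys.append(AuthorizedKey("", "malformed", line, ""))
        else:
            keys.append(AuthorizedKey(m.group("opts") or "", m.group("type"),
                                      m.group("blob"), m.group("comment") or ""))
    return keys


def unauthorized_keys(text: str, baseline: set) -> list:
    """Keys in `text` whose blob is not in the approved baseline set."""
    return [k for k in parse_authorized_keys(text) if k.blob not in baseline]


# Constructed sample: one approved key and one that an implant appended.
APPROVED = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedApprovedKey000000000000000"
BASELINE = {APPROVED}
SAMPLE = f"""# constructed authorized_keys for the example
ssh-ed25519 {APPROVED} admin@host
no-pty,command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2EConstructedInjectedKey injected key
"""
```

Calling `unauthorized_keys(SAMPLE, BASELINE)` returns only the injected ssh-rsa entry, with its forced-command options preserved for the analyst; on a real host, feed it the contents of each user's ~/.ssh/authorized_keys and a baseline exported from your key inventory.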
Predefined sets of commands are also usable for the attacker’s ease, enabling faster interactions and avoiding typing mistakes.
Alongside Alchimist and Insekt, the researchers found tools for privilege escalation and exploitation on macOS X platforms.
A Mach-O file found in the main folder triggers an exploit for a privilege escalation vulnerability (CVE-2021-4034) in the pkexec utility, which is not installed on macOS X by default. The same executable also carries a bind shell backdoor that gives the threat actor a remote shell.
More attack frameworks of this kind have surfaced lately. Manjusaka, a Chinese sibling of Sliver and Cobalt Strike, appeared in 2022 with its C2 component written in GoLang and its payloads written in Rust. Rust, like GoLang, lets a developer compile code for several platforms with very little effort, so more multiplatform frameworks written in Go and Rust are to be expected.
The discovery of Alchimist stands as another indication that “threat actors are rapidly adopting off-the-shelf C2 frameworks to carry out their operations,” according to Cisco Talos.
The ease of use of such a framework will probably entice malware developers and threat actors to use more of those in the near future.
Security software should be deployed to detect the payloads and any communications with an Alchimist C2. The self-signed certificate used by the framework should raise an immediate alert when it is seen in HTTPS traffic.
Operating systems and software need to be kept up to date and patched, in order to avoid attackers using common vulnerabilities to compromise a system and get an initial foothold.
Multi-factor authentication also needs to be deployed for every internet-facing device or service, in order to avoid attacks using a single credential for access.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.