Image: Cisco Talos. Alchimist self-signed certificate without any server name. Posted on 10/17/2022 11:33:45 AM PDT by ShadowAce
A standalone Command and Control (C2) server called “Alchimist” was recently discovered by Cisco Talos. The framework has been designed to run attacks via standalone GoLang-based executables that can be distributed easily. The framework found by Talos contains both the whole web user interface and the payloads.
Go programming language, also known as GoLang, becomes increasingly popular for developers looking to compile their code on multiple different systems and architecture. As an example, we recently wrote about the Sliver offensive framework, fully written in Go. It is therefore no wonder that more cybercriminals are also adopting it.
Alchimist, whose name has been given by its developer, uses GoLang-based assets, which are custom-made embedded packages, to store all the resources needed for its operations as a C2 server. During initialization, all its content is placed in hard coded folders, namely /tmp/Res for the web interface, HTML files and more folders, and /tmp/Res/Payload for its payloads for Windows and Linux operating systems.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
A self-signed certificate without any server name is also dropped in the /tmp folder (Figure A), together with its key for use in HTTPS communications. That certificate could be found on five different IP addresses on the Internet at the time of the research, all of them used for Alchimist.
Figure A
Image: Cisco Talos. Alchimist self-signed certificate without any server name.
The Alchimist framework user web interface is written in English and simplified Chinese languages (Figure B).
Figure B
Image: Cisco Talos. Alchimist web interface shows simplified Chinese language.
Most common features expected to handle Remote Administration Tool (RAT) malware are implemented in the interface, yet one stands out according to the researchers: The ability to generate PowerShell and wget code snippets for Windows and Linux systems. These commands might be embedded in malicious documents, LNK files or any other kind of files used for initial compromise, and download/install the additional payload provided by the framework: the Insekt RAT.
Several parameters are taken from the web user interface to generate the final payload. Those parameters are:
Once configured, the web interface sends a request to a URL of the current C2 server to request a new payload that is downloadable.
Insekt RAT is written in GoLang and compiled for Windows and Linux. The RAT provides the ability to get information about the operating system it runs on and file sizes information, sleep for predefined periods or upgrade itself.
In addition, it provides more aggressive functions such as providing a command-line cmd.exe to execute arbitrary commands. It also allows for executing commands as another user, executing shellcode, scanning IP addresses and ports, manipulating Secure Shell (SSH) keys, or enabling proxying. It is also able to enumerate files in a directory path.
The Linux version of Insekt also allows users to add new SSH keys to the authorized_Keys file, therefore allowing the attacker to communicate with the victimized machine over SSH.
Predefined sets of commands are also usable for the attacker’s ease, enabling faster interactions and avoiding typing mistakes.
Alongside Alchimist and Insekt, the researchers found tools for privilege elevation and exploitation on MacOSX platforms.
A Mach-O file found in the main folder allows to trigger an exploit for a privilege escalation vulnerability (CVE-2021-4034) on the pkexec utility, which is not installed on MacOSX by default. A bind shell backdoor is also available in that executable, to provide a remote shell to the threat actor.
More of such attack frameworks have been found lately. Manjusaka, a Chinese sibling of Sliver and Cobalt Strike, appeared in 2022, programmed in GoLang for its C2 part, while the payloads were made in Rust programming language. Rust, like GoLang, enables a developer to compile code on several different platforms very easily. It is expected to see more multiplatform frameworks written in Go and Rust programming languages.
The discovery of Alchimist stands as another indication that “threat actors are rapidly adopting off-the-shelf C2 frameworks to carry out their operations,” according to Cisco Talos.
The ease of use of such a framework will probably entice malware developers and threat actors to use more of those in the near future.
Security software should be deployed in order to detect the payloads and possible communications to Alchimist C2. The self-signed certificate used by the framework should raise immediate alerts when found in HTTPS communications.
Operating systems and software need to be kept up to date and patched, in order to avoid attackers using common vulnerabilities to compromise a system and get an initial foothold.
Multi-factor authentication also needs to be deployed for every internet-facing device or service, in order to avoid attacks using a single credential for access.
Thanks Ace...
Hackers deserve summary execution.
SPJNK.
Thank you for the ping ;^)
[[Security software should be deployed in order to detect the payloads and possible communications to Alchimist C2]]
What abotu for Linux? Any suggestions for security software?
Keep your firewall running, run an IDS, such as Bro, OSSEC, or Snort, and don't click on unknown links coming into your e-mail box.
Thanks shadowace- I do have the firewall, and stRicT no link or attachment policy for emails as others use the computer too, and they have learned not to click links u less they know the person and the ,ink is tO something expected like a youtube video or known shopping site or whatever.
I hadnt heard of the ids before, hnaks I will check those out.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.