New Alchimist attack framework hits Windows, Linux and Mac
techrepublic ^ | 13 October 2022 | Cedric Pernet

Posted on 10/17/2022 11:33:45 AM PDT by ShadowAce

A standalone Command and Control (C2) server called “Alchimist” was recently discovered by Cisco Talos. The framework has been designed to run attacks via standalone GoLang-based executables that can be distributed easily. The framework found by Talos contains both the whole web user interface and the payloads.

GoLang-written framework

The Go programming language, also known as GoLang, is becoming increasingly popular with developers who want to compile their code for multiple different systems and architectures. As an example, we recently wrote about the Sliver offensive framework, fully written in Go. It is therefore no wonder that more cybercriminals are adopting it too.

Alchimist, a name given by its developer, uses GoLang-based assets, which are custom-made embedded packages, to store all the resources needed for its operation as a C2 server. During initialization, all its content is placed in hard-coded folders, namely /tmp/Res for the web interface, HTML files and further folders, and /tmp/Res/Payload for its Windows and Linux payloads.


A self-signed certificate without any server name is also dropped in the /tmp folder (Figure A), together with its key for use in HTTPS communications. That certificate could be found on five different IP addresses on the Internet at the time of the research, all of them used for Alchimist.

Figure A: Alchimist self-signed certificate without any server name. Image: Cisco Talos.

The Web interface

The Alchimist framework's web user interface is available in English and simplified Chinese (Figure B).

Figure B: Alchimist web interface shown in simplified Chinese. Image: Cisco Talos.

Most of the common features expected of a Remote Administration Tool (RAT) controller are implemented in the interface, yet one stands out according to the researchers: the ability to generate PowerShell and wget code snippets for Windows and Linux systems. These commands might be embedded in malicious documents, LNK files or any other kind of file used for initial compromise, and download and install the additional payload provided by the framework: the Insekt RAT.

Several parameters are taken from the web user interface to generate the final payload. Those parameters are:

Once configured, the web interface sends a request to a URL of the current C2 server to request a new payload that is downloadable.

The Insekt payload

Insekt RAT is written in GoLang and compiled for Windows and Linux. The RAT can collect information about the operating system it runs on and file size information, sleep for predefined periods, or upgrade itself.

In addition, it provides more aggressive functions, such as a cmd.exe command line for executing arbitrary commands. It also allows executing commands as another user, executing shellcode, scanning IP addresses and ports, manipulating Secure Shell (SSH) keys, and enabling proxying. It is also able to enumerate files in a directory path.

The Linux version of Insekt also allows users to add new SSH keys to the authorized_keys file, thereby allowing the attacker to communicate with the victimized machine over SSH.

Predefined sets of commands are also available for the attacker's convenience, enabling faster interactions and avoiding typing mistakes.

MacOSX also targeted

Alongside Alchimist and Insekt, the researchers found tools for privilege elevation and exploitation on MacOSX platforms.

A Mach-O file found in the main folder triggers an exploit for a privilege escalation vulnerability (CVE-2021-4034) in the pkexec utility, which is not installed on MacOSX by default. A bind shell backdoor is also available in that executable, to provide a remote shell to the threat actor.

More all-inclusive C2 frameworks hitting several different operating systems are probably coming

More such attack frameworks have been found lately. Manjusaka, a Chinese sibling of Sliver and Cobalt Strike, appeared in 2022, with its C2 part programmed in GoLang while the payloads were written in the Rust programming language. Rust, like GoLang, lets a developer compile code for several different platforms very easily. More multiplatform frameworks written in Go and Rust are to be expected.

The discovery of Alchimist stands as another indication that “threat actors are rapidly adopting off-the-shelf C2 frameworks to carry out their operations,” according to Cisco Talos.

The ease of use of such a framework will probably entice malware developers and threat actors to use more of those in the near future.

What can be done against this threat?

Security software should be deployed in order to detect the payloads and possible communications to Alchimist C2. The self-signed certificate used by the framework should raise immediate alerts when found in HTTPS communications.
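The certificate traits the article describes (self-signed, dropped in /tmp, no server name) can be turned into the alerting rule suggested here. The following Go check is an added example, not Cisco Talos's or the framework's code: it flags a certificate that is self-signed and names no server, and builds constructed sample certificates so the rule can be exercised offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CertFindings records the two traits the article attributes to the
// Alchimist certificate: self-signed, and carrying no server name.
type CertFindings struct {
	SelfSigned   bool // issuer equals subject and the signature verifies with its own key
	NoServerName bool // empty CN and no DNS or IP SANs
}

// Inspect evaluates a parsed certificate against those two traits.
func Inspect(c *x509.Certificate) CertFindings {
	selfSigned := bytes.Equal(c.RawIssuer, c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
	noName := c.Subject.CommonName == "" && len(c.DNSNames) == 0 && len(c.IPAddresses) == 0
	return CertFindings{SelfSigned: selfSigned, NoServerName: noName}
}

// Suspicious is the alerting rule: a self-signed certificate that names no server.
func Suspicious(f CertFindings) bool { return f.SelfSigned && f.NoServerName }

// MakeSelfSigned builds a constructed sample certificate (hypothetical test data,
// not an Alchimist artefact). An empty commonName leaves only an Organization field.
func MakeSelfSigned(commonName string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName, Organization: []string{"constructed sample"}},
		DNSNames:     dnsNames,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

In practice the certificate would come from a TLS handshake captured at the network edge (for example via `tls.Conn.ConnectionState().PeerCertificates`) rather than from MakeSelfSigned.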

Operating systems and software need to be kept up to date and patched, in order to avoid attackers using common vulnerabilities to compromise a system and get an initial foothold.

Multi-factor authentication also needs to be deployed for every internet-facing device or service, in order to avoid attacks using a single credential for access.


TOPICS: Computers/Internet
KEYWORDS: malware

1 posted on 10/17/2022 11:33:45 AM PDT by ShadowAce

To: rdb3; JosephW; martin_fierro; Still Thinking; zeugma; Vinnie; ironman; Egon; raybbr; AFreeBird; ...

2 posted on 10/17/2022 11:33:56 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack )

To: ShadowAce
Security software should be deployed in order to detect the payloads and possible communications to Alchimist C2. The self-signed certificate used by the framework should raise immediate alerts when found in HTTPS communications. Operating systems and software need to be kept up to date and patched, in order to avoid attackers using common vulnerabilities to compromise a system and get an initial foothold.

Thanks Ace...

3 posted on 10/17/2022 11:43:21 AM PDT by GOPJ (Trump EARNED his money. Democrats steal theirs from taxpayers. It's why they hate Trump.)

To: ShadowAce

Hackers deserve summary execution.


4 posted on 10/17/2022 11:45:35 AM PDT by JimRed (TERM LIMITS, NOW! Militia to the border! TRUTH is the new HATE SPEECH.)

To: JimRed

SPJNK.


5 posted on 10/17/2022 12:20:01 PM PDT by Carriage Hill (A society grows great when old men plant trees, in whose shade they know they will never sit.)

To: ShadowAce

Thank you for the ping ;^)


6 posted on 10/17/2022 2:28:55 PM PDT by Bikkuri (I am proud to be a PureBlood.)

To: ShadowAce

[[Security software should be deployed in order to detect the payloads and possible communications to Alchimist C2]]

What about for Linux? Any suggestions for security software?


7 posted on 10/17/2022 9:28:14 PM PDT by Bob434 (question)

To: Bob434
Well, this is not a virus, so anti-virus would be less useful (clamav).

Keep your firewall running, run an IDS, such as Bro, OSSEC, or Snort, and don't click on unknown links coming into your e-mail box.

8 posted on 10/18/2022 4:08:43 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack )

To: ShadowAce

Thanks shadowace- I do have the firewall, and a strict no link or attachment policy for emails as others use the computer too, and they have learned not to click links unless they know the person and the link is to something expected like a youtube video or known shopping site or whatever.

I hadn't heard of the IDS before, thanks I will check those out.


9 posted on 10/18/2022 8:02:09 AM PDT by Bob434 (question)
