Researchers have uncovered a potentially dangerous cyberattack framework targeting Windows, Linux, and Mac systems that they assess is likely already being used in the wild.
The framework consists of a new, stand-alone, command-and-control (C2) tool dubbed “Alchimist,” a previously unseen remote access Trojan (RAT) called “Insekt,” and several bespoke tools like a custom backdoor and malware for exploiting vulnerabilities in macOS. It also includes reverse proxies and several dual-use tools such as netcat, psexec, and an intranet-scanning tool called fscan.
“Alchimist is a new C2 framework that can be rapidly deployed and operated with relatively low technical expertise by a threat actor,” says Nick Biasini, head of outreach at Cisco Talos.
A Cobalt Strike Alternative?
Researchers from Cisco Talos who discovered the attack framework described Alchimist as another example of threat actors trying to develop alternatives to popular post-exploit tools such as Cobalt Strike and, more recently, Sliver.
“The emergence of such frameworks in the wild suggests that threat actors are actively trying to develop alternative solutions to popular attack frameworks … whose increasing popularity has led to rigorous detection efforts,” Biasini says.
In a blog post on Oct. 13, Cisco Talos described Alchimist as a 64-bit Linux executable written in GoLang with a Web interface written in Simplified Chinese, the official written script for mainland China. The Insekt RAT, Alchimist’s primary implant, is also implemented in GoLang. The malware features several remotely accessible capabilities that allow it to be customized via the C2 server.
“[Alchimist] can generate a configured payload, establish remote sessions, deploy payloads to the remote machines, capture screenshots, perform remote shellcode execution and run arbitrary commands,” the report noted. Giving it those capabilities are a variety of malware tools, including a Mach-0 backdoor for macOS and a separate macOS malware dropper that exploits a known vulnerability in a root program associated with major Linux distributions (CVE-2021-4034).
Of note, the Insekt RAT implants that Alchimist generates features a wide range of capabilities that essentially makes it a Swiss Army knife for the attackers on the infected system, Biasini says.
A campaign utilizing the attack framework has been active since at least January.
“Although Talos does not have information on the precise targeting intended in this campaign, the intention of the attacks is to compromise and establish long-term access into victim environments,” Biasini says.
Cisco Talos has compared the Alchimist framework with another attack framework it discovered recently, dubbed Manjusaka. In a report in August, the company described Manjusaka as a Chinese sibling of Cobalt Strike and Sliver that a threat actor was actively using in a campaign involving COVID-19 and China-themed lure documents.
Both Alchimist and Manjusaka are stand-alone, single-file-based C2 frameworks with similar design philosophies but different implementations. Both come ready to use with no installation required, and both can patch and generate implants such as the Insekt RAT on the fly, Cisco Talos said.
One feature of the new C2 that the company highlighted as being notable is its ability to generate PowerShell and wget code snippets for Windows and Linux.
The snippets give threat actors the ability to create an infection vector for Insekt RAT without having to author custom code or utilize additional tools, Biasini says. Attackers can simply add the PowerShell/wget code to a delivery vector such as a malicious document’s VBA Macro or to a malicious shortcut file and then distribute it to victims for infection.
“This offering may be an attempt by the authors to provide bonus features in the C2 framework and make it more enticing to threat actors,” he notes.