Heimdal Security Blog

Alchimist Attack Framework Targeting Windows, Linux, and macOS Systems

A new attack and C2 framework called “Alchimist” was recently discovered by cybersecurity researchers; it has been actively targeting Windows, Linux, and macOS systems. The framework and all of its files are 64-bit executables written in Go, which makes cross-compiling the same code for different operating systems straightforward.

How Alchimist Works

Alchimist gives its operators an easy-to-use framework for generating and configuring the payloads placed on infected devices, which can then perform actions such as taking screenshots remotely, running arbitrary commands, and executing shellcode supplied by the operator.

The framework lets attackers build custom infection mechanisms for dropping the “Insekt” remote access trojan (RAT) on devices. It also generates ready-made PowerShell (for Windows) and wget (for Linux) code snippets for deploying the RAT.

In the Alchimist interface, the Insekt payload can be customized through several settings, including the C2 IP/URL, platform (Windows or Linux), communication protocol (TLS, SNI, WSS/WS), and whether the payload runs as a daemon. The self-signed certificate generated during compilation and the C2 address are both hard-coded into the resulting implant. The implant tries to reach the C2 ten times per second; if no connection can be established, it waits an hour before trying again.
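The beaconing behaviour just described gives a defender two cheap network signals: a tight burst of connection attempts from one host to one destination, and TLS sessions whose certificate issuer equals its subject. The script below is an added example and is not code from the Alchimist/Insekt framework or from the article's authors; it runs both checks over constructed Zeek-style conn.log and ssl.log records. The field layout, the thresholds (eight attempts within one second) and every sample record are assumptions.

```python
"""Spot Insekt-style C2 behaviour in Zeek-style connection and TLS logs.

Added example, not code from Alchimist/Insekt or from the article. Field
layout, thresholds and all sample records are constructed for illustration.
"""
from collections import defaultdict

CONN_FIELDS = ("ts", "id.orig_h", "id.resp_h", "id.resp_p", "conn_state")
SSL_FIELDS = ("ts", "id.orig_h", "id.resp_h", "subject", "issuer")

# Constructed conn.log excerpt: 10.0.0.5 tries 203.0.113.7:443 ten times in
# under a second, gets no reply (S0), and repeats one hour later.
# 10.0.0.8 is ordinary browsing traffic for contrast.
CONN_LOG = """\
1665000000.00\t10.0.0.5\t203.0.113.7\t443\tS0
1665000000.10\t10.0.0.5\t203.0.113.7\t443\tS0
1665000000.20\t10.0.0.5\t203.0.113.7\t443\tS0
1665000000.30\t10.0.0.5\t203.0.113.7\t443\tS0
1665000000.40\t10.0.0.5\t203.0.113.7\t443\tS0
1665000000.50\t10.0.0.5\t203.0.113.7\t443\tS0
1665000000.60\t10.0.0.5\t203.0.113.7\t443\tS0
1665000000.70\t10.0.0.5\t203.0.113.7\t443\tS0
1665000000.80\t10.0.0.5\t203.0.113.7\t443\tS0
1665000000.90\t10.0.0.5\t203.0.113.7\t443\tS0
1665000005.00\t10.0.0.8\t198.51.100.20\t443\tSF
1665000005.30\t10.0.0.8\t198.51.100.20\t443\tSF
1665000065.00\t10.0.0.8\t198.51.100.20\t443\tSF
1665003600.00\t10.0.0.5\t203.0.113.7\t443\tS0
1665003600.10\t10.0.0.5\t203.0.113.7\t443\tS0
1665003600.20\t10.0.0.5\t203.0.113.7\t443\tS0
1665003600.30\t10.0.0.5\t203.0.113.7\t443\tS0
1665003600.40\t10.0.0.5\t203.0.113.7\t443\tS0
1665003600.50\t10.0.0.5\t203.0.113.7\t443\tS0
1665003600.60\t10.0.0.5\t203.0.113.7\t443\tS0
1665003600.70\t10.0.0.5\t203.0.113.7\t443\tS0
1665003600.80\t10.0.0.5\t203.0.113.7\t443\tS0
1665003600.90\t10.0.0.5\t203.0.113.7\t443\tS0
"""

# Constructed ssl.log excerpt: the C2 session uses a self-signed certificate
# (issuer == subject); the benign session chains to a CA. Names are made up.
SSL_LOG = """\
1665000000.00\t10.0.0.5\t203.0.113.7\tCN=localhost\tCN=localhost
1665000005.00\t10.0.0.8\t198.51.100.20\tCN=www.example.com\tCN=Example Public CA
"""


def parse_tsv(text, fields):
    """Turn tab-separated log lines into dicts keyed by the given field names."""
    rows = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def find_bursts(conn_text, min_attempts=8, window_s=1.0):
    """Map (src, dst, dport) -> max attempts seen in any window_s-second
    window, keeping only flows that reach min_attempts. A two-pointer sweep
    over the sorted timestamps makes this linear per flow."""
    by_flow = defaultdict(list)
    for r in parse_tsv(conn_text, CONN_FIELDS):
        by_flow[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    hits = {}
    for flow, times in by_flow.items():
        times.sort()
        best, lo = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_attempts:
            hits[flow] = best
    return hits


def find_self_signed(ssl_text):
    """Return (src, dst, subject) for TLS sessions whose issuer equals subject."""
    return [(r["id.orig_h"], r["id.resp_h"], r["subject"])
            for r in parse_tsv(ssl_text, SSL_FIELDS) if r["subject"] == r["issuer"]]


if __name__ == "__main__":
    for (src, dst, port), n in find_bursts(CONN_LOG).items():
        print(f"burst: {src} -> {dst}:{port}, {n} attempts within 1s")
    for src, dst, subj in find_self_signed(SSL_LOG):
        print(f"self-signed TLS: {src} -> {dst} ({subj})")
```

Either signal alone is noisy (misconfigured clients retry aggressively, and internal services often use self-signed certificates), so in practice the two results are joined on source and destination: a host that both bursts at one external address and negotiates a self-signed certificate with it is the pairing worth escalating.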

How the Insekt RAT Operates

Although the Alchimist C2 server issues the commands, it is the Insekt implant that carries them out on the infected system. Besides the functions mentioned earlier (remote screenshots, arbitrary command execution, shellcode execution), Insekt can act as a SOCKS5 proxy, manipulate SSH keys, perform port and IP scans, write or unzip files to disk, and execute shellcode on the host. Alchimist operators can also send predefined commands to infected machines.

Attacks on macOS

Insekt does not yet run on macOS, so the threat actors cover that platform with a Mach-O file, a 64-bit executable written in Go that contains an exploit for CVE-2021-4034.

This is a local privilege escalation vulnerability in Polkit’s pkexec utility. The framework does not bring pkexec onto the target, so the attackers must install the tool on the target computer themselves if it is not already there for the attack to succeed. The same exploit is used against Linux as well, as long as pkexec is installed on the system.
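Because the exploit only works where pkexec is present and setuid-root, a host-side check is short. The script below is an added example, not code from Alchimist or from the article's authors: it locates pkexec, classifies its setuid state, and scans constructed auth.log lines for the two error messages public PwnKit write-ups report pkexec printing when its environment has been tampered with. The candidate paths, the decision rule and the sample log lines are assumptions, and a clean log does not prove the host was never exploited.

```python
"""Check a Linux host for the pkexec dependency of the exploit described above.

Added example, not code from Alchimist or from the article. Candidate paths,
classification rule and the sample auth.log below are assumptions/constructed.
"""
import os
import stat

PKEXEC_CANDIDATES = ("/usr/bin/pkexec", "/usr/local/bin/pkexec")

# Substrings of pkexec's own error messages that land in auth.log when its
# environment sanity checks trip (as reported in public PwnKit write-ups).
SUSPICIOUS_MARKERS = (
    "SHELL variable was not found",
    "contains suspicious content",
)


def classify(mode, uid):
    """Classify a pkexec binary from its st_mode and st_uid.

    'setuid-root' is the state the exploit needs; 'no-setuid' is the interim
    mitigation (chmod 0755) widely recommended until polkit is patched."""
    if not stat.S_ISREG(mode):
        return "not-a-regular-file"
    if mode & stat.S_ISUID:
        return "setuid-root" if uid == 0 else "setuid-nonroot"
    return "no-setuid"


def locate_pkexec(candidates=PKEXEC_CANDIDATES):
    """Return the first candidate path that exists, or None."""
    for path in candidates:
        if os.path.exists(path):
            return path
    return None


def assess_host():
    """Return (verdict, path) for the live host."""
    path = locate_pkexec()
    if path is None:
        return ("absent", None)  # nothing for the exploit to abuse
    st = os.stat(path)
    return (classify(st.st_mode, st.st_uid), path)


def scan_auth_log(text):
    """Return auth.log lines that mention pkexec and carry a suspicious marker."""
    return [line for line in text.splitlines()
            if "pkexec" in line and any(m in line for m in SUSPICIOUS_MARKERS)]


# Constructed auth.log excerpt (syslog-style, layout approximate).
SAMPLE_AUTH_LOG = """\
Oct 12 10:01:02 host sshd[1201]: Accepted publickey for alice from 10.0.0.9 port 50212
Oct 12 10:03:44 host pkexec[1333]: alice: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/tmp] [COMMAND=/usr/bin/pkexec]
Oct 12 10:03:45 host pkexec[1334]: alice: The value for environment variable XAUTHORITY contains suspicious content [USER=root] [TTY=/dev/pts/0] [CWD=/tmp] [COMMAND=/usr/bin/pkexec]
Oct 12 10:05:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
"""

if __name__ == "__main__":
    verdict, path = assess_host()
    print(f"pkexec: {verdict}" + (f" ({path})" if path else ""))
    if verdict == "setuid-root":
        print(f"  interim mitigation until patched: chmod 0755 {path}")
    for line in scan_auth_log(SAMPLE_AUTH_LOG):
        print("  suspicious:", line)
```

The setuid classification cannot distinguish a patched pkexec from an unpatched one, so it should be read together with the distribution's polkit package version; the log scan is the complementary after-the-fact signal.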

According to BleepingComputer, Alchimist is an attack framework for cybercriminals who lack the knowledge or capacity to build the components needed for sophisticated attacks themselves. Such ready-made frameworks are of high quality, ship with a wide array of features, and are also good at evading detection. The framework is attractive even to more advanced threat actors who want to cut the cost of their operations and blend in with the malicious traffic of other attackers to evade attribution.
