A new attack framework, complete with both a command and control (C2) tool and a remote access trojan (RAT), has been discovered in the wild, according to researchers at Cisco Talos. The C2 tool, dubbed Alchimist, and the RAT, Insekt, were found by Talos researchers on a web server which had file listing active on the root directory alongside a set of post-exploitation tools.
Both Alchimist and Insekt are written in GoLang, allowing for threat actors to create payloads to target different operating systems with ease. The Alchimist C2 tool has a web interface written in Simplified Chinese and supports a number of different commands, including the ability to generate a configured payload, establish remote sessions, deploy payloads to remote machines, capture screenshots, perform remote shellcode execution, and run arbitrary commands on the infected system. Alchimist is very similar to a recently discovered post-exploitation attack framework called Manjusaka, supporting virtually the same set of features and following the same design philosophy. However, due to some differences between the two, it is not believed that they are written by the same threat actor.
Insekt, the RAT implant used alongside Alchimist, supports common RAT functionality such as obtaining operating system information, running arbitrary commands via the command shell, taking screenshots, port and IP scanning, and shellcode execution. Upon execution, Insekt checks internet connectivity, connecting to common websites like google.com or github.com to confirm access. The Linux variant of Insekt also supports listing the contents of the .ssh directory and adding new SSH keys to the authorized_keys file, allowing the threat actor to communicate with the infected system via SSH.
The additional files found alongside the Alchimist and Insekt payloads include a macOS backdoor that exploits the pkexec vulnerability, CVE-2021-4034, to escalate privileges on the system, a script used as a first stage infection payload to drop the main Insekt payload, and a Metasploit meterpreter shellcode file. It is believed that this framework is actively being used in the wild.
Analyst Notes
It is highly recommended to maintain good network security controls within an environment, as this can help detect and prevent malicious traffic routing between the implant and the remote C2 server. It is also recommended to implement and maintain good endpoint security controls, such as an EDR, on all systems in an environment. EDRs can not only help prevent malicious payloads or behaviors from executing but can also alert upon them as well. There are numerous behaviors exhibited by the Insekt payload that allow for the capability to detect it running on an infected system. These behaviors include commands being executed abnormally using a “cmd.exe /c” execution, suspicious process injection techniques used to execute shellcode, adding new SSH keys to a Linux system in an unauthorized manner, suspicious network beaconing activity, and the use of common reconnaissance or defense evasion commands such as “net.exe” or “netsh.exe.” The first stage infection payload found alongside the Alchimist and Insekt payloads also exhibits abnormal behavior that would be detectable. In this case, it utilizes a scriptlet file to execute a wscript payload that in turn runs a PowerShell command to retrieve the Insekt payload. This process chain would be considered suspicious, allowing for the capability of detecting a potential infection as it occurs. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
https://www.bleepingcomputer.com/news/security/new-alchimist-attack-framework-targets-windows-macos-linux/
https://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html
