A new attack framework, complete with both a command and control (C2) tool and a remote access trojan (RAT), has been discovered in the wild, according to researchers at Cisco Talos. The C2 tool, dubbed Alchimist, and the RAT, Insekt, were found by Talos researchers on a web server which had file listing active on the root directory alongside a set of post-exploitation tools.
Both Alchimist and Insekt are written in Go (GoLang), which lets threat actors build payloads for different operating systems with little effort. The Alchimist C2 tool has a web interface written in Simplified Chinese and supports a number of commands, including generating a configured payload, establishing remote sessions, deploying payloads to remote machines, capturing screenshots, performing remote shellcode execution, and running arbitrary commands on the infected system. Alchimist is very similar to a recently discovered post-exploitation attack framework called Manjusaka, supporting virtually the same set of features and following the same design philosophy. However, because of some differences between the two, they are not believed to have been written by the same threat actor.
Insekt, the RAT implant used alongside Alchimist, supports common RAT functionality such as obtaining operating system information, running arbitrary commands via the command shell, taking screenshots, port and IP scanning, and shellcode execution. Upon execution, Insekt checks internet connectivity, connecting to common websites like google.com or github.com to confirm access. The Linux variant of Insekt also supports listing the contents of the .ssh directory and adding new SSH keys to the authorized_keys file, allowing the threat actor to communicate with the infected system via SSH.
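The SSH persistence behaviour described above (new keys appended to authorized_keys) is something defenders can audit directly. The following is an added example, not code from the Talos report or from the Alchimist/Insekt tooling: it parses an authorized_keys file, computes OpenSSH-style SHA256 fingerprints, and flags any entry whose fingerprint is not in a baseline captured at provisioning time; unparseable lines are flagged too. The sample file and key blobs are constructed placeholders.

```python
import base64
import hashlib
import shlex
from typing import Dict, List, Set

# Key types OpenSSH accepts in authorized_keys (subset; extend as needed).
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the same form `ssh-keygen -lf` prints it."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str) -> List[Dict[str, object]]:
    """Split each key line into options, key type, fingerprint and comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # keeps quoted options like command="..." whole
            idx = next(i for i, t in enumerate(tokens) if t in KEY_TYPES)
            fp = fingerprint(tokens[idx + 1])
        except (ValueError, StopIteration, IndexError):
            # Malformed or unrecognised line: surface it rather than silently skipping it.
            entries.append({"line": lineno, "type": None, "fingerprint": None,
                            "options": line, "comment": ""})
            continue
        entries.append({"line": lineno, "type": tokens[idx], "fingerprint": fp,
                        "options": " ".join(tokens[:idx]),
                        "comment": " ".join(tokens[idx + 2:])})
    return entries

def audit(text: str, baseline: Set[str]) -> List[Dict[str, object]]:
    """Return entries whose fingerprint is absent from the approved baseline."""
    return [e for e in parse_authorized_keys(text) if e["fingerprint"] not in baseline]

# Constructed sample data: the key blobs are placeholders, not real public keys.
KEY_A = base64.b64encode(b"constructed-key-blob-A").decode()
KEY_B = base64.b64encode(b"constructed-key-blob-B").decode()
SAMPLE = f"""# admin workstation
ssh-ed25519 {KEY_A} admin@workstation
from="10.0.0.0/8",no-pty ssh-rsa {KEY_B} deploy
"""

if __name__ == "__main__":
    approved = {fingerprint(KEY_A)}  # baseline recorded when the host was provisioned
    for f in audit(SAMPLE, approved):
        print(f"line {f['line']}: unknown key {f['fingerprint']} ({f['comment']})")
```

In production, replace SAMPLE with the contents of each user's authorized_keys and keep the baseline fingerprints in configuration management so that a key appended by an implant shows up as a finding.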
The additional files found alongside the Alchimist and Insekt payloads include a macOS backdoor that exploits the pkexec vulnerability, CVE-2021-4034, to escalate privileges on the system, a script used as a first-stage infection payload to drop the main Insekt payload, and a Metasploit Meterpreter shellcode file. The framework is believed to be in active use in the wild.