by D. Howard Kass • Oct 17, 2022
Cybersecurity researchers have discovered a new attack and C2 framework the hackers are calling “Alchimist,” which appears to be actively used in attacks on Windows, macOS and Linux systems.
Alchimist is a 64-bit Linux executable written in GoLang (Go) and uses a web interface in Simplified Chinese. The package contains custom-built tools, such as a macOS exploitation tool and a backdoor, as well as off-the-shelf tools such as reverse proxies, Talos said in a blog post. The framework can generate a configured payload, establish remote sessions, deploy payloads to remote machines, capture screenshots, perform remote shellcode execution and run arbitrary commands.
In some ways it’s similar to Manjusaka, a recently emerged post-exploitation attack framework growing popular among Chinese hackers. Both follow the same design framework and have similar features.
Managed security service providers (MSSPs) should take note of the Alchimist and Manjusaka campaigns as each gains steam.
The attackers are also using malware dubbed Insekt, a new remote access trojan (RAT) written in Go and also discovered by Talos, which packs a variety of remote access capabilities that can be leveraged by the Alchimist C2 server.
Alchimist is another attack framework available to unsophisticated attackers lacking the resources to build their own components to launch a multi-faceted attack, Talos suggested. At the same time, even sophisticated gangs can make use of the framework as a secondary tool.
Here’s what Talos had to say on the subject:
“Our discovery of Alchimist is yet another indication that threat actors are rapidly adopting off-the-shelf C2 frameworks to carry out their operations. A threat actor gaining privileged shell access on a victim’s machine is like having a Swiss Army knife, enabling the execution of arbitrary commands or shellcodes in the victim’s environment, resulting in significant effects on the target organization.”
Endpoint security teams should take the following steps to defend against an Alchimist attack: