Headline
Feature-Rich 'Alchimist' Cyberattack Framework Targets Windows, Mac, Linux Environments
The comprehensive, multiplatform framework comes loaded with weapons, and it is likely another effort by a China-based threat group to develop an alternative to Cobalt Strike and Sliver.
Researchers have uncovered a potentially dangerous cyberattack framework targeting Windows, Linux, and Mac systems that they assess is likely already being used in the wild.
The framework consists of a new, stand-alone, command-and-control (C2) tool dubbed “Alchimist,” a previously unseen remote access Trojan (RAT) called “Insekt,” and several bespoke tools like a custom backdoor and malware for exploiting vulnerabilities in macOS. It also includes reverse proxies and several dual-use tools such as netcat, psexec, and an intranet-scanning tool called fscan.
“Alchimist is a new C2 framework that can be rapidly deployed and operated with relatively low technical expertise by a threat actor,” says Nick Biasini, head of outreach at Cisco Talos.
A Cobalt Strike Alternative?
Researchers from Cisco Talos who discovered the attack framework described Alchimist as another example of threat actors trying to develop alternatives to popular post-exploit tools such as Cobalt Strike and, more recently, Sliver.
“The emergence of such frameworks in the wild suggests that threat actors are actively trying to develop alternative solutions to popular attack frameworks … whose increasing popularity has led to rigorous detection efforts,” Biasini says.
In a blog post on Oct. 13, Cisco Talos described Alchimist as a 64-bit Linux executable written in GoLang with a Web interface written in Simplified Chinese, the official written script for mainland China. The Insekt RAT, Alchimist’s primary implant, is also implemented in GoLang. The malware features several remotely accessible capabilities that allow it to be customized via the C2 server.
"[Alchimist] can generate a configured payload, establish remote sessions, deploy payloads to the remote machines, capture screenshots, perform remote shellcode execution and run arbitrary commands," the report noted. Giving it those capabilities are a variety of malware tools, including a Mach-0 backdoor for macOS and a separate macOS malware dropper that exploits a known vulnerability in a root program associated with major Linux distributions (CVE-2021-4034).
Of note, the Insekt RAT implants that Alchimist generates features a wide range of capabilities that essentially makes it a Swiss Army knife for the attackers on the infected system, Biasini says.
A campaign utilizing the attack framework has been active since at least January.
“Although Talos does not have information on the precise targeting intended in this campaign, the intention of the attacks is to compromise and establish long-term access into victim environments,” Biasini says.
Stand-Alone Frameworks
Cisco Talos has compared the Alchimist framework with another attack framework it discovered recently, dubbed Manjusaka. In a report in August, the company described Manjusaka as a Chinese sibling of Cobalt Strike and Sliver that a threat actor was actively using in a campaign involving COVID-19 and China-themed lure documents.
Both Alchimist and Manjusaka are stand-alone, single-file-based C2 frameworks with similar design philosophies but different implementations. Both come ready to use with no installation required, and both can patch and generate implants such as the Insekt RAT on the fly, Cisco Talos said.
One feature of the new C2 that the company highlighted as being notable is its ability to generate PowerShell and wget code snippets for Windows and Linux.
The snippets give threat actors the ability to create an infection vector for Insekt RAT without having to author custom code or utilize additional tools, Biasini says. Attackers can simply add the PowerShell/wget code to a delivery vector such as a malicious document’s VBA Macro or to a malicious shortcut file and then distribute it to victims for infection.
“This offering may be an attempt by the authors to provide bonus features in the C2 framework and make it more enticing to threat actors,” he notes.
Related news
The threat actor behind a peer-to-peer (P2P) botnet known as FritzFrog has made a return with a new variant that leverages the Log4Shell vulnerability to propagate internally within an already compromised network. "The vulnerability is exploited in a brute-force manner that attempts to target as many vulnerable Java applications as possible," web infrastructure and security
A new, financially motivated operation dubbed LABRAT has been observed weaponizing a now-patched critical flaw in GitLab as part of a cryptojacking and proxyjacking campaign. "The attacker utilized undetected signature-based tools, sophisticated and stealthy cross-platform malware, command-and-control (C2) tools which bypassed firewalls, and kernel-based rootkits to hide their presence," Sysdig
gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks: - Unbounded memory buffering in the HPACK parser - Unbounded CPU consumption in the HPACK parser The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client. The unbounded memory buffering bugs: - The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb. - HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse. - gRPC’s metadata overflow check was performed per frame, so ...
Dell EMC Metro node, Version(s) prior to 7.1, contain a Code Injection Vulnerability. An authenticated nonprivileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application.
By Deeba Ahmed Alchimist is a single-file C2 framework discovered on a server hosting an active file listing on the root directory and a set of post-exploitation tools. This is a post from HackRead.com Read the original post: Linux, Windows and macOS Hit By New “Alchimist” Attack Framework
By Chetan Raghuprasad, Asheer Malhotra and Vitor Ventura, with contributions from Matt Thaxton. Cisco Talos discovered a new attack framework including a command and control (C2) tool called "Alchimist" and a new malware "Insekt" with remote administration capabilities. The Alchimist has a web interface in Simplified Chinese with remote administration features. The attack framework is designed to target Windows, Linux and Mac machines. Alchimist and Insekt binaries are implemented in GoLang. This campaign consists of additional bespoke tools such as a MacOS exploitation tool, a custom backdoor and multiple off-the-shelf tools such as reverse proxies. Cisco Talos has discovered a new single-file command and control (C2) framework the authors call "Alchimist [sic]." Talos researchers found this C2 on a server that had a file listing active on the root directory along with a set of post-exploitation tools. Cisco Talos assesses with moderate-high confidence that this framework is being...
Cisco Talos discovered a new attack framework including a command and control (C2) tool called "Alchimist" and a new malware "Insekt" with remote administration capabilities.
A now-patched critical security flaw affecting Atlassian Confluence Server that came to light a few months ago is being actively exploited for illicit cryptocurrency mining on unpatched installations. "If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment
Categories: News Categories: Threats Researchers from the AT&T Alien Labs Resarch have discovered a stealthy new Linux malware. (Read more...) The post Evasive Shikitega Linux malware drops Monero cryptominer appeared first on Malwarebytes Labs.
The Shikitega malware takes over IoT and endpoint devices, exploits vulnerabilities, uses advanced encoding, abuses cloud services for C2, installs a cryptominer, and allows full remote control.
A new piece of stealthy Linux malware called Shikitega has been uncovered adopting a multi-stage infection chain to compromise endpoints and IoT devices and deposit additional payloads. "An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist," AT&T Alien Labs said in a new report published Tuesday. The findings add to a
An issue was discovered in Aviatrix Gateway before 6.6.5712 and 6.7.x before 6.7.1376. Because Gateway API functions mishandle authentication, an authenticated VPN user can inject arbitrary commands.
Ravie Lakshmanan's recent article CISA warns of active exploitation of 'PwnKit' Linux vulnerability in the wild articulates the vulnerability in Polkit (CVE-2021-4034) and recommends "to mitigate any potential risk of exposure to cyberattacks… that organizations prioritize timely remediation of the issues," while "federal civilian executive branch agencies, however, are required to mandatorily patch the flaws by July 18
Hello everyone! In this episode, I will try to revive Security News with a focus on Vulnerability Management. On the one hand, creating such reviews requires free time, which could be spent more wisely, for example, on open source projects or original research. On the other hand, there are arguments in favor of news reviews. […]
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week moved to add a Linux vulnerability dubbed PwnKit to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. The issue, tracked as CVE-2021-4034 (CVSS score: 7.8), came to light in January 2022 and concerns a case of local privilege escalation in polkit's pkexec utility, which allows an