Headline
Linux, Windows and macOS Hit By New “Alchimist” Attack Framework
By Deeba Ahmed Alchimist is a single-file C2 framework discovered on a server hosting an active file listing on the root directory and a set of post-exploitation tools. This is a post from HackRead.com Read the original post: Linux, Windows and macOS Hit By New “Alchimist” Attack Framework
Security researchers at Cisco Talos have shared startling details of a newly discovered, feature-rich attack framework that targets Windows, macOS, and Linux systems with a remote access trojan (RAT).
It has been dubbed the Alchimist attack framework, and researchers are moderately confident that this framework is used in the wild.
Findings Details
According to a Cisco Talos report authored by Chetan Raghuprasad, Asheer Malhotra, Vitor Ventura, and Matt Thaxton, Alchimist is a single-file C2 framework discovered on a server hosting an active file listing on the root directory and a set of post-exploitation tools. It is implemented in GoLang and implants the Insekt RAT on the compromised systems.
“Alchimist is a new C2 framework that can be rapidly deployed and operated with relatively low technical expertise by a threat actor.”
Nick Biasini – Head of Outreach at Cisco Talos
It stores resources to function as a C&C server in GoLang-based assets and lets adversaries generate wget and PowerShell code snippets targeting MS Windows and Linux. When it creates malicious payloads, the user can provide parameters to specify the preferred protocol, URL, or C&C IP to target OS or run the Insekt implant as a predomain value and daemon for the SNI protocol.
Alchimist Capabilities
According to Cisco Talos’ blog post, Alchimist is a 64-bit Linux executable offering a web interface in simplified Chinese to let its operators execute code on the infected devices, capture screenshots, create remote connections, generate/deploy malicious payloads, and perform a variety of different functions.
Once initialized, the Insekt implant performs seven main functions- obtaining file size and OS info, running commands through the command prompt, running commands as a different user, upgrading the implant, initiating sleep mode for various periods, etc.
Other post-exploitation tools researchers identified include a custom backdoor, a reverse proxy that targeted macOS (frp), psexec, fscan, netcat, and similar off-the-shelf tools. They also detected a Mach-O dropper, which contained an exploit for a privilege escalation vulnerability tracked as CVE-2021-4034 and found in Polkit’s Pkexec utility and Mach-O bind shell backdoor.
Furthermore, the RAT checks the system’s internet connectivity, performs port IP scanning and SSH manipulation, lists .ssh directory on Linux, and executes arbitrary commands on the operating system’s Shell.
Similarity with Manjusaka
Cisco researchers observed strong similarities between Alchimist and another recently detected self-contained attack framework dubbed Manjusaka. Researchers noted that although their features are identical, their implementation methods differ.
Another difference is the use of unusual protocol SNI in Alchimist. Both frameworks are designed/implemented to work as standalone GoLang-based executables. In both cases, the implant configuration is defined through the web UI written in Simplified Chinese.
Researchers described Alchimist as the latest proof of threat actors’ evolving urge to create alternatives to standard post-exploitation tools like Sliver and Cobalt Strike.
- New DDoS Malware ‘Chaos’ Hits Linux and Windows Devices
- Windows, Linux and macOS Users Hit by Chinese APT Group
- ElectroRat crypto malware hits macOS, Windows, Linux devices
- Multi-platform SysJoker backdoor Hits Windows, macOS & Linux
- CrossRAT keylogging malware targets Linux, macOS & Windows PCs
Related news
The threat actor behind a peer-to-peer (P2P) botnet known as FritzFrog has made a return with a new variant that leverages the Log4Shell vulnerability to propagate internally within an already compromised network. "The vulnerability is exploited in a brute-force manner that attempts to target as many vulnerable Java applications as possible," web infrastructure and security
A new, financially motivated operation dubbed LABRAT has been observed weaponizing a now-patched critical flaw in GitLab as part of a cryptojacking and proxyjacking campaign. "The attacker utilized undetected signature-based tools, sophisticated and stealthy cross-platform malware, command-and-control (C2) tools which bypassed firewalls, and kernel-based rootkits to hide their presence," Sysdig
gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks: - Unbounded memory buffering in the HPACK parser - Unbounded CPU consumption in the HPACK parser The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client. The unbounded memory buffering bugs: - The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb. - HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse. - gRPC’s metadata overflow check was performed per frame, so ...
A new intelligence gathering campaign linked to the prolific North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra devices to compromise victim systems. That's according to Finnish cybersecurity company WithSecure (formerly F-Secure), which codenamed the incident No Pineapple. Targets of the malicious operation included a healthcare research organization
Dell EMC Metro node, Version(s) prior to 7.1, contain a Code Injection Vulnerability. An authenticated nonprivileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application.
The comprehensive, multiplatform framework comes loaded with weapons, and it is likely another effort by a China-based threat group to develop an alternative to Cobalt Strike and Sliver.
A previously undocumented command-and-control (C2) framework dubbed Alchimist is likely being used in the wild to target Windows, macOS, and Linux systems. "Alchimist C2 has a web interface written in Simplified Chinese and can generate a configured payload, establish remote sessions, deploy payload to the remote machines, capture screenshots, perform remote shellcode execution, and run
Cisco Talos discovered a new attack framework including a command and control (C2) tool called "Alchimist" and a new malware "Insekt" with remote administration capabilities.
By Deeba Ahmed The stealthy malware leverages security flaws to gain privilege escalation and establish persistence. This is a post from HackRead.com Read the original post: Stealthy Linux Malware Shikitega Deploying Monero Cryptominer
Categories: News Categories: Threats Researchers from the AT&T Alien Labs Resarch have discovered a stealthy new Linux malware. (Read more...) The post Evasive Shikitega Linux malware drops Monero cryptominer appeared first on Malwarebytes Labs.
The Shikitega malware takes over IoT and endpoint devices, exploits vulnerabilities, uses advanced encoding, abuses cloud services for C2, installs a cryptominer, and allows full remote control.
A new piece of stealthy Linux malware called Shikitega has been uncovered adopting a multi-stage infection chain to compromise endpoints and IoT devices and deposit additional payloads. "An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist," AT&T Alien Labs said in a new report published Tuesday. The findings add to a
PrinterLogic Windows Client through 25.0.0.676 allows attackers to execute directory traversal. Authenticated users with prior knowledge of the driver filename could exploit this to escalate privileges or distribute malicious content.
An issue was discovered in Aviatrix Gateway before 6.6.5712 and 6.7.x before 6.7.1376. Because Gateway API functions mishandle authentication, an authenticated VPN user can inject arbitrary commands.
Ravie Lakshmanan's recent article CISA warns of active exploitation of 'PwnKit' Linux vulnerability in the wild articulates the vulnerability in Polkit (CVE-2021-4034) and recommends "to mitigate any potential risk of exposure to cyberattacks… that organizations prioritize timely remediation of the issues," while "federal civilian executive branch agencies, however, are required to mandatorily patch the flaws by July 18
Security considerations are even more important today than they were in the past. Every day we discover new vulnerabilities that impact our computer systems, and every day our computer systems become more complex. With the deluge of vulnerabilities that threaten to swamp our security teams, the question, "How much does it matter?" comes quickly to our minds. This question, "Does it matter?", has two parts:
A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.