Updated on 2022-10-15
Researchers at Cisco Talos Intelligence have detected a new command-and-control framework, Alchimist [sic], which is designed to target machines running Windows, Linux, and macOS. Talos researchers also discovered an associated remote-access trojan (RAT) called Insekt. “Cisco Talos assesses with moderate-high confidence that this framework is being used in the wild.”
Note
- Kudos to Talos, as this is the second C2 they have identified in the wild. We have added them to the C2 Matrix, which is now tracking 110 C2s: https://www.thec2matrix.com/
- The Alchimist C2 server passes instructions to the Insekt implant, which executes them on Windows and Linux systems. For macOS, the framework carries a Mach-O dropper containing an exploit for CVE-2021-4034 (the privilege-escalation flaw in Polkit's pkexec utility); a vulnerable pkexec must already be present on the target for the exploit to work. Alchimist is intended as an all-in-one attack framework: feature-rich, reasonably well built, designed to evade detection and convenient for dropping implants on targets. Off-the-shelf frameworks like this also make attribution harder, because an operator's traffic blends in with that of every other attacker using the same tooling.
Read more in
- Alchimist: A new attack framework in Chinese for Mac, Linux and Windows
- New Alchemist attack framework targets Windows, macOS, Linux
- New Chinese Malware Attack Framework Targets Windows, macOS, and Linux Systems
Updated on 2022-10-14
Cisco Talos researchers published a report this week on Alchimist and Insekt, a new C&C framework and RAT, respectively, both of which have been spotted in attacks in the wild. Talos researchers said both tools are written in the Go programming language, that Alchimist has a Chinese-language web interface, and that Insekt is cross-platform, able to infect Windows, Linux, and Mac machines alike.
Updated on 2022-10-13
Cisco Talos has discovered a new single-file command and control (C2) framework the authors call “Alchimist [sic].” Talos researchers found this C2 on a server with an open directory listing at its web root, alongside a set of post-exploitation tools. Talos assesses with moderate-high confidence that this framework is being used in the wild. “Alchimist” is a 64-bit Linux executable written in Go and packed with assets, including resources for the web interface and Insekt RAT payloads compiled for Windows and Linux. Insekt RAT, a new trojan Cisco Talos discovered, is Alchimist's beacon implant; it is written in Go and has a variety of remote access capabilities that can be instrumented by the Alchimist C2 server. The Alchimist C2 has a web interface written in Simplified Chinese and can generate a configured payload, establish remote sessions, deploy payloads to remote machines, capture screenshots, perform remote shellcode execution and run arbitrary commands.
ClamAV signatures:
- Osx.Exploit.CVE_2021_4034-9951522-2
- Unix.Exploit.CVE_2021_4034-9951523-0
- Unix.Exploit.CVE_2021_4034-9951524-0
- Unix.Exploit.CVE_2021_4034-9951525-0
- Unix.Exploit.CVE_2021_4034-9951526-0
- Unix.Malware.Insekt-9955436-0
- Win.Malware.Insekt-9955440-0
- Unix.Malware.Alchimist-9955784-0
- Multios.Malware.Insekt-9961177-0
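The list above is only useful if a scan hit on one of these names actually reaches a responder. The following is an added example, not code from Cisco Talos, the ClamAV project or this page's author: it parses `clamscan`/`clamdscan` style output lines (`<path>: <signature> FOUND`) and buckets each hit against the signature list from the report. ClamAV signature names follow the scheme `Platform.Category.Name-SignatureID-Revision`, and the numeric ID stays stable when a signature is revised, so hits are matched on the ID rather than the full string; a hit whose family name matches (Insekt, Alchimist, CVE_2021_4034) but whose ID is not in the report is reported as "related". The scan output is constructed for the example, and the signatures ending in `8888888-0` and `1234567-0`, as well as the `-3` revision of the Multios signature, are hypothetical and not from the page.

```python
"""Triage clamscan output against the Alchimist/Insekt signature list.

Added example; not code from Cisco Talos, ClamAV or the page author.
SAMPLE_SCAN below is constructed to mimic `clamscan`/`clamdscan` output.
"""
import re
from collections import Counter

# Signatures exactly as listed in the Talos report above.
ALCHIMIST_SIGS = frozenset({
    "Osx.Exploit.CVE_2021_4034-9951522-2",
    "Unix.Exploit.CVE_2021_4034-9951523-0",
    "Unix.Exploit.CVE_2021_4034-9951524-0",
    "Unix.Exploit.CVE_2021_4034-9951525-0",
    "Unix.Exploit.CVE_2021_4034-9951526-0",
    "Unix.Malware.Insekt-9955436-0",
    "Win.Malware.Insekt-9955440-0",
    "Unix.Malware.Alchimist-9955784-0",
    "Multios.Malware.Insekt-9961177-0",
})

# Labels for the three families the report's signatures cover.
FAMILY_LABELS = {
    "Insekt": "Insekt RAT implant",
    "Alchimist": "Alchimist C2 server binary",
    "CVE_2021_4034": "CVE-2021-4034 (pkexec) exploit",
}

# ClamAV naming scheme: Platform.Category.Name-SignatureID-Revision
SIG_RE = re.compile(
    r"^(?P<platform>[A-Za-z]+)\.(?P<category>[A-Za-z]+)\.(?P<name>[A-Za-z0-9_]+)"
    r"-(?P<sigid>\d+)-(?P<rev>\d+)$"
)
# clamscan hit line: "<path>: <signature> FOUND" (path may itself contain ':')
HIT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_signature(sig):
    """Split a ClamAV signature name into its fields, or return None."""
    m = SIG_RE.match(sig)
    if not m:
        return None
    fields = m.groupdict()
    fields["sigid"] = int(fields["sigid"])
    fields["rev"] = int(fields["rev"])
    return fields


# Match on the stable signature ID so a later revision (-1, -2, ...) still hits.
KNOWN_IDS = {parse_signature(s)["sigid"] for s in ALCHIMIST_SIGS}


def parse_scan_output(text):
    """Extract FOUND lines; OK lines, blanks and the scan summary are skipped."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue
        fields = parse_signature(m.group("sig"))
        if fields is None:
            continue  # not in Platform.Category.Name-ID-Rev form
        hits.append({"path": m.group("path"), "sig": m.group("sig"), **fields})
    return hits


def triage(text):
    """Bucket hits as 'campaign' (ID from the report, any revision),
    'related' (same family name, different ID) or 'other'."""
    report = {"campaign": [], "related": [], "other": [],
              "by_family": Counter(), "platforms": set()}
    for hit in parse_scan_output(text):
        label = FAMILY_LABELS.get(hit["name"])
        if hit["sigid"] in KNOWN_IDS:
            bucket = "campaign"
        elif label is not None:
            bucket = "related"
        else:
            bucket = "other"
        report[bucket].append((hit["path"], hit["sig"], label))
        if bucket != "other":
            report["by_family"][label] += 1
            report["platforms"].add(hit["platform"])
    return report


# Constructed sample output. The Multios hit carries a hypothetical later
# revision; the 8888888 and 1234567 signatures are hypothetical, not from the page.
SAMPLE_SCAN = r"""
/opt/.cache/insekt: Unix.Malware.Insekt-9955436-0 FOUND
/tmp/pwnkit: Unix.Exploit.CVE_2021_4034-9951523-0 FOUND
C:\Users\Public\svchost.exe: Win.Malware.Insekt-9955440-0 FOUND
/var/www/html/alchimist: Unix.Malware.Alchimist-9955784-0 FOUND
/Users/dev/Downloads/update: Multios.Malware.Insekt-9961177-3 FOUND
/home/user/Downloads/insekt2: Unix.Malware.Insekt-8888888-0 FOUND
/home/user/Downloads/setup.bin: Win.Trojan.Agent-1234567-0 FOUND
/usr/bin/ls: OK

----------- SCAN SUMMARY -----------
Infected files: 7
"""

if __name__ == "__main__":
    result = triage(SAMPLE_SCAN)
    for bucket in ("campaign", "related", "other"):
        for path, sig, label in result[bucket]:
            print(f"{bucket:8} {sig:42} {label or '-':32} {path}")
    print(dict(result["by_family"]), sorted(result["platforms"]))
```

Feed it real output with something like `clamscan -r --infected /path | python3 triage.py` after replacing `SAMPLE_SCAN` with `sys.stdin.read()`; anything in the `campaign` or `related` buckets should be escalated, and a `CVE_2021_4034` hit on a Linux host is worth a check of whether the installed pkexec is still vulnerable, since the report notes the exploit only works where a vulnerable pkexec is already present.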
Overview
A new attack and C2 framework, dubbed Alchimist, was found capable of targeting Linux, macOS, and Windows systems. It can run arbitrary commands and perform remote shellcode execution. Read more: Alchimist: A new attack framework in Chinese for Mac, Linux and Windows