Cybersecurity researchers have discovered a new attack and command-and-control (C2) framework, dubbed "Alchimist," that appears to be actively used in attacks on Windows, macOS and Linux systems.
What is Alchimist?
Alchimist is a 64-bit Linux executable written in Go that serves a web interface in Simplified Chinese. The package bundles custom-built tools, including a macOS exploitation tool and a backdoor, alongside off-the-shelf tools such as reverse proxies, Talos said in a blog post. The framework can generate a configured payload, establish remote sessions, deploy the payload to remote machines, capture screenshots, execute shellcode remotely and run arbitrary commands.
In some ways it is similar to Manjusaka, a recently emerged post-exploitation attack framework that is gaining popularity among Chinese hackers. Both follow the same design and offer similar features.
Managed security service providers (MSSPs) should take note of the Alchimist and Manjusaka campaigns as each gains steam.
The attackers are also using malware dubbed Insekt, a new remote access trojan (RAT), also discovered by Talos and written in Go, that packs a variety of remote access capabilities that can be leveraged by the Alchimist C2 server.
Alchimist is another attack framework available to unsophisticated attackers who lack the resources to build their own components for a multi-faceted attack, Talos suggested. At the same time, sophisticated gangs can make use of the framework as a secondary tool.
Here's what Talos had to say on the subject:
“Our discovery of Alchimist is yet another indication that threat actors are rapidly adopting off-the-shelf C2 frameworks to carry out their operations. A threat actor gaining privileged shell access on a victim's machine is like having a Swiss Army knife, enabling the execution of arbitrary commands or shellcodes in the victim's environment, resulting in significant effects on the target organization.”
Steps to Protect Against Alchimist
Endpoint security teams should take the following steps to defend against an Alchimist attack:
- Implement layered security defenses.
- Constantly monitor privileged operations in the environment and detect any unauthorized program attempting to gain root privileges.
- Network security teams should look for any unusual traffic into the organization's environment and be cautious about suspicious artifacts downloaded onto the network.
- Enforce controlled download and file-execution policies on endpoints and servers; this can effectively protect organizational assets from threats of this kind.
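The second step above, detecting unauthorized programs that gain root, is the one that can be turned directly into detection logic. The following is an added example, not code from the article or from Talos: it scans Linux auditd-style SYSCALL records for execve calls that crossed from an unprivileged uid into euid 0 through a binary that is not on an allowlist of expected setuid helpers, and for anything executed out of a world-writable scratch directory. The log lines, the allowlist and the scratch-directory list are all constructed for the example and should be replaced with your own baseline.

```python
"""
Added example (not part of the original article or Talos's report).
Flags two things in raw auditd SYSCALL records:
  1. an execve from a world-writable scratch directory (/tmp, /dev/shm, /var/tmp)
  2. an execve where uid != 0 but euid == 0 via a binary that is NOT a known
     setuid helper, i.e. an unexpected transition into root
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: expected setuid helpers on a typical Debian/Ubuntu host.
# Replace with a baseline taken from your own images.
KNOWN_SETUID = {
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd",
    "/usr/bin/pkexec", "/usr/bin/newgrp", "/usr/bin/chsh",
}
# Directories from which no legitimate privileged binary should run.
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Raw audit logs carry the syscall number; 59 is execve on x86_64.
# `ausearch -i` output spells it out as execve, so accept both.
EXECVE = {"59", "execve"}

# Matches key=value pairs in a SYSCALL record, quoted or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    reason: str
    pid: int
    uid: int
    exe: str


def parse_record(line: str) -> dict:
    """Turn 'type=SYSCALL msg=audit(...): key=val ...' into a dict of fields."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def check_record(fields: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious successful execve, else None."""
    if fields.get("type") != "SYSCALL" or fields.get("syscall") not in EXECVE:
        return None
    if fields.get("success") != "yes":
        return None  # the exec never happened
    uid, euid = int(fields["uid"]), int(fields["euid"])
    exe = fields.get("exe", "")
    pid = int(fields.get("pid", 0))
    if exe.startswith(SCRATCH_DIRS):
        return Finding("exec from scratch dir", pid, uid, exe)
    if uid != 0 and euid == 0 and exe not in KNOWN_SETUID:
        return Finding("unexpected uid->root transition", pid, uid, exe)
    return None


def scan(lines) -> list:
    """Run check_record over every line and keep the hits."""
    return [f for f in (check_record(parse_record(l)) for l in lines) if f]


# Constructed sample records (not real captures). Field order mirrors auditd.
SAMPLE_LOG = [
    # benign: user 1000 ran sudo, a known setuid helper
    'type=SYSCALL msg=audit(1665593241.101:4521): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1883 pid=1901 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 '
    'comm="sudo" exe="/usr/bin/sudo" key="priv_esc"',
    # suspicious: something executed out of /tmp
    'type=SYSCALL msg=audit(1665593242.202:4522): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1901 pid=1905 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 '
    'comm="agent" exe="/tmp/.cache/agent" key="priv_esc"',
    # suspicious: user 1000 became root through a binary that is not a known setuid helper
    'type=SYSCALL msg=audit(1665593243.303:4523): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1905 pid=1910 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 '
    'comm="helper" exe="/home/alice/.local/bin/helper" key="priv_esc"',
    # ignored: the exec failed
    'type=SYSCALL msg=audit(1665593244.404:4524): arch=c000003e syscall=59 success=no exit=-13 '
    'ppid=1905 pid=1911 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 '
    'comm="helper" exe="/home/alice/.local/bin/helper" key="priv_esc"',
    # ignored: root running a normal binary
    'type=SYSCALL msg=audit(1665593245.505:4525): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1 pid=1920 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'comm="cron" exe="/usr/sbin/cron" key="priv_esc"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.reason}: pid={finding.pid} uid={finding.uid} exe={finding.exe}")
```

An auditd rule such as `-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k priv_esc` is the usual way to produce records of this shape; the allowlist is what keeps sudo and su out of the alert stream, so it must be built from a known-good image rather than from whatever happens to be setuid on a live host.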