Alchemist And Insekt Malware Targeting Linux, Windows, And MacOS

Cisco Talos discovered a new attack framework including a command and control (C2) tool called “Alchimist” and a new malware “Insekt” with remote administration capabilities.
The Alchimist has a web interface in Simplified Chinese with remote administration features.
The attack framework is designed to target Windows, Linux and Mac machines.
Alchimist and Insekt binaries are implemented in GoLang.
This campaign consists of additional bespoke tools such as a MacOS exploitation tool, a custom backdoor and multiple off-the-shelf tools such as reverse proxies.
Cisco Talos has discovered a new single-file command and control (C2) framework the authors call “Alchimist [sic].” Talos researchers found this C2 on a server that had a file listing active on the root directory along with a set of post-exploitation tools.

Cisco Talos assesses with moderate-high confidence that this framework is being used in the wild.

“Alchimist” is a 64-bit Linux executable written in GoLang and packed with assets including resources for the web interface and Insekt RAT payloads compiled for Windows and Linux.

Insekt RAT, a new trojan Cisco Talos discovered, is Alchimist’s beacon implant written in GoLang and has a variety of remote access capabilities that can be instrumented by the Alchimist C2 server.

Alchimist C2 has a web interface written in Simplified Chinese and can generate a configured payload, establish remote sessions, deploy payload to the remote machines, capture screenshots, perform remote shellcode execution and run arbitrary commands.

Among the remaining tools, Cisco Talos found a Mach-O dropper embedded with an exploit to target a known vulnerability CVE-2021-4034, a privilege escalation issue in polkit’s pkexec utility, and a Mach-O bind shell backdoor. The Qualys Research Team discovered CVE-2021-4034 in November 2021, and in January 2022, the U.S.’s National Security Agency Cybersecurity Director warned that the vulnerability was being exploited in the wild.

The server also contained dual-use tools like psexec and netcat, along with a scanning tool called “fscan,” which the author defines as an “intranet scanning tool,” essentially all the necessary tools for lateral movement.

Sign Up For Threat Alerts

Loading...
Threats Icon

Mar 21, 2023

Dotrunpex – Demystifying new virtualized .net injector...

DotRunpeX is a new injector written in .NET using the Process Hollowing technique and used...

Threats Icon

Mar 21, 2023

GlobeImposter Ransomware With MedusaLocker Spreading Via RDP

A GlobeImposter ransomware campaign was discovered being carried out by the attackers behind MedusaLocker. The...

Threats Icon

Mar 20, 2023

Common credential stealers

FortiGuard Threat Research has observed an increasing threat arising from credential stealers. The most common...

Threats Icon

Mar 20, 2023

Sirattacker And ALC Ransomware Analysis

The Sirattacker and ALC ransomware families continue to gain traction and compromise Microsoft Windows devices....

Threats Icon

Mar 19, 2023

Google Advertising Used To Distribute RedLine Stealer

A malvertising campaign was discovered mimicking websites belonging to well-known software such as Notepad++ and...

Threats Icon

Mar 16, 2023

Microsoft Outlook Elevation of Privilege Vulnerability Exploit

Microsoft has posted a security vulnerability CVE-2023-23397, exploiting it allows attackers to gain elevated privileges...

Threats Icon

Mar 16, 2023

ImBetter Information Stealer Targets Cryptocurrency Users

Threat actors are targeting cryptocurrency users with the ImBetter information stealer malware. Adversaries are hosting...

Threats Icon

Mar 16, 2023

ImBetter Information Stealer Targets Cryptocurrency Users

Threat actors are targeting cryptocurrency users with the ImBetter information stealer malware. Adversaries are hosting...

Threats Icon

Mar 15, 2023

US Cert Alert – Threat Actors Exploit...

CISA and authoring organizations assess that, beginning as late as November 2022, threat actors successfully...

Threats Icon

Mar 15, 2023

Threat Actors Use ParallaxRAT For Targeting Cryptocurrency...

Threat actors are targeting organization in the cryptocurrency sector with spam and phishing campaigns that...

Threats Icon

Mar 13, 2023

Exposing The Lazarus Arsenal WinorDLL64 Backdoor

In 2021 the researchers discovered and dissected a tool from the Lazarus APTs arsenal named...

Threats Icon

Mar 12, 2023

Clasiopa New Group Targets Materials Research

A campaign targeting the materials research sector with custom and commodity utilities and malware is...

Threats Icon

Mar 09, 2023

New Emotet campaign

Emotet is a type of malware that is designed to steal sensitive information from infected...

Threats Icon

Mar 09, 2023

How sys01 stealer will get your sensitive...

Morphisec has been tracking an advanced info stealer Analysts have named "SYS01 stealer." SYS01 stealer...

Threats Icon

Mar 09, 2023

How sys01 stealer will get your sensitive...

Morphisec has been tracking an advanced info stealer Analysts have named "SYS01 stealer." SYS01 stealer...