Cisco Talos discovered a new attack framework including a command and control (C2) tool called “Alchimist” and a new malware “Insekt” with remote administration capabilities.
The Alchimist has a web interface in Simplified Chinese with remote administration features.
The attack framework is designed to target Windows, Linux and Mac machines.
Alchimist and Insekt binaries are implemented in GoLang.
This campaign consists of additional bespoke tools such as a MacOS exploitation tool, a custom backdoor and multiple off-the-shelf tools such as reverse proxies.
Cisco Talos has discovered a new single-file command and control (C2) framework the authors call “Alchimist [sic].” Talos researchers found this C2 on a server that had a file listing active on the root directory along with a set of post-exploitation tools.
Cisco Talos assesses with moderate-high confidence that this framework is being used in the wild.
“Alchimist” is a 64-bit Linux executable written in GoLang and packed with assets including resources for the web interface and Insekt RAT payloads compiled for Windows and Linux.
Insekt RAT, a new trojan Cisco Talos discovered, is Alchimist’s beacon implant written in GoLang and has a variety of remote access capabilities that can be instrumented by the Alchimist C2 server.
Alchimist C2 has a web interface written in Simplified Chinese and can generate a configured payload, establish remote sessions, deploy payload to the remote machines, capture screenshots, perform remote shellcode execution and run arbitrary commands.
Among the remaining tools, Cisco Talos found a Mach-O dropper embedded with an exploit to target a known vulnerability CVE-2021-4034, a privilege escalation issue in polkit’s pkexec utility, and a Mach-O bind shell backdoor. The Qualys Research Team discovered CVE-2021-4034 in November 2021, and in January 2022, the U.S.’s National Security Agency Cybersecurity Director warned that the vulnerability was being exploited in the wild.
The server also contained dual-use tools like psexec and netcat, along with a scanning tool called “fscan,” which the author defines as an “intranet scanning tool,” essentially all the necessary tools for lateral movement.
Sign Up For Threat Alerts
Jul 04, 2023
Rhysida Ransomware RaaS Crawls Out of Crimeware...
The Rhysida ransomware-as-a-service (RaaS) group has gone from a dubious newcomer to a fully-fledged ransomware...
Jun 26, 2023
Operation Magalenha – Long-Running Campaign Pursues Portuguese...
The attackers can steal credentials and exfiltrate users' data and personal information, which can be...
Apr 24, 2023
Lazarus Group Adds Linux Malware to Arsenal...
Researchers have discovered a new campaign conducted by Lazarus, known as "Operation DreamJob," which targets...
Apr 23, 2023
Additional IOCs for 3cx breach
Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed.
Apr 23, 2023
Ex-Conti and FIN7 Actors Collaborate with New...
IBM Security X-Force recently discovered a new malware family Analysts have called "Domino," which Analysts...
Apr 20, 2023
AuKill EDR killer malware abuses Process Explorer...
The AuKill tool abuses an outdated version of the driver used by version 16.32 of...
Apr 20, 2023
Fake Chrome updates spread malware
A campaign running since the end of last year is using hacked sites to push...
Apr 20, 2023
QBot using new attack vector in its...
QBot, also known as QakBot, previously operated as a banking trojan and has since transformed...
Apr 20, 2023
CrossLock Ransomware Emerges: New Golang – Based...
The CrossLock ransomware employs the double extortion technique to increase the likelihood of payment from...
Apr 20, 2023
Windows Zero-Day Vulnerability CVE-2023-28252 Exploited by Nokoyawa...
A zero-day vulnerability in the Microsoft Windows system, which also affects Windows 11, has been...
Apr 18, 2023
Additional IOcs for 3cx breach
Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed. As...
Apr 18, 2023
Additional IOcs for 3cx breach
Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed. As...
Apr 18, 2023
APT36 Expands Interest Within Indian Education Sector
Symantec described UPS in 2016 report as Buckeye (also known as APT3 Gothic Panda UPS...
Apr 17, 2023
ChinaZ DDoS Bot Malware Distributed To Linux...
The ChinaZ DDoS bot malware was discovered targeting Linux systems while a version for Microsoft...
Apr 16, 2023
Resurgence Of The Mexals Cryptojacking Campaign
The Mexals crypto jacking campaign has been in operation since at least 2021 and continues...