New Chinese Alchemist attack framework serves Windows, Linux and macOS implants

Researchers have discovered a new attack framework of Chinese origin that they believe is used in nature. The framework is composed of a command and control (C2) backend called Alchemist and a customizable remote access Trojan (RAT) for Windows and Linux machines. The framework can also be used to generate PowerShell-based attack shellcode or distribute malicious implants for other platforms such as macOS.

“Our discovery of Alchemist is another indication that threat actors are rapidly adopting out-of-the-box C2 frameworks to carry out their operations,” Cisco Talos researchers said in a new report. “A similar out-of-the-box C2 framework called ‘Manjusaka’ was recently leaked by Talos.”

Alchimist is a standalone C2 backend

The Alchemist tool is written in GoLang and is deployed to servers as a single, self-contained file containing both the implants and the user interface that attackers use to interact with their victims’ systems. The fact that the backend is self-contained in a single cross-platform executable makes it easier for attackers to deploy.

Alchimist components, including the web UI, are stored in the executable file as GoLang assets and unpacked and written to a directory called /tmp/Res/ on initialization. A self-signed HTTPS certificate used by the C2 server to encrypt communication with victim implants is also written to the /tmp/ directory. The “Res” folder contains the code for the web interface and other directories, including one called Payload where the Windows and Linux binaries for a RAT called Insekt are stored.

Alchimist’s web interface uses simplified Chinese and offers several options to its users, including the ability to customize implants. Attackers can choose the communication protocols supported by the implant (TLS, SNI, and WSS/WS), the hostname or IP address of the C2 server, the platform between Windows and Linux, and whether the ‘implant will run as a daemon (service) on the targeted endpoint.

When this feature is used, the C2 tool loads the default Insekt binaries into memory and automatically fixes their code, saving the resulting binaries to a temporary directory and serving them to the attacker for download. This is a much simpler technique than compiling new binaries from source code and does not require any compilation dependencies that might not exist on the server.

While there are several similarities between Alchimist and another single-file C2 framework called Manjusaka, both being written in GoLang and offering similar functionality, including clustering of malicious implants, there are also implementation differences. While Manjusaka uses the Gin web framework to implement the user interface and uses packr for asset management, Alchimist has implemented all of its features using GoLang’s core functionality and code.

“We observed that Alchimist, in addition to standard HTTP/S, also supports protocols such as SNI, WSS/WS,” Talos researchers said. “Manjusaka, on the other hand, mentions SNI, WSS/WS on its documentation but only supports HTTP.”

Another cool feature of Alchimist is that in addition to customizing the Insekt RAT, it allows attackers to generate PowerShell and wget code snippets to download the Insekt RAT from the C2 server. Attackers can embed these code snippets into other infection mechanisms such as malicious documents or malicious LNK files.

On an active C2 server they scanned, the researchers also found a malicious executable written in GoLang for macOS. This executable acts as a malware dropper and attempts to elevate privileges by exploiting the PwnKit vulnerability in polkit’s pkexec utility (CVE-2021-4034). What’s interesting is that polkit is not a default utility on macOS and is more commonly found on Linux. In fact, researchers also found the Linux variant of the same exploit on the server.

The macOS dropper, if successful, would open a reverse shell on the infected machine, giving attackers remote control over it. The researchers also found Windows shellcode associated with Meterpreter, the implementer of the Metasploit penetration testing framework.

Insekt is a complete RAT

The Insekt implant associated with Alchimist is also written in GoLang, which makes it cross-platform. It offers attackers a variety of features, including collecting identifiable information about the victim’s system, taking screenshots, executing commands as a specified user, executing shellcode, analysis of IP addresses and port numbers on the network, manipulation of SSH keys and proxy connections.

The Linux variant lists the contents of the .ssh directory where the user’s SSH configuration is normally found. It then attempts to add new SSH keys to the authorized_keys file which allows an attacker to log into the system directly via SSH using their own keys.

The RAT also implements PowerShell, bash, and cmd.exe-based interactive shells through which attackers can execute predefined sets of commands on systems. A module called “Command Line Interface (CLI)” further allows attackers to perform various actions such as browsing directories, enumerating files inside, downloading files from remote locations, decompressing files and writing files to disk.

“The functionality of the Manjusaka and Alchimist web interfaces exhibiting remote administration capabilities, executed through the RATs, signifies the plethora of functionality built into these C2 frameworks,” the researchers said. “A malicious actor gaining privileged access to the shell on a victim’s machine is like having a Swiss army knife, allowing arbitrary commands or shellcode to be executed in the victim’s environment, causing significant effects on target organization.”

Copyright © 2022 IDG Communications, Inc.

Comments are closed.