New Chinese malware attack framework targets Windows, macOS and Linux systems

A previously undocumented command and control (C2) framework called Alchemist is likely used in the wild to target Windows, macOS, and Linux systems.

“Alchimist C2 has a web interface written in Simplified Chinese and can generate configured payload, establish remote sessions, deploy payload to remote machines, capture screenshots, perform remote shellcode execution and execute arbitrary commands”, Cisco Talos said in a report shared with The Hacker News.

Written in GoLang, Alchimist is complemented by a beacon implant called Insekt, which comes with remote access functionality that can be instrumented by the C2 server.

cyber security

The discovery of Alchemist and its family of malicious implants comes three months after Talos also detailed another standalone framework known as Manjusaka, which was vaunted as “Chinese brother of Sliver and Cobalt Strike”.

More interestingly, Manjusaka and Alchimist offer similar functionality, despite implementation differences when it comes to web interfaces.

The Alchimist C2 panel further provides the ability to generate PowerShell and wget code snippets for Windows and Linux, potentially allowing an attacker to flesh out their infection chains to distribute the Insekt RAT payload.

The instructions could then be embedded in a maldoc attached to a phishing email which, when opened, downloads and launches the backdoor on the compromised machine.

The Trojan, for its part, is equipped with features typically found in backdoors of this type, allowing the malware to obtain system information, capture screenshots, execute arbitrary commands, and download remote files, among others.

cyber security

Moreover, the Linux version of Insekt is able to list the contents of the “.ssh” directory and even add new SSH keys to the “~/.ssh/authorized_keys” file to facilitate remote access via SSH.

But in a sign that the threat actor behind the operation also has macOS in its sights, Talos said it discovered a Mach-O dropper that exploits the PwnKit vulnerability (CVE-2021-4034) to gain elevation. privileges.

“However, this [pkexec] is not installed on MacOSX by default, which means elevation of privilege is not guaranteed,” Talos noted.

The overlapping functions, Manjusaka and Alchemist, indicate an increase in the use of “all-inclusive C2 frameworks” that can be used for remote administration and command and control.

“A malicious actor gaining privileged access to the shell on a victim’s machine is like having a Swiss army knife, allowing arbitrary commands or shellcode to be executed in the victim’s environment, causing significant effects on the target organization,” the researchers said.

Comments are closed.