A new malicious framework has been discovered, featuring a command and control server and a new malware known as Insekt.
Alchimist Framework Technical Overview
Called Alchimist, the framework has a web interface written in Simplified Chinese and implemented in GoLang, and comes equipped with remote administration features. Alchimist has been designed to target Windows, macOS and Linux, and is very similar to another recently discovered, self-contained framework dubbed Manjusaka.
It is noteworthy that the campaign consists of “additional bespoke tools such as a macOS exploitation tool, a custom backdoor and multiple off-the-shelf tools such as reverse proxies,” Cisco Talos said in a detailed report.
The researchers describe the attack framework as a “new single-file command and control framework”. It was discovered on a server that had a file listing active on the root directory along with several post-exploitation tools. The team believes that Alchimist is currently used in the wild.
“‘Alchimist’ is a 64-bit Linux executable written in GoLang and packed with assets including resources for the web interface and Insekt RAT payloads compiled for Windows and Linux. Insekt RAT, a new trojan Cisco Talos discovered, is Alchimist’s beacon implant written in GoLang and has a variety of remote access capabilities that can be instrumented by the Alchimist C2 server,” the report explained.
Insekt Malware Overview of Capabilities
As already mentioned, the framework comes with a new piece of malware, Insekt.
Insekt is a 64-bit implant written in GoLang and compiled for Windows and Linux environments, the report said, with a variety of RAT capabilities that are all instrumented by the Alchimist command and control server. The malware has seven primary capabilities:
- Obtaining file sizes.
- Getting OS information.
- Running arbitrary commands via cmd[.]exe.
- Upgrading the current Insekt implant.
- Running arbitrary commands as a different user.
- Sleeping for periods of time defined by the C2.
- Starting and stopping screenshot capture.
Cisco Talos’s discovery of Alchimist is “yet another indication that threat actors are rapidly adopting off-the-shelf C2 frameworks to carry out their operations,” the report concluded.
It is noteworthy that in July 2022, Intezer security researchers detailed the discovery of another previously undetected malware framework specifically designed to target the Linux environment. Called Lightning Framework, the malware also showcased sophisticated capabilities, and was described as “an intricate framework developed for targeting Linux systems.”