New Attack Framework and RAT Strikes Impacts Windows, Linus and Mac Operating Systems

Category: Malware Campaigns | Industry: N/A | Level: Tactical | Source: Cisco Talos

Researchers from Cisco Talos have identified new tools written in Chinese, impacting Windows, Linux, and Mac operating systems. The new tools are an attack framework "Alchimist" and a remote access trojan "Insekt." Both are written in GoLang aiding in cross-platform compatibility. "Talos found this C2 on a server had a file listing active on the root directory along with a set of post-exploitation tools." Cisco Talos researchers had previously reported the emergence of the Manjusaka attack framework also written in the Chinese language, however, based on technical differences, they are assessed to be developed by different authors. "Alchimist C2 has a web interface written in Simplified Chinese and can generate a configured payload, establish remote sessions, deploy payload to the remote machines, capture screenshots, perform remote shellcode execution and run arbitrary commands." The implant for Alchimist's contains both a hard-coded C2 address and a self-signed certificate. To ensure a connection, the C2 address is pinged ten times every second. If the connection attempt fails, the implant will retry in an hour. The Insekt RAT can be downloaded via a script or from utilizing capabilities in Alchimist to spawn PowerShell or run wget commands attackers to facilitate its delivery. Talos analyzed the RAT to support commands to execute commands via cmd, upgrade the current Insekt implant, run commands as a different user, take screenshots, sleep for a length of time specified by its C2, manipulate SSH keys, conduct system, and network reconnaissance by reading file sizes, identify the OS version, scanning IPs and ports. An added module to Insekt expands its set of commands to enable user creation, manipulate the host’s firewall, and modify the registry. Cisco Talos has assessed with moderate confidence the tools Alchimist and Insekt are actively being used in the wild. With the increased availability of all-in-one frameworks, cybercriminals of all skill levels can leverage ready-made tools to launch sophisticated cyberattacks.

Anvilogic Use Cases:

• Long Established Connection Over Proxy
• Powershell ICMP Data Exfiltration
• Create/Add Local/Domain User

‍