New Chinese Malware Framework Attacks Windows, Linux & Mac Systems

Cybersecurity researchers at Cisco Talos have identified a previously undocumented C2 framework, named Alchimist, that is being used to target the following systems:-

  • Windows
  • macOS
  • Linux

The framework is paired with a beacon implant called Insekt; both are written in Go (GoLang). Beyond its remote-access features, Insekt can be instrumented by the Alchimist C2 server, so that routine tasks on compromised hosts can be automated.

Technical Analysis of Alchimist

The Insekt RAT is distributed as part of the Alchimist framework to facilitate automated attacks.

Alchimist and its payloads are 64-bit executables written in Go. Because Go compiles to self-contained binaries, the same code base is easily built for each of the major operating systems, which makes cross-platform deployment straightforward.

Alchimist's interface closely resembles that of Manjusaka, a framework that has been gaining popularity among Chinese-speaking threat actors. Another notable feature of Alchimist is that its web interface is written in simplified Chinese.

Operators use Alchimist to generate and configure the payloads for infected devices, and the framework also provides an intuitive, easy-to-use platform from which they can:-

  • Take screenshots remotely
  • Execute arbitrary commands
  • Execute shellcode remotely

Insekt Implant Infection Chain

Alchimist generates the Insekt implant together with the delivery snippets an operator uses to deploy it through their own infection mechanisms:-

  • The Insekt RAT
  • PowerShell snippets (for Windows)
  • wget commands (for Linux)

The C&C server address is hardcoded into the implant, along with a self-signed certificate that is generated at compile time and embedded in the binary.

According to the Talos report, the implant then attempts to reach the C&C server address ten times per second. If all of those attempts fail, the malware waits one hour before trying to establish the connection again.
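That retry schedule (a burst of ten attempts inside a second, then nothing for an hour) is something a network sensor can be made to look for. The script below is an added example, not Talos or Alchimist code: it scans a trimmed-down, constructed Zeek conn.log layout (ts, id.orig_h, id.resp_h, id.resp_p, conn_state) for hosts that make ten or more unanswered connection attempts to one destination within a second, then checks whether such bursts recur about an hour apart. The log lines, thresholds and tolerance values are assumptions chosen to match the behaviour described above.

```python
"""Detect the retry pattern described in the article: bursts of rapid,
unanswered connection attempts (10 per second) to one C&C address, with a
fresh burst roughly an hour later.

Added example for illustration; it is not Talos or Alchimist code. The log
lines are constructed in a trimmed-down Zeek conn.log layout
(ts, id.orig_h, id.resp_h, id.resp_p, conn_state); thresholds are assumptions.
"""
from collections import defaultdict

BURST_COUNT = 10         # attempts within BURST_WINDOW seconds that count as a burst
BURST_WINDOW = 1.0       # seconds
RETRY_GAP = 3600.0       # the implant retries after one hour
RETRY_TOLERANCE = 120.0  # seconds of slack when matching the hourly retry
FAILED_STATES = {"S0", "REJ", "RSTOS0"}  # Zeek conn_state values: no reply / refused


def parse_conn_log(text):
    """Parse tab-separated lines into (ts, src, dst, port, state) tuples."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, state = line.split("\t")
        records.append((float(ts), src, dst, int(port), state))
    return records


def find_bursts(records):
    """Return {(src, dst, port): [burst_start_ts, ...]} for every pair that made
    at least BURST_COUNT failed attempts inside a BURST_WINDOW-second window."""
    attempts = defaultdict(list)
    for ts, src, dst, port, state in records:
        if state in FAILED_STATES:
            attempts[(src, dst, port)].append(ts)
    bursts = {}
    for key, stamps in attempts.items():
        stamps.sort()
        starts = []
        i = 0
        while i < len(stamps):
            j = i
            while j < len(stamps) and stamps[j] - stamps[i] <= BURST_WINDOW:
                j += 1
            if j - i >= BURST_COUNT:
                starts.append(stamps[i])
                i = j  # skip past the whole burst
            else:
                i += 1
        if starts:
            bursts[key] = starts
    return bursts


def hourly_retries(burst_starts):
    """Consecutive bursts separated by roughly RETRY_GAP seconds."""
    return [(a, b) for a, b in zip(burst_starts, burst_starts[1:])
            if abs((b - a) - RETRY_GAP) <= RETRY_TOLERANCE]


def _constructed_sample():
    # Constructed data: 192.0.2.15 makes two ten-attempt bursts to
    # 203.0.113.10:443 an hour apart; 192.0.2.22 has ordinary successful sessions.
    base = 1665580000.0
    lines = []
    for offset in (0.0, 3600.0):
        for k in range(10):
            lines.append(f"{base + offset + k * 0.1:.2f}\t192.0.2.15\t203.0.113.10\t443\tS0")
    lines.append(f"{base + 5:.2f}\t192.0.2.22\t198.51.100.7\t443\tSF")
    lines.append(f"{base + 65:.2f}\t192.0.2.22\t198.51.100.7\t443\tSF")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_sample()

if __name__ == "__main__":
    for (src, dst, port), starts in find_bursts(parse_conn_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}:{port}: {len(starts)} burst(s), "
              f"{len(hourly_retries(starts))} hourly retry gap(s)")
```

Only unanswered or refused attempts are counted, so a host with ten quick successful sessions to a busy web server is not flagged; the hourly-gap check is what separates this implant's schedule from an ordinary port scan or a misconfigured client that hammers a dead service continuously.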

On infected Windows and Linux systems, the Insekt implant executes the commands delivered by the Alchimist server.

The actions Insekt can carry out on an infected system are listed below:-

  • Get file sizes
  • Get OS information
  • Run arbitrary commands via cmd.exe
  • Create new users
  • Manipulate SSH keys
  • Upgrade the current Insekt implant
  • Perform port and IP scans
  • Run arbitrary commands as a different user
  • Sleep for periods of time defined by the C2
  • Execute shellcode on the host
  • Start/stop taking screenshots
  • Disable the firewall
  • Act as a SOCKS5 proxy
  • Write files to disk
  • Unpack files to disk

Moreover, to make things more convenient for the operator, the Linux variant of the Insekt implant lists the contents of the .ssh directory in the victim's home directory.

It then adds newly created, attacker-controlled SSH keys to the ~/.ssh/authorized_keys file, which the attacker uses to connect to the victim's device from the C&C server over SSH.
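An appended authorized_keys entry is a durable foothold that survives a password reset, so the practical check is to compare every user's authorized_keys file against a baseline of fingerprints you know about. The script below is an added example, not Talos or Alchimist code: it parses authorized_keys lines (including the options field, which may contain quoted spaces), computes OpenSSH-style SHA256 fingerprints from the key blob, and reports any key that is not in the baseline. The file contents, the keys and the baseline are constructed in the script; in real use you would read the file from each home directory and take the baseline from configuration management.

```python
"""Audit an authorized_keys file against a baseline of known key fingerprints
and report any entry that is not in the baseline, the kind of change the
article describes the Linux Insekt variant making.

Added example, not Talos or Alchimist code. The file contents, the keys and
the baseline are constructed. Fingerprints use the OpenSSH form: SHA256 of
the decoded key blob, base64 without padding.
"""
import base64
import binascii
import hashlib
import re
import struct

# Key type, the base64 blob and an optional comment; anything before the key
# type is the options field (which may contain quoted spaces).
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)"
    r"|sk-[\w.-]+@openssh\.com)\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?$"
)


def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return one dict per non-comment line; unparseable lines carry an 'error'."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m is None:
            entries.append({"line": lineno, "error": "no key found", "raw": line})
            continue
        try:
            fp = fingerprint(m.group(2))
        except (binascii.Error, ValueError):
            entries.append({"line": lineno, "error": "bad base64", "raw": line})
            continue
        entries.append({
            "line": lineno,
            "options": line[:m.start()].strip(),
            "type": m.group(1),
            "fingerprint": fp,
            "comment": m.group(3) or "",
        })
    return entries


def audit(text, baseline_fingerprints):
    """List (finding, entry) pairs for lines that are unparseable or whose
    key is not in the baseline."""
    findings = []
    for entry in parse_authorized_keys(text):
        if "error" in entry:
            findings.append(("unparseable", entry))
        elif entry["fingerprint"] not in baseline_fingerprints:
            findings.append(("unknown_key", entry))
    return findings


def _blob(key_type, material):
    # Constructed OpenSSH public-key blob: length-prefixed strings, base64-encoded.
    def s(b):
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(s(key_type.encode()) + s(material)).decode()


# Constructed keys: the admin's legitimate key and one an intruder appended.
ADMIN_KEY = _blob("ssh-ed25519", b"A" * 32)
PLANTED_KEY = _blob("ssh-ed25519", b"B" * 32)
BASELINE = {fingerprint(ADMIN_KEY)}

SAMPLE_AUTHORIZED_KEYS = (
    "# constructed sample authorized_keys\n"
    f"ssh-ed25519 {ADMIN_KEY} admin@laptop\n"
    f'command="/usr/bin/backup --run",no-pty ssh-ed25519 {ADMIN_KEY} backup job\n'
    f"ssh-ed25519 {PLANTED_KEY}\n"
)

if __name__ == "__main__":
    for kind, entry in audit(SAMPLE_AUTHORIZED_KEYS, BASELINE):
        print(f"line {entry['line']}: {kind} {entry.get('fingerprint', entry.get('raw'))}")
```

Comparing fingerprints rather than raw lines means a known key that has merely been re-added with a different comment or options string is not a false positive, while a planted key is caught even if the intruder copies a legitimate comment onto it. Unparseable lines are reported too, since a malformed entry is still worth a look.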

The researchers note that Alchimist is an attractive option for less experienced threat actors who lack the expertise to build for themselves the complex components that sophisticated cyberattacks require.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.