New Chinese attack framework Alchimist serves Windows, Linux, and macOS implants

Researchers have discovered a new attack framework of Chinese origin that they believe is being used in the wild. The framework is made up of a command-and-control (C2) backend dubbed Alchimist and an accompanying customizable remote access Trojan (RAT) for Windows and Linux machines. The framework can also be used to generate PowerShell-based attack shellcode or distribute malicious implants for other platforms such as macOS.

“Our discovery of Alchimist is yet another indication that threat actors are rapidly adopting off-the-shelf C2 frameworks to carry out their operations,” researchers from Cisco Talos said in a new report. “A similar ready-to-go C2 framework called ‘Manjusaka’ was recently disclosed by Talos.”

Alchimist is a self-contained C2 backend

The Alchimist tool is written in GoLang and is deployed on servers as a single standalone file that contains both the implants as well as the user interface that attackers use to interact with their victims’ systems. The fact that the backend is self-contained in a single cross-platform executable makes it easy for attackers to deploy.

The components of Alchimist, including the web-based user interface, are stored in the executable file as GoLang assets and unpacked and written to a directory called /tmp/Res/ upon initialization. A self-signed HTTPS certificate that is used by the C2 server to encrypt communication with victim implants is also written in the /tmp/ directory. The “Res” folder contains web interface code and other directories, including one called Payload where Windows and Linux binaries for a RAT called Insekt are stored.

The Alchimist web interface uses simplified Chinese and provides several options to its users including the ability to customize implants. Attackers can choose the communication protocols supported by the implant (TLS, SNI, and WSS/WS), the hostname or IP for the C2 server, the platform between Windows and Linux, and whether the implant will run as a daemon (service) on the targeted endpoint.

When this feature is used, the C2 tool will load the default Insekt binaries into memory and automatically patch their code, saving the resulting binaries in a temporary directory and serving them to the attacker to download. This is a much simpler technique than compiling new binaries from source code and does not require any compiling dependencies that might not exist on the server.

While there are several similarities between Alchimist and a different single-file C2 framework called Manjusaka with both being written in GoLang and offering similar functionality, including bundling the malicious implants, there are also implementation differences. While Manjusaka uses the Gin web framework to implement the user interface and uses packr for asset management, Alchimist implemented all its functionality using basic GoLang features and code.

“We’ve observed that Alchimist, apart from the regular HTTP/S, also supports protocols like SNI, WSS/WS,” the Talos researchers said. “Manjusaka, on the other hand, mentions SNI, WSS/WS on its documentation but only supports HTTP.”

Another interesting feature of Alchimist is that in addition to customizing the Insekt RAT, it allows attackers to generate PowerShell and wget code snippets to download the Insekt RAT from the C2 server. Attackers can integrate these code snippets into other infection mechanisms such as malicious documents or malicious LNK files.

On an active C2 server they analyzed, the researchers also found a malicious executable written in GoLang for macOS. This executable acts like a malware dropper and attempts to elevate privileges by exploiting the PwnKit vulnerability in polkit’s pkexec utility (CVE-2021-4034). What’s interesting is that polkit is not a default utility on macOS and is more commonly found on Linux. In fact, the researchers also found the Linux variant of the same exploit on the server.

The macOS dropper, if successful, would open a reverse shell on the infected machine, giving attackers remote control over it. The researchers also found Windows shellcode associated with Meterpreter, the implant agent from the Metasploit penetration testing framework.

Insekt is a fully featured RAT

The Insekt implant that’s associated with Alchimist is also written in GoLang, making it cross-platform. It provides attackers with a variety of capabilities, including gathering identifiable information about the victim’s system, taking screenshots, executing commands as a specified user, executing shellcode, scanning IP and port numbers on the network, SSH key manipulation, and proxying connections.

The Linux variant lists the contents of the .ssh directory when the user’s SSH configuration is normally located. It then attempts to add new SSH keys to the authorised_keys file which allows an attacker to connect directly to the system via SSH using their own keys.

The RAT also implements interactive shells based on PowerShell, bash and cmd.exe through which attackers can execute predefined sets of commands on the systems. A module called “Command Line Interface (CLI)” further allows attackers to perform various actions such as navigating through directories, enumerating files inside, downloading files from remote locations, unzipping files, and writing files to disk.

“The functionality of Manjusaka and Alchimist’s web interfaces exhibiting remote administration capabilities, performed through the RATs, signifies the plethora of functionalities packed into these C2 frameworks,” the researchers said. “A threat actor gaining privileged shell access on a victim’s machine is like having a Swiss Army knife, enabling the execution of arbitrary commands or shellcodes in the victim’s environment, resulting in significant effects on the target organization.”